The security of data is a high-priority item within a company’s network infrastructure – most companies take pains to ensure their network is locked down tightly to keep out hackers, viruses and other nefarious influences. But security in the hosted space is a much trickier proposition, and one solution providers should be acutely aware of to help their end-user customers, said security executive Sean Bruton.
“The problem with security is it’s a black hole,” said Bruton, director of security at hosting provider Neospire. “Part of the beauty of hosted services is that companies don’t have to deal with managing their data on a day-to-day basis, but people really like to understand where their data is so it becomes the hosting provider’s Achilles' heel.”
A high number of customers using hosted services insist on performing a security audit on the hosting provider, yet many providers either don’t want to or can’t support those auditors due to time or infrastructure constraints, Bruton said. “And you end up with a stalemate between customers wanting information and providers wanting to give it out.”
The answer, he said, is as simple as choosing a hosting provider that has gone through a trusted assessment such as a SAS 70 assessment. SAS 70, which stands for Statement on Auditing Standards No. 70, is an auditing standard developed by the American Institute of Certified Public Accountants that measures an organization’s policies and procedures related to security. For service providers, the audit shows whether adequate controls and safeguards are in place for hosting or processing data belonging to their customers.
However, Bruton noted, ensuring a hosting provider is SAS 70 certified is only one step in a multi-step process for evaluating the security of a customer’s data. “SAS 70 is not a certification, it’s just a report from CPAs,” he said. “If solution providers really want to evaluate their cloud provider, they need to get a copy of the SAS 70 report and make sure the audit looked at all of the hosting provider’s security controls and that the report doesn’t call out a bunch of exceptions.”
Solution providers also should make sure they and the hosting provider are evaluating security in the same manner; in other words, an apples-to-apples comparison.
“Look for a little bit of transparency regarding performance metrics that are available to you. Some cloud providers just give a star rating. That really doesn’t mean anything and it’s hard to tell what the ratings mean relative to each other,” he said.
Also, Bruton said, find a provider that is able to provide an understanding of how your application is going to perform within their infrastructure. “That is hands-down the best way to evaluate the safety of your data,” he said.