

cloud providers security status and internal responsibilities

Posted on 2014-08-15
Medium Priority
Last Modified: 2014-08-21
Our organisation is moving a number of applications and subsequent databases to cloud/SaaS based systems – therefore our data (often PII) is hosted on external infrastructure that we don’t manage. I presume we don’t have any rights to audit their infrastructure for security issues, but our IT section seems to be of the view that they have no real responsibilities for verifying the security of the hosting provider's infrastructure, yet were it to be compromised it would be our data exposed. Ultimately they are doing nothing in this area:


What should the organisation be doing in terms of verifying the security of the hosting provider's network infrastructure? If anything? They've never seen any sort of vulnerability assessment report of the servers hosting their data, so they have no idea if such work is undertaken.

What are the risks in essentially doing/monitoring nothing in this area? Should this be a contractual issue, i.e. a requirement for the hosting provider to conduct vulnerability assessments on the servers hosting our data?
Question by: pma111
LVL 14

Accepted Solution

Brad Groux earned 1000 total points
ID: 40263078
As a person that is responsible for the data, it is your job to do your due diligence. If you are moving to a cloud or hybrid cloud solution, it is certainly the responsibility of ALL data owners within the organization to ensure that their data will have the highest security standards possible when doing so. This includes not only the IT department, but the owners of the data as well.

If you are uncomfortable moving to the cloud without more data or background on the hosting provider, voice those opinions (preferably in writing, like an email). If your IT department won't request the data and security documentation you are seeking, try any avenue you can to simply bypass them and go directly to the host. If it is a legitimate hosting company, they will have answered these sorts of questions many times before - so it shouldn't be a big deal.

In the end, "plausible deniability" isn't a valid excuse - just ask Target. Tens of millions of Target's customers' credit cards were stolen because of lax security at an HVAC repair company - yet Target was on the hook for the breach, as they should be.

You're asking the right questions, and if your IT department (specifically IT management and executives) aren't asking those questions, then God knows what else they are oblivious and/or indifferent to. This should be a clear red flag that they aren't doing their jobs.
LVL 33

Assisted Solution

shalomc earned 1000 total points
ID: 40265973
You have every right to ask those questions.
However, eventually your data will be in places that you don't control, and it will be beyond your IT department's means to audit, investigate and check IT controls.
What you should do is check the regulations that govern your industry and are relevant to PII in your location, and then ask your vendors about their support of these regulations.
I would start with ISO 27001 as a general good practice, and follow with your specifics.
Adherence to regulations, including indemnification if possible and periodic checks, should be part of your contract with the SaaS vendor.
