cloud providers security status and internal responsibilities

Posted on 2014-08-15
Last Modified: 2014-08-21
Our organisation is moving a number of applications and subsequent databases to cloud/SaaS based systems – therefore our data (often PII) is hosted on external infrastructure that we don’t manage. I presume we don’t have any rights to audit their infrastructure for security issues, but our IT section seems to be of the view that they have no real responsibilities for verifying the security of the hosting provider's infrastructure, yet were it to be compromised it would be our data exposed. Ultimately they are doing nothing in this area:

What should the organisation be doing in terms of verifying the security of the hosting provider's network infrastructure? If anything? They've never seen any sort of vulnerability assessment report of the servers hosting their data, so have no idea if such work is undertaken.

What are the risks in essentially doing/monitoring nothing in this area? Should this be a contractual issue, i.e. the requirement for the hosting provider to conduct vulnerability assessments on the servers hosting our data?
Question by: pma111

Accepted Solution

As a person that is responsible for the data, it is your job to do your due diligence. If you are moving to a cloud or hybrid cloud solution it is certainly the responsibility of ALL data owners within the organization to ensure that their data will have the highest security standards possible when doing so. This includes not only the IT department, but the owners of the data as well.

If you are uncomfortable moving to the cloud without more data or background on the hosting provider, voice those opinions (preferably in writing, like an email). If your IT department won't request the data and security documentation you are seeking, try any avenue you can to simply bypass them and go direct to the host. If it is a legitimate hosting company, they will have answered these sorts of questions many times before - so it shouldn't be a big deal.

In the end, "plausible deniability" isn't a valid excuse - just ask Target. Tens of millions of Target's customers' credit cards were stolen because of lax security at an HVAC repair company - yet Target was on the hook for the breach, as they should be.

You're asking the right questions, and if your IT department (specifically IT management and executives) aren't asking those questions, then God knows what else they are oblivious and/or indifferent to. This should be a clear red flag that they aren't doing their jobs.

Assisted Solution

You have every right to ask those questions.
However, eventually your data will be in places that you don't control, and it will be beyond your IT department's means to audit, investigate and check IT controls.
What you should do is check the regulations that govern your industry and are relevant to PII in your location, and then ask your vendors about their support of these regulations.
I would start with ISO 27001 as a general good practice, and follow with your specifics.
The adherence to regulations, including indemnification if possible and periodical checks, should be part of your contract with the SaaS vendor.
