cloud providers security status and internal responsibilities

Our organisation is moving a number of applications and subsequent databases to cloud/SaaS based systems – therefore our data (often PII) is hosted on external infrastructure that we don’t manage. I presume we don’t have any rights to audit their infrastructure for security issues, but our IT section seems to be of the view that they have no real responsibilities for verifying the security of the hosting provider's infrastructure, yet were it to be compromised it would be our data exposed. Ultimately they are doing nothing in this area:


What should the organisation be doing in terms of verifying the security of the hosting provider's network infrastructure? If anything? They've never seen any sort of vulnerability assessment report of the servers hosting their data, so have no idea if such work is undertaken.

What are the risks in essentially doing/monitoring nothing in this area? Should this be a contractual issue, i.e. the requirement for the hosting provider to conduct vulnerability assessment on server hosting our data?
Brad Groux, Senior Manager (Wintel Engineering), commented:
As a person that is responsible for the data, it is your job to do your due diligence. If you are moving to a cloud or hybrid cloud solution, it is certainly the responsibility of ALL data owners within the organization to ensure that their data will have the highest security standards possible when doing so. This includes not only the IT department, but the owners of the data as well.

If you are uncomfortable moving to the cloud without more data or background on the hosting provider, voice those opinions (preferably in writing, like an email). If your IT department won't request the data and security documentation you are seeking, try any avenue you can to simply bypass them and go direct to the host. If it is a legitimate hosting company, they will have answered these sorts of questions many times before - so it shouldn't be a big deal.

In the end, "plausible deniability" isn't a valid excuse - just ask Target. Tens of millions of Target's customers' credit cards were stolen because of lax security from an HVAC repair company - yet Target was on the hook for the breach, as they should be.

You're asking the right questions, and if your IT department (specifically IT management and executives) aren't asking those questions, then God knows what else they are oblivious and/or indifferent to. This should be a clear red flag that they aren't doing their jobs.

Shalom Carmel, CTO, commented:
You have every right to ask those questions.
However, eventually your data will be in places that you don't control, and it will be beyond your IT department's means to audit, investigate and check IT controls.
What you should do is check the regulations that govern your industry and are relevant to PII in your location, and then ask your vendors about their support of these regulations.
I would start with ISO 27001 as a general good practice, and follow with your specifics.
The adherence to regulations, including indemnification if possible and periodical checks, should be part of your contract with the SaaS vendor.