Alleviate cloud computing risks with effective vendor management
Moving to the cloud presents significant benefits for state and local government entities, including reduced staffing and infrastructure costs. While there are many positives to the cloud, several risks are apparent, as studies find the majority of businesses are dissatisfied with vendor contracts. You must be proactive in managing vendor agreements to ensure your security needs are satisfied, effective controls are in place and contract terms are favorable.
Cloud computing is a shared pool of configurable computing resources, providing a convenient, on-demand platform to reduce costs and adapt to changing business needs. Common resources deployed to the cloud include networks, servers, shared storage, applications and services. As with any emerging technology, there are risks involved with storing your data and applications remotely. The top cloud security threats, as defined by the Cloud Security Alliance, include:
- Shared technology vulnerabilities
- Insecure application programming interfaces (APIs)
- Account or service traffic hijacking
- Malicious insiders
- Data loss and leakage
- Abuse and nefarious use of cloud computing
Meeting regulations and security standards
State and local government organizations can utilize vendor management strategies to reduce these and other risks. The market is currently flooded with cloud vendors, and while price is always important, a provider should also fit your needs from a data availability standpoint and match your risk appetite.
When choosing a cloud provider, identify the regulations your entity is subject to, and whether vendors hold themselves to the same standards. For example, if your organization is subject to the Federal Information Security Management Act of 2002 (FISMA), your cloud provider must have the appropriate controls to comply. In addition, the Federal Risk and Authorization Management Program (FedRAMP) is designed to manage risks in the cloud and ensure proper controls and protocols are in place.
Choosing the right cloud vendor to minimize risks
According to a recent Gartner report, most cloud computing contracts are more favorable to the vendor than to the customer. Agreements tend to be vague about how data will be protected, and do not require meaningful compensation if a vendor mistake leads to compromised data. State and local government data requirements are stringent, with stiff penalties. Defining your necessary protection level and appropriate penalties for vendor missteps is imperative.
In addition to security controls, appropriate vendor management allows your organization to mitigate other risks, including deficiencies in:
- Audit and testing
- Compensation in the event of breaches
- Data recovery parameters if data is lost
- Notifications of potential threats
- Exit strategies in case of changes in the environment
Negotiating for more favorable terms
Widespread cloud adoption is fairly new, and many state and local government organizations may not realize the potential to negotiate for stronger security controls. Studies have found that 80 percent of organizations are unhappy with their vendor contracts, and dissatisfaction is projected to continue through 2015. While cloud security is important for private businesses, it is even more critical for government entities, and vendor contracts must be managed to protect sensitive information.
A thorough cloud computing strategy provides management with an opportunity to reduce infrastructure costs and adapt quickly to changing business needs. However, you must identify the regulations your organization is subject to and determine whether potential vendors are able to hold themselves to the same standards.
When choosing a cloud provider, management should carefully look over proposals, and attempt to negotiate more favorable terms. While security and privacy issues are significant concerns for state and local government entities, they can be effectively mitigated through sound vendor contract management.