
Conduct A Strong Evaluation


edda


Presentation Transcript


  1. Conduct A Strong Evaluation Soar to New Heights! 2013 National Equipment Finance Summit, Albuquerque, NM

  2. Is A Security Team Actively Working?
     • Find out if security is a reactive part of the cloud provider's processes or if it is actively securing its systems.
     • Smaller providers will have system administrators addressing security as issues pop up. Get customer references.
     • Skills and certifications only go so far. Talk to the staff and generally get a feeling of their experience and knowledge.

  3. Is There A Process In Place For Incident Response?
     • Ensure that the provider is actively looking for weaknesses and vulnerabilities in its platform.
     • Insist on active monitoring, support and communication when problems arise.
     • Ask for a monthly report, a quarterly call or other regular meeting to be set up to discuss issues and any improvements that are needed in your environment.
     • The business that owns the data is responsible for securing it.

  4. What Proof Does The Provider Have Validating Its Security?
     • Service providers should be able to show proof that the architecture and systems have been audited, giving you peace of mind that the systems meet industry standards.
     • Service Organization Control reports show that the provider offers reasonable protection over customer data.
     • A SOC2 report is an exhaustive review of the control environment and would only be provided under a nondisclosure agreement. It gauges a service provider's controls against the Trust Services Principles, which cover the security, availability, processing integrity, confidentiality and privacy of the organization.
     • A SOC3 report is more streamlined but freely available and should provide reasonable information about an assessment of the provider's security.

  5. Can I Conduct A Penetration Test Of The Provider's Environment?
     • Security experts advise that penetration testing is a valuable tool to find weaknesses and configuration issues before a real attacker strikes.
     • A full penetration test is unlikely in the case of most SaaS providers, but a large infrastructure service provider will let potential customers conduct a penetration test.
     • Conduct vulnerability scans or hire a firm to perform a full penetration test. If the service provider has an internal penetration testing team, you can request a detailed audit of reports. Third-party testing may be required to meet certain compliance mandates.

  6. Where Is My Data Residing?
     • When working with an infrastructure provider, most organizations will pick the data center where the information will reside, and many service providers have data centers to satisfy country-specific data location regulations.
     • Organizations must keep an eye on what happens to the data.
     • Is the data encrypted at rest?
     • Are backups encrypted?
     • Does the data center provider have any direct access to the data at rest or in transit?
