In today’s saturated cloud market, differentiating your business depends on your ability to become a trusted provider of products and services to your customers. Consequently, as a partner, you must ensure that you offer high-quality solutions backed by services from dependable providers. After all, many customers lack the knowledge that would enable them to assess the value of any one cloud service provider (CSP) over another. Without this ability to grade providers, customers run the risk of onboarding solutions that don’t support their needs. This is especially critical when it comes to evaluating the vital function of security.
For this very reason, partners must ensure that they meticulously vet CSPs so that the ones they choose enable them to offer their customers the best possible security. This, however, can be much easier said than done, as truly gaining a full understanding of a CSP’s ability to provide best-in-class security involves rigorous investigation. At AVANT, thoroughly vetting CSPs on security measures involves everything from site visits to in-depth vendor-specific research. We dig deep to ensure that the cloud vendors we onboard meet our high security standards. On top of that, we also provide our partners with sales-enablement tools such as our survey-style intelligent lead form, which enables them to identify specific customers’ most pertinent security needs.
Our diligent vetting process paired with our one-of-a-kind sales enablement tools gives our partners confidence in their customer offerings. That is, they know that every CSP in our portfolio has received our stamp of approval and will meet high customer expectations.
So, what exactly does it mean to receive an AVANT stamp of approval when it comes to CSP security? Let’s explore some of the top criteria as explained by our very own chief cloud officer, Ron Hayman:
The data center’s role in the CSP’s product
First off, you want to understand whether your CSP maintains its own infrastructure or whether it is housed by a data center provider. For example, our esteemed vendor Peak 10 maintains its own data centers, affording customers tight integration with its cloud services and, therefore, cost value. This benefit only holds true if the CSP makes data center management and security a line of business. A CSP that has its own infrastructure but is not an expert in running it is a significant risk to your customers.
If your CSP outsources to a data center provider, on the other hand, then due diligence requires that you conduct a more in-depth investigation. For instance, what Tier is the data center? You should look for Tier 3 or Tier 4. You must also review the service-level agreement (SLA) and the operational-level agreement (OLA) in place between the data center provider and the CSP. Oftentimes, regularly scheduled maintenance or specifications around network uptime, for instance, fall outside of the parameters of the SLA and OLA. As such, while the CSP may claim that it can provide 100 percent uptime, the function is actually impacted by the data center provider. You need to understand what your CSP is really capable of providing so that nothing—like your data integrity—falls through the cracks.
The CSP’s physical security measures
Understanding the physical security measures of your CSP’s data center—whether it is owned by the CSP or outsourced—is critical in preventing data breaches. For instance, when vetting a CSP, find out if it requires credentials to gain data center access, and whether it employs mantraps—rooms that “trap” those who enter secure areas of the data center without authorization. In addition, ask if security cameras are in place throughout the premises, and in which areas these cameras have been placed. What’s more, CSPs that have a biometric requirement will likely be most secure, as they’ll possess reports detailing who is going in and out of the data center cages, thereby decreasing the risk of a data breach.
Furthermore, understanding a CSP’s standards on protecting data at rest and data in transit is vital to preserving your sensitive information. For instance, if you’re going to put personally identifiable information (PII) or personal healthcare information (PHI) in the CSP’s data center, then make sure necessary precautions will be taken, such as encryption and tokenization, to optimally safeguard data.
The CSP’s auditing standards
From a compliance perspective, you need to understand whether the data center and the CSP undergo an annual audit performed by a third-party auditing service. Always ask to see the auditing reports so that you can ensure that they will meet your audit requirements, whether those be PCI, SSAE16 and/or HIPAA, as these are the standards most crucial for guaranteeing security and compliance. If you require a HIPAA-enabled cloud, ask the CSP whether it will sign a Business Associate Agreement (BAA). A BAA governs the handling of a data breach, including the sharing of liability.
One thing to keep in mind when evaluating a data center audit report provided by your potential CSP is whether the CSP itself or the data center provider conducted the audit. You want to choose a vendor that is dedicated to auditing its data center provider on its own terms to ensure it meets its standards as well as yours.
Partners: Vetting CSPs to ensure optimal security is a hefty task. As such, leverage the support and knowledge of a cloud-born organization like AVANT to give you a hand, as well as peace of mind. Let’s get in touch!