5 QUESTIONS TO ASK A CLOUD SERVICE PROVIDER ABOUT CYBERSECURITY
One of the questions I’m frequently asked by PEOs is simple: Is the cloud safe?
Actually, this is a trickier question than it seems. The answer is yes, of course, but like any internet-based endeavor, there are certainly many caveats. Cloud security requires you to think about security differently than on-premises security or data center security. While many of the same concepts apply, you may require different tooling and approaches to enable the correct level of security. PEOs also need to be more cloud-savvy through the use of SaaS, IaaS and PaaS (more on this in a bit).
One point I can’t stress enough is that everyone has a role to play to ensure your data and systems are safe from cyberattacks. Most breaches begin when someone lets their guard down and gets tricked into revealing information (passwords and such) through phishing, which could put the entire organization at risk. A quick click on a link from a phony email or engaging with a supposed “executive” through a social engineering attack (where someone impersonates someone from the company’s C-suite or another high-ranking official affiliated with the organization) could open the floodgates at any time.
Cybersecurity is never an easy job, but with the proper protocols and tools in place, companies can help ensure their systems and information are protected as well as their customers’.
Also known as Software as a Service (SaaS), cloud computing has changed the way we work by giving everyone in the organization the ability to access the tools, software and information they need to do their job whenever and wherever they want. Whether you’re in an office, a factory, at home, or even taking a respite on a beach in Tahiti, as long as there’s a Wi-Fi signal or cellular connection available, information will always be at your fingertips.
Unless the cloud solution has been compromised by a cyberattack, that is.
In Hiscox’s latest Cyber Readiness Report¹, the cyber insurance company found that companies with $100,000 to $500,000 in revenue now face as many cyberattacks as those making $1 million to $9 million. In other words, cyber attackers are not just looking to go after the bigger players anymore. Everyone is a potential target in today’s cyberworld.
As with any internet-related technology, hackers and cybercriminals continually mine for weaknesses in the cloud, and attacks don’t always happen instantaneously.
Did you know that the average data breach takes 277 days to detect and resolve? That’s because once an attacker breaches someone’s system, they might want to keep a low profile to get as much information as they can before they launch a full-blown attack, or they might want to spend time inside the network just practicing and experimenting to prepare for future attacks, or searching for information about bigger companies with which you do business. Additionally, after an attack is detected, it can take some time to push the cyber attackers out after they’ve gotten in. Having a backup system is critical, but even that can take several hours or more to deploy.
Thankfully, cloud security has gotten stronger and stronger as cloud service providers have evolved and matured. As well, the pandemic and the influx of hybrid and remote working arrangements accelerated cybersecurity efforts, but that doesn’t mean there aren’t lots of bad actors out there still looking to exploit new vulnerabilities.
It’s been that way since the very beginning.
Believe it or not, the idea of cloud computing was floated all the way back in 1963 when the Massachusetts Institute of Technology (MIT) was awarded a $2 million grant from the Defense Advanced Research Projects Agency (DARPA) to develop a computer that could be used simultaneously by two users as part of its Project on Mathematics and Computation (Project MAC) endeavor.
As DARPA itself explains² on its website, “A major thrust of Project MAC was to develop general purpose time-sharing capabilities, which later influenced the design of computer systems for commercial and defense uses. Within years of its start, Project MAC would evolve into the world’s first online community, complete with online bulletin boards, email, virtual friendships, an open-source software exchange—and hackers.”
ONE SIZE DOES NOT FIT ALL
To be clear, there are different types of cloud computing software out there: from private clouds (often set up by a third-party vendor) to public clouds (think Amazon Web Services, Azure and Google Cloud) to hybrid clouds (one private and one public, for example) to multiclouds (a way to keep cloud data separated). Besides SaaS, there’s also Platform as a Service (PaaS), which covers external networks, servers, operating systems or storage, as well as Infrastructure as a Service (IaaS), where companies rent or lease servers for computing and storage.
There is also third-party software you undoubtedly already use that is cloud-based, such as Microsoft Teams or Google Docs.
I bring all this up here just to put cloud cybersecurity into proper context for how complex it truly can be. In the early days, we struggled to get two computers to communicate with each other. Today it is almost impossible to keep them from communicating when we don’t want them to.
A good cloud-based software provider will audit its own cybersecurity initiatives. At PrismHR, we use the American Institute of CPAs’ (AICPA’s) System and Organization Controls 2 (SOC 2) criteria, which is an industry standard framework for measuring an organization’s cybersecurity initiatives.
Besides asking a cloud provider about whether it follows SOC 2, another way PEOs can check a provider’s cybersecurity strength is through asking about penetration testing. This is where an organization pays an ethical hacker to see if they can break into their systems. Keep in mind that this is not something every company does because it can be cost-prohibitive and may have an impact on the service to customers, but it is something you certainly can ask a cloud provider about to help gauge its commitment to cybersecurity.
There’s also so-called “attack” tooling that will give you a vulnerability score, but keep in mind that bad actors have access to the same tools, so it works both ways. You can find out how vulnerable a cloud provider or even your organization is to a potential cyberattack, but so can they. You should also work with your cloud provider before using any “attack” tooling or conducting unannounced penetration testing. Not doing so could have unpredictable consequences.
Cyber attackers are constantly looking for new ways to penetrate an organization’s cyber defenses, so it’s important for any cloud company to practice constant vigilance. Cloud providers and PEOs can never afford to let their guard down when it comes to cybersecurity.
So what should you be asking cloud providers about cybersecurity? Good question. Here are a few things that come to mind.
QUESTIONS TO ASK CLOUD COMPANIES ABOUT CYBERSECURITY
1.) Has the cloud provider gone through an independent assessment of the security controls protecting the locations where its data is stored, and does it monitor for vulnerabilities?
If they have been independently assessed, you should be able to review a summary of the assessment, but you should also research the assessment company as well, especially if it’s not a well-known one.
In terms of technical controls, you need to know where the data is housed (U.S. or abroad). If you do business in California, for instance, you need to know that the cloud provider’s protections comply with the regulations of each geography involved, such as the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR).
2.) What is their public reputation?
Look for independent reviews from trusted sources, such as an accrediting body’s website, industry peers, and letters from previous customers describing past performance.
Does the company have customer referrals available to offer insight into how it supports customers and responds to security or IT issues? Always try to talk to a customer to gauge their confidence in the cloud company and how responsive it is. If a breach or outage occurs, you’ll want to know that you can get in touch with the cloud company based on your business needs.
3.) Does the cloud provider allow single sign-on (SSO), and does it support multifactor authentication (MFA)?
SSO is a great way to allow your employees and customers to access all of their cloud solutions through one convenient password at login. The potential problem, of course, is that a cyberattacker could access more data should there be a successful breach. That’s why a state-of-the-art MFA option is important. A good cloud provider will provide MFA to ensure there is at least one other action a user must take to gain access to the software/data, whether it’s through an authenticator app, text message confirmation, email, phone call, etc.
4.) Can we set up role-based access?
Not everyone in an organization needs access to all information. Being able to limit the number of people who have access to sensitive information is essential.
Placing users into roles also ensures that changes to the system are controlled and can be audited.
5.) Most importantly, what is the disaster recovery process?
Any backup system will take time to launch, so you need to know what the company would be able to do within 24 hours (you might have to pay more for quicker turnaround times, but find out from the outset).
Cloud software is a critical tool in today’s business world, and asking the right questions can help ensure your PEO’s data and systems remain safe now and in the future.
1 Hiscox. (2022). Cyber Readiness Report. Hiscox.
2 DARPA. (2023). Project MAC. DARPA. www.darpa.mil/about-us/timeline/project-mac
Chief Information Security Officer, PrismHR, Hopkinton, MA