It is a fact that our organizations’ ability to deliver a service is increasingly dependent on third-party service providers. When it comes to IT service provision, there is no difference.
Facing this scenario, with growing pressures pushing us to reduce costs and embrace this new delivery model of cloud computing, there is an obvious question that will come to mind: Can I trust my cloud provider?
Trust is a very complex issue, and it is not easy to define all the conditions needed to gain it—but transparency is definitely a necessary condition. Being able to know, even before use, the security measures that are effectively implemented in an ICT service is quite useful for assuring the right security levels in the supply chain. This is especially true thinking about using a cloud computing service. Traditionally, following due diligence best practices, we try to audit the service providers or get an independent audit report or certification from them, but we have faced some difficulties:
- Auditing is not easy, and it is even more difficult if there is not yet a signed agreement with the provider.
- If we use audit reports from the providers, we have to check if what has been audited is relevant for us—specifically for the service we are going to use—or if the criteria fit our needs.
- Cloud providers, especially the bigger ones (that have hundreds or even thousands of customers), cannot afford being audited by each customer.
- If a certification is presented to us, we have to check again if the scope is suitable for us. Additionally, we have to be aware that current certifications are not about the implementation of security measures; they are about the implementation of information security management systems.
- Finally, all these methods tell us something about a moment in time, but they do not keep this information updated; we have to wait until the next audit/certification report.
If we had a way to compare different services and make sure that security measures were taken throughout the service period, it would be very helpful for our service provider selection process. As I discussed in my presentation at ISACA’s EuroCACS conference, security labeling of ICT services is a way to achieve all these objectives. This method assigns a label to every specific user showing the security measures it effectively implements in that service, allowing us to know in a quick and simple way if it is suitable for our needs. This recommendation to the industry was included in the European Cyber Security Strategy approved in February 2013, so it is something that the European Administrations will be willing to use.
What are your thoughts on security labeling? I encourage you to continue the conversation in the comments below.
Antonio Ramos, CISA, CISM, CRISC
CEO, Leet Security