For the last 4.5 years at Sumo Logic (Sumo for short) I have been working to help build the once tiny startup renting a shared loft above a bookstore into the cloud-first big data powerhouse we are today. This puts me in an interesting position when I am asked to review other cloud providers' security, privacy and compliance postures as part of our own procurement process.
My focus as CISO is on the security and compliance of our service. I tell our employees and our customers that if businesses can't trust Sumo to take care of their data and keep it secure, we simply don't have a viable business. It's that simple.
As a result of this intense business pressure and our hard work and innovation, I believe that we are at the forefront of cloud security technology and practices here at Sumo.
We are a major provider -- and consumer -- of cloud services. That means that in addition to ensuring our security and compliance, I’m tasked with evaluating the security and compliance of others. The process of evaluating other solutions has revealed that the approach to security and compliance vary from vendor to vendor. Sometimes the difference is remarkable.
The challenge of security standards: plenty to choose from
The benefit of a standard is a defined way to approach securing the cloud. The current challenge is the sheer number and variety of standards. Some new, some tested, and some growing in acceptance. As a result, we have little consensus in the industry in terms of expected (and perhaps mandatory) minimums. There is even less consistency when muddled between consumer and business expectations -- a real concern given how easy it is for consumers to use those services in business settings.
Premium and mature IaaS and SaaS providers appear to be adopting the following certifications and attestations:
- SOC 1, 2 or 3
- CSA STAR
These five standards are quickly becoming the de facto baseline compliance/control frameworks for enterprise-grade cloud applications and infrastructures. Based on my experience, this is a good move.
You should decide which of these are most relevant to you and your security and compliance requirements. A good place to start is to understand the SOC assessments and the differences between them. For most US-based businesses these standards (the replacements for the now obsolete SAS-70) are the most common and well understood.
If you are dealing with HIPAA or PCI data, you will need to evaluate if that data will be shared with your service provider, and if it is, you will need to ensure they have the correct audits in place, and can sign a BAA in the case of HIPAA.
The Cloud Security Alliance offers a variety of self and auditor attested frameworks specifically designed for cloud service providers. These are an excellent tool for evaluation and transparency, and I am glad to see they are starting to gain wide acceptance.
You will most often see the ISO27001 certification at very mature providers who have a customer presence in non-US markets.
What happens when the standard isn’t yet… standard?
While the emerging standards hold promise for consistency, we need to continue to work toward mutual understanding -- including how we talk about them.
With the unique position of both providing and consuming cloud services, I’ve invested a lot of time working to understand -- and comply with -- the standards we chose. I’ve prepared my team to explain why we made the choices we did, and demonstrate compliance. [Editor's note: check out more about Joan’s approach here: A CISO reveals why the cloud is your secret weapon for faster, better, and cheaper PCI audits]
When it’s my turn to evaluate others, I frequently run into a troubling situation where a vendor claims compliance. Always with a smile. Since I know to dig deeper, it’s common to discover that they are simply relying on the attestations of the IaaS provider in place of their own.
Here’s why this matters: I compare this scenario to that of a business being run out of a well respected address in a high-end skyscraper. The landlord provides security guards, and cameras, and segregated networks, and secure tenant separation. But these trappings, although necessary to run a secure business, are not sufficient when the business renting the space does not adhere to any standards or maintain sufficient controls.
So be wary of any claims of certification or of adherence to a given standard without seeing the report yourself. Either through confusion or intentional sleight of hand, this is misstated often, and I have personally seen this statement made falsely time and time again over the last few years.
The opportunity for the provider: make the investment
In reality, very few cloud based companies have taken the time and made the investment required to provide this level of independently verified assurance, which I believe is critical to earn and maintain the trust of companies such as Sumo, who take their responsibilities to their customers' data very seriously.
Our customers have, for very good reasons, demanded a lot from us, and in turn, I must demand the same of our providers if there is any dependency on them that may affect our own security and/or compliance. I have stated publicly many times that I believe that the cloud can provide a more secure operating environment than most traditional data-centers. However, the onus is on the service providers to do the work required to leverage the security capabilities of the public cloud.
And the onus is also on them to walk the walk and get their services assessed and audited and not just talk the talk while waving around someone else's certifications.
As consumers of these services -- and influencers on the purchasing decision -- we have an obligation, and an opportunity to clarify the standards. By working with our vendors to develop consistent understanding and use, we all benefit.
Joan Pepin brings over 17 years of experience to her role as Sumo Logic's VP of Security and CISO. Her career has spanned a wide variety of industries such as healthcare, manufacturing, defense, ISPs and MSSPs. Her experience includes technical, operational, and management aspects of security, allowing her to bring highly technical research expertise to her current interests in security policy management, marketing, strategy and thought leadership. Prior to Sumo Logic, Joan spent nine years with the Guardent/ Verisign/ Secureworks organization where she invented several core technologies and established key initiatives around policy management, security metrics and incident response. She holds a patent for developing methodology to assess whether a communication contains an attack.