Ellen Rubin is CEO of ClearSky Data.
Here’s a scene you don’t want to be in: Your client was breached, and it’s too early to know exactly what happened. However, you know the client’s cloud-hosted data is now at risk, and its tendency to transfer unencrypted data, despite your caution against the practice, played a role in the situation. It’s unlikely that this instance was your fault, but you’re not going to be able to stick your head in the sand and claim that protecting this data wasn’t part of your job.
Today’s managed service providers (MSPs) are adding cloud services to their portfolios to meet their clients’ needs, but despite technological advancements in recent years, every cloud consumption model can expose companies to new risks. To keep your team and your customers safe, consider some of the most common sources of risk and apply these four practices to help clients maintain safe cloud environments:
Encryption, Key Management and Operational Controls
Every enterprise customer incorporates some level of compliance as it manages software, conducts operational processes and physically manages data and infrastructure. These regulations may be industry-specific, mandated by a partner organization or dictated by the company. In any case, you must adhere to your clients’ individual preferences and standards as you handle their data and confirm that customer organizations will remain fully in compliance as they’re using your cloud services. Your MSP team has to remain one step ahead of your customers in terms of upholding best practices and educating itself on industry threats.
For example, even if your customer doesn’t typically encrypt the majority of its data, encrypting data in transit and at rest should be table stakes for your team. If a client isn’t running an encryption-key management system, it may request that you set one up, and you must be ready to respond to that request in a way that simultaneously protects your team from liability issues and protects your customer from security risks. In other words, clients should maintain exclusive control of their encryption keys – you should never see a customer’s private data. Finally, if metadata and configuration or management data apply to your service, consider how these elements will be encrypted for the customer side and on your team’s behalf.
Invest in Third-Party Audits of Your Services
It’s impossible to predict when a malicious party will launch an attack on a customer’s data, but this lack of foresight doesn’t mean you can’t identify likely sources of threats and help clients secure private information before attacks wreak havoc. According to Pew Research Center, Internet-connected systems are inviting targets for cyberattacks, but data protection isn’t necessarily top of mind when online applications are being designed. In other instances, hackers frequently gain access to private systems through undetected weak points in security architecture, or additional copies of data that were created for backup or testing.
An MSP team can locate potential exposures and entry points in clients’ cloud infrastructure by enlisting a third-party organization to run penetration-testing services and regular, independent security audits. Then, use information from the audit to ensure that there are no back doors in the servers, storage, applications or other systems that handle data. Those insights can also inform the firewalls you build, the intellectual property (IP) you add to your service portfolio, and the cloud and network security practices you enlist.
Build and Nurture an Atmosphere of Trust With Your Customers
Earning your clients’ trust as you handle their data is a major factor in ensuring security. From development to archives, MSPs should be transparent about data retention and how it’s encrypted. It’s also critical to enact security controls for your staff members, which may include access-permission policies, highly secure access environments and protection processes that follow an employee’s termination. These controls should also be communicated to customers, especially if they’ll play a role in managing the service you provide, or if you’ll need to tie up loose ends when a customer ceases to do business with your team.
Be Transparent About the Location of Data at All Times
Throughout the data lifecycle, it’s crucial to be aware of your exposure to liability issues, especially if a situation occurs where a customer will need increased control of the location of its data. For example, when the U.S. government ordered Microsoft to disclose Microsoft Exchange emails hosted in a regional data center in Ireland in 2014, the case raised serious questions in the industry about data ownership. Not only should you offer customers the ability to control which regions and countries host their data, but your MSP team should avoid gaining or retaining access to encryption keys that may cause issues if that data is seized.
In some cases, enterprises are placing higher expectations on the security practices of their MSPs than they enforce for their internal IT teams. To maintain security as you help customers leverage the cloud, don’t assume your tactics are safe if you’ve never gone through a breach, and don’t wait for news of exposure to motivate your team and your customers into frantic action. Instead, educate yourself about the risks you’re most likely to face, test your strategies and show your clients you can fully protect their data.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena.