There are many benefits to outsourcing security, but there will always be an element of risk associated with the practice. When you allow a cloud security provider to handle any aspect of your organization's security, you are trusting it to look out for your best interests and to adhere to established security best practices for functions such as threat detection, data security, vulnerability management and data loss prevention. While there are never any guarantees, large, well-known security providers generally do a good job of this. But what if you're looking outside the box? How can you tell whether a startup or smaller cloud security provider truly has what it takes to protect your company?
There are lots of reasons for investigating smaller and newer cloud security providers. They can be less expensive than large cloud security providers, and they are often the most innovative. In addition, under the right circumstances, relative obscurity can work in your favor: a less prominent provider may be a less attractive target for attackers, although that is never a substitute for real controls. On the other hand, you cannot simply assume that a lesser-known security provider is reputable.
While there is no foolproof method for distinguishing between a good security provider and one that is, well, insecure, there are certain things you can do to assess a cloud security provider's reputation.
Contact the Provider
It might sound simple, but one of the most effective ways of assessing a cloud security provider's capabilities is to contact the provider. Call the provider by phone and ask about its products. This simple act will tell you a lot. For one thing, if the provider does not list a phone number on its website, it could be a sign that the provider is running a fly-by-night operation. Similarly, if you call the provider and reach someone's personal cell phone (during business hours), that may also be a sign that the company is not well established.
As you talk with the provider, ask some basic questions about the service. For instance, you might inquire about the company's compliance initiatives or its audit policies, and whether it can share audit or attestation reports with prospective customers, under NDA if necessary. Whoever you talk to should be able to give you intelligent answers to your questions without giving too much away. After all, would you really trust a security provider that talks a little too freely about its internal security measures?
Examine the Privacy Statement
As you evaluate providers, be sure to take the time to read their privacy statements. It's important to know for certain that a provider is not selling your information, or the data it collects while protecting you, to a third party. I would recommend walking away from any provider that either does not offer a privacy statement or whose privacy statement seems a little too vague.
Check References and Reviews
Before you hand your security over to an unfamiliar cloud services provider, take the time to find out what its existing customers are saying. A reputable provider will be happy to give you references.
You will probably also be able to find online reviews. However, reviews should not be taken at face value. There are just too many examples of fake reviews (both good and bad) on the Internet.
There are some things you can look for to identify fake reviews. For example:
- Compare writing styles across the various reviews. If most of the reviews seem like they were written by the same person, then it’s time to walk away.
- Examine all of the reviews collectively. If every reviewer gives the provider a five-star review, then the reviews are probably fake. Likewise, if there is a disproportionate number of one-star reviews, the reviews may have been placed by a competitor or a troll.
- Google the company name and cross-reference it with words like "fraud" or "scam."
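The first two checks above (near-identical wording and a suspiciously skewed rating distribution) can be turned into a quick script when a provider has more reviews than you want to read by hand. The following is an added example, not code from the original article or from any provider; the six reviews are constructed for illustration, and the similarity threshold and rating-share cutoffs are assumptions you should tune to the review set you are looking at. It measures wording overlap with word-trigram Jaccard similarity, flags clusters of near-duplicate reviews, and then recomputes the rating distribution with the duplicates collapsed so you can see what the "real" reviews say.

```python
"""Heuristics for spotting suspicious review sets (added example, not from the article)."""
import re
from itertools import combinations

# Constructed sample reviews; not real reviews of any provider.
# Reviews 1-3 are near-identical five-star reviews, the pattern the
# article says should make you walk away.
REVIEWS = [
    {"id": 1, "stars": 5, "text": "Great service, fast support, highly recommend this company to anyone"},
    {"id": 2, "stars": 5, "text": "Great service, fast support, highly recommend this company to everyone"},
    {"id": 3, "stars": 5, "text": "Great service fast support highly recommend this company to my friends"},
    {"id": 4, "stars": 4, "text": "Solid detection coverage but the onboarding took longer than we expected"},
    {"id": 5, "stars": 5, "text": "Their SOC caught a phishing campaign our old vendor missed; documentation could be better"},
    {"id": 6, "stars": 2, "text": "Support tickets sat unanswered for days and the audit report we requested never arrived"},
]


def word_shingles(text, k=3):
    """Set of k-word shingles from the text, lowercased with punctuation stripped."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    """Jaccard similarity of two sets; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def near_duplicate_pairs(reviews, threshold=0.5):
    """(id_a, id_b, similarity) for every pair whose wording overlaps at or above threshold."""
    shingles = {r["id"]: word_shingles(r["text"]) for r in reviews}
    pairs = []
    for a, b in combinations(reviews, 2):
        sim = jaccard(shingles[a["id"]], shingles[b["id"]])
        if sim >= threshold:
            pairs.append((a["id"], b["id"], round(sim, 2)))
    return pairs


def deduplicate(reviews, threshold=0.5):
    """Keep one review per cluster of near-duplicates (the first one seen wins)."""
    kept = []
    for r in reviews:
        s = word_shingles(r["text"])
        if all(jaccard(s, word_shingles(k["text"])) < threshold for k in kept):
            kept.append(r)
    return kept


def rating_share(reviews, stars):
    """Fraction of reviews carrying the given star rating."""
    if not reviews:
        return 0.0
    return sum(1 for r in reviews if r["stars"] == stars) / len(reviews)


def assess(reviews, dup_threshold=0.5, uniform_share=0.9, flood_share=0.5):
    """Return the article's red flags that apply to this review set.

    The cutoffs are assumed values for illustration, not published thresholds.
    """
    flags = []
    if near_duplicate_pairs(reviews, dup_threshold):
        flags.append("near_duplicate_reviews")
    if reviews and rating_share(reviews, 5) >= uniform_share:
        flags.append("uniformly_five_star")
    if reviews and rating_share(reviews, 1) >= flood_share:
        flags.append("one_star_flood")
    return flags


if __name__ == "__main__":
    print("near-duplicate pairs:", near_duplicate_pairs(REVIEWS))
    print("flags on raw set:", assess(REVIEWS))
    unique = deduplicate(REVIEWS)
    print("five-star share raw / deduplicated: %.2f / %.2f"
          % (rating_share(REVIEWS, 5), rating_share(unique, 5)))
    print("flags after deduplication:", assess(unique))
```

On the constructed sample, reviews 1, 2 and 3 are flagged as near-duplicates of one another, and collapsing them drops the five-star share from two thirds to one half. Trigram overlap catches copy-paste campaigns, not a careful writer who paraphrases each fake review, so treat a clean result as the absence of one signal rather than proof the reviews are genuine.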
Remember the Concept of JDLR
The physical security staff in Las Vegas casinos rely on a principle called JDLR: Just Doesn't Look Right. The idea is that if something seems "off," there is probably a good reason why, even if that reason is not immediately identifiable.
When it comes to cloud security providers, my advice is to trust your instincts. If something just doesn’t feel right, walk away. Trusting your security to a sketchy provider is never worth the risk.