When Was The Last Time You Assessed Your Cloud Provider's Platform and Security Practices?
Understanding third party risk is a regulatory requirement. Before contracting with a cloud provider, confirm that you can conduct your own assessment.
13 January 2016
When I talk to customers and prospects, I often suggest that they have their assessment or vendor risk team take an in-depth look at Intralinks' platform and data center security practices. And not just on paper — I recommend that they perform an initial on-site visit to confirm that Intralinks' security and privacy controls and practices meet or exceed their own.
This catches many of our buyers by surprise. Few have ever had a cloud service provider say, "Please come audit us." To them I say, "Why wouldn't you conduct your own assessment? We want you to trust us with your most critical and sensitive documents. You should understand and see how we protect them."
Many companies are starting to take a harder look at their cloud service providers. As companies move more of their data and operations into the cloud and develop a business dependency on these services, it's important for them to view and treat their vendors as an extension of their own organization. "Follow the data" is a favorite motto. After all, risk and compliance challenges don't stop at traditional organizational boundaries. If a failure or breach occurs with the third party vendor, it's the contracting organization that is held accountable and suffers the fallout.
For many organizations, understanding third party risk is a regulatory requirement. Government regulations, agency guidance, and international standards such as HIPAA HCFA, the European Data Protection Directive 95/46/EC, Australia's APRA, OCC, U.S./EU Safe Harbor, OECD, NIST, ISO, CobiT, as well as the FFIEC guidelines for financial institutions, mandate that a company's risk management policies cover vendors. And aside from such regulations, it's simply a matter of best practice for companies to regularly evaluate their partner or third party risk ecosystem.
Companies that do conduct vendor assessments typically only perform on-site audits for their most critical vendors — mostly because the risks don't justify the time and resources needed to assess every single vendor. That's OK. Even a thorough "by mail" self-assessment questionnaire can help to uncover gaps in the security coverage that the vendor provides versus what the contracting company requires. And the "by mail" questionnaire does prove that due diligence was performed.
Our informal policy at Intralinks is to encourage customers to conduct assessments and an on-site visit if they choose to do so. We do this because we've found that it allays any concerns or reservations that a customer may have. Come "kick the tires" and see where your data is stored.
The brilliant part about this is that every customer benefits from all of these customer assessments. Because Intralinks serves a large variety of customers in different industries, each assessment reinforces what is critical to that industry, and many touch on something new. Furthermore, a few customers have consistently been "early indicators" of upcoming security controls. In short, the security bar keeps going up and we continually build stronger security practices. Throughout our 18 years of experience, Intralinks has developed, implemented and continuously improved its policies and procedures to meet the wide variety of our customers' policies and their regulatory requirements.
Think of it this way. Imagine having your own security practices assessed every week, but by a different team with somewhat different perspectives and objectives each time. Eventually, the entire spectrum of your security practices will have been covered and the most critical practices assessed repeatedly. If you followed a continual improvement process, over time you'd have a strongly secured platform.
This is not just our philosophy; it's the way we work.
In short, before you plan to contract with a cloud service provider — especially one that will handle your important and sensitive files — confirm that you can conduct your own assessment of them. Customer assessment rights are a standard component of Intralinks’ agreements. If the vendor doesn't welcome your assessment with open arms, you need to ask yourself, "Why am I engaging this vendor? What risk will it bring to me? What if something goes wrong down the line?" If you're left with an uneasy feeling, you know it isn't right.
Serge Renaud is VP of Security and Quality Assurance at Intralinks. He is part of the risk readiness team which focuses on improving security and addressing client audits. Serge is a Subject Matter Specialist in technology risk management across diverse industries, and acts as a process improvement guide and internal consultant. He has successfully guided more than 140 client audits through the Intralinks Platform.