< ? php //If there is analytic campaign data, attempt to get the campaign_guid from that cookie if ( 1 === preg_match( '/pk10mkto-([0-9]+)/', $_COOKIE[ '__utmz' ], $match ) ) { $campaign_guid = $match[ 1 ]; } ?>

Security in the Cloud: What Should You Ask a Cloud Provider?

Big truck driving on highway

Perhaps you recognize the advantages the cloud offers — uptime, predictable monthly costs, connectivity and flexibility — but are still worried about security. The good news is that many mid-size and enterprise businesses are pleasantly surprised to discover the security at a cloud provider is more rigorous than what they have in-house. 

But not all companies are the same when it comes to cloud security. Consider the following when determining whether a cloud provider’s security is ample for your business.

  1. Regulatory Compliance

    While every cloud provider is different, those that wish to offer services to mid-size and enterprise businesses are expected to adhere to the stringent regulations formulated by multiple government entities and industry organizations regarding how they deploy, configure and monitor every aspect of their businesses.

    Annual independent third-party assessments are required by many of these organizations to validate a cloud provider’s ongoing compliance with their various regulations.  Security plays a major role in the vast majority of those assessments. The assessor will examine the physical security of the facility, the architecture of the cloud itself and the network security.

    Peak 10, for instance, completes multiple assessments and provides the accompanying reports including:

    • SOC 1 Type 2 (SSAE 16/ISAE 3402). This American Institute of Public Accountants (AICPA) audit aids companies in the evaluation process of the controls on financial assertions. With a SOC 1, a business self-identifies its own control areas and objectives, and is audited to ensure it is doing what it claims. Peak 10’s control objectives have been audited and found to be operationally effective. These control objectives include:
      • Physical security
      • Environmental security
      • Cloud, network services and monitoring
      • Logical security
      • Infrastructure change management
      • Provisioning
      • Support
    • SOC 2. This is an extensive assessment focused on the Trust Services Principles developed by the AICPA. Peak 10 completes an assessment each year against the security and availability principles.
    • SOC 3: This is a non-confidential, public report documenting the results of a successful SOC 2 assessment.
    • Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Companies that are required to adhere to HIPAA regulations must understand the role of a potential cloud provider and its compliance with the HIPAA Security Rule. As a part of Peak 10’s solutions, we have implemented the physical, technical and administrative safeguards to ensure that confidential electronic protected health information (ePHI) is secure and meets the requirements of the HIPAA Security Rule.
    • Payment Card Industry Data Security Standard (PCI DSS). PCI DSS establishes requirements to ensure that all companies process, store or transmit credit card information securely. The PCI DSS includes 12 data security standard requirements organized under six functional areas. Peak 10’s data center and cloud services have been examined and tested by an independent Qualified Security Assessor to assure PCI DSS compliance.

    If you are looking for a cloud provider, it’s a good idea to understand the standards and regulations specific to your industry, or to the customers you serve.  Ask your prospective cloud services provider for a copy of the relevant reports. Be sure to check the scope of the report to ensure all representations are accurate and fulfill your needs.

  2. Architecture and Security

    You should also ask about the cloud provider’s security features. Can the provider handle these workloads better, more securely and more reliably than you are in-house?  For many businesses, the answer is yes. Physically, a cloud provider is more secure because it separates your people from your hardware. You no longer have servers stuck in closets to which many people have access. Infrastructure-wise, the cloud is typically safer if the provider adheres to strict standards on how the infrastructure is configured, maintained and audited.

    Peak 10’s security includes:

    • Multiple layers of protection to help keep electronic information secure
    • Firewall and network security configurations
    • Industry best practices for installation, configuration and patch installation of managed servers and associated network devices
    • Proactive antivirus management ensuring versioning, active scanning and remediation of malware
    • Web application firewall, quarterly vulnerability scanning and documented change request procedures
    • Managed user access lists based on customer need
    • Secure audit trail and resource tracking
    • 24/7/365 support

What’s the Threshold for Your Business?

There’s no one-size-fits-all approach to cloud security. The key is to determine what your company’s needs are, and how well a prospective cloud services provider can meet them. By reviewing the provider’s regulatory compliance documentation that is relevant to your business, and understanding its cloud architecture and security mechanisms, you will have a better chance of determining if that provider can meet the security requirements of your business.

Fine tune your content search

About Peak 10

"Our values are the foundation for everything we do at Peak 10, and are ultimately what enable us to earn our customers' business and their trust."
David H. Jones,
Board Member, Peak 10 + ViaWest