QuinStreet Report: Evaluating Cloud Providers for Security
As adoption of cloud technologies continues to accelerate, a new executive brief from QuinStreet lays out five key security considerations when choosing a cloud provider.
While security is often cited as a barrier to cloud adoption, organizations are discovering that the right cloud partner can, in many cases, actually strengthen an organization's security posture.
"Depending on the capabilities of the provider, an enterprise could actually improve the overall security compared to what it might otherwise be able to resource on its own," the report's authors write.
Implement the Right Services on the Right Cloud
The report concludes that to realize these benefits each organization must carefully determine which type of cloud—software as a service, private cloud, managed cloud services, or some combination thereof—best meets the security requirements of particular applications and data sets.
And each organization must also perform due diligence in terms of security when selecting providers.
"Security truly is partnership between you and your provider. The more critical and sensitive the information, the more critical that partnership," says Gail Coury, vice president, risk management and infrastructure operations at Oracle.
To help with that process, the report’s authors list five key considerations.
- Transparency of the cloud vendor. While security is an essential part of any contract with a vendor, signing an agreement is not enough. "The vendor should be able to make clear commitments about what controls are in place, where the data resides, who is managing the underlying technology, and other responsibilities it will assume as custodian of the data," write the report's authors.
- Risk mitigation. Organizations need to consider how secure access is revoked; for example, when a user leaves the organization. Single sign-on is one obvious solution, but many organizations do not want to share credential information with third parties. One solution is federated identity technology, which enables organizations to automatically remove a user's access to cloud applications at the same time the user is removed from the company directory.
- Proof of capabilities. Security certifications provide an easy and objective way to compare providers. However, organizations often require an even higher level of certainty. "In these situations, it is important to know up front whether the cloud provider allows customers to perform an audit or penetration test, and under what circumstances—any time, only during certain times, unannounced, and so on," write the report's authors.
- Integration options. "No cloud exists in a vacuum," write the report's authors. "Applications that run in the cloud typically must interact with other cloud-based apps in different types of clouds as well as non-cloud-based applications." It is vital to understand how cloud-based services fit within the overall IT infrastructure—and to ensure that manual management and coding do not present an added security risk.
- Breadth of experience. Each industry has its own set of security and compliance concerns. It is important that the cloud provider understands an organization's unique needs. At the same time, consistency in controls across all industries enables automation of operational management and monitoring. That makes breadth of experience very valuable—something niche providers often can't provide.
"Oracle, a leader in secure data management and controls, recognizes security’s importance at every level in the hardware-software stack," write the report's authors. "Oracle’s seamless end-to-end stack offering makes it unique among the many cloud providers."
"Security is foundational to Oracle’s cloud offerings and is critical to delivery of its cloud services," adds Coury.
Read the entire report: Five Things to Look for in a Cloud Provider When It Comes to Security.