10 Questions To Ask When Choosing Your Cloud Security Provider
Establishing and running a successful online presence always comes with some hurdles to overcome. Along with running a business and handling the quality of content, generating traffic and improving conversion rates, there’s also this increasingly important factor – your online security. Tons of researches over the last couple of years suggest that online security concerns and challenges are at an all-time high. Cyber criminals have been using progressively sophisticated technologies and tactics, and in their efforts they often outplay internal IT security capabilities. Keeping internal IT staff up to date with all the security technologies and trends can consume both valuable time and resources, and considering the global shortage of security experts, many companies are looking for specialised security providers to get help on the matter. Today a growing number of organisations is turning to security partners to set up a safe IT perimeter, further fueling the growth of the security services market which is expected to reach $3.25bn by 2018.
Once a company decides to involve external help, beside the financial aspect, there’s still a lot of parameters to look after in order to get the best suited solutions in place. To help you streamline the decision process when choosing your online security providers, we’ve put together a list of 10 questions you should get answers to when choosing your online security provider.
1. What are your and my company’s duties in the protection of our data?
When partnering up with a security provider one of the first things to clear up is the amount of responsibilities each of the partner has to take on. It’s important to determine what kind of involvement is required from each side. If you are required to follow certain procedures, it’s good to educate your staff and see how much you security provider gets involved on the matter. Does he follow you through the process “hands-on” or do you just get some guidelines? In terms of risk management, a company plays a key role in protecting their own data but the security provider must provide adequate assurance as well.
2. How will I get set up?
Once you choose and sign a contract with an online security vendor, the next logical step is to log in to your user dashboard and start configuring your account, adding employees as users, setting up permissions and key parameters. There’s a lot of fine tuning to do which can sometimes seem overwhelming as it requires adequate knowledge. Considering the lack of time, staff, expertise and/or resources being the reasons to why you approached a security solution provider in the first place, make sure the setup process doesn’t fire back. Some of them will walk you step-by-step through the whole installation and setup process of their services, while others will simply provide online guides. You should go with a provider that best suits your knowledge and skills or at least offers structured assistance when setting up your security solutions.
3. What level of access to logs will my company get?
Although it may sound simple at first, the level of access to logs should be one of the top concerns when choosing security providers. As the servers will no longer be entirely handled by your staff, it’s important to carefully consider what information will and what will not be obtainable from the provider. Although some information may simply not be as important to your company, it can happen that pieces of crucial data are not available. In that case, you should try to negotiate the level of log access you will be provided with as early as possible.
4. Who will be able to access my company’s data?
Although your data will likely reside somewhere else than within your premises, you definitely have to own and control it. You should look for a provider who uses customer data only to provide them with the services to which they have subscribed and for complementary purposes for providing those services. Make sure your security service provider doesn’t scan customer services, applications or data storages for advertising or other unapproved purposes.
5. Where will all the servers, processes and my company data physically reside?
When choosing your security provider it’s crucial to know where will your data reside. Providers can host all data in their own data centers, some may leverage cloud services and offer a hybrid on-site and cloud solution, while others may handle data on customer’s premises. Considering the increased migration and adoption of cloud services it is likely that you security provider will leverage cloud solutions as well. Although the cloud is considered as borderless, the data still has to reside somewhere in real countries which then have varying privacy and security laws in place. You need to be aware of regulations for both your country and the country where your data lives.
Knowing how each provider approaches the matter is key to finding the best fit.
6. What is your service level agreement (SLA) for uptime?
Downtime is when services are inaccessible to internet users for a period of time, as opposed to uptime which is the amount of availability your users can expect and you want it to be as high as possible. Many providers offer a 99.9% uptime, which can end up to almost 45 minutes of unwanted downtime per month and end up costing you revenue if your business processes are executed online. Most providers offer a “payback credit” to your account when the SLA is breached. This credit can amount at only a percentage of your monthly fee which is not anywhere near to the downtime costs your business could suffer. Outages can be disruptive and costly, so you want to partner with a provider with as few as possible. Some vendors even provide their downtime history logs online. Selecting a security provider that offers the right uptime guarantee is essential when choosing the right solution for your company so make sure to ask for provider’s track records.
7. How strong is your expertise?
The more expertise and knowledge your security provider possess, the better their performance will be. You want to make sure your data is handled by certified security experts who know exactly how to approach even the most specific issues. Look for provider whose experts are constantly training and improving. You need them to be up-to-date with the latest technologies you find most important for your business. Certifications are not only a measure of knowledge but also a good sign of dedication to excellence. Beyond individual certifications, you can check if the provider is ISO certified as a company. These certifications show a degree of professional approach to safe procedures, discipline and constant improvement.
8. What is the level of customer support I can expect if I side with you?
Today’s global, online economy doesn’t operate within “normal business hours”. The same is valid for cyber threats which are definitely not a “nine-to-five” occurrence. It’s why you should definitely look for a provider that offers quick responses and a proactive approach around the clock.
A good online security service provider will have sufficient resources to provide both remote management and monitoring, along with call support services available 24×7. This can mean handling all security needs daily or just complementing the coverage of internal staff when they’re not available. Without exception, technical support should be accessible online or by phone all day, every day of the week, including holidays. On that matter, find out whether you’ll be interacting with knowledgeable engineers or reps reading scripts when you reach for help.
Other important aspects you should also look into in terms of customer support are the average response and resolution time they can provide.
9. Do you keep a signed trail of which users performed what actions and when?
Setting up a safe IT perimeter is important to keep safe from hackers and external threats, but don’t underestimate the risks that arise from inside your company. It’s why it is important to protect against both malicious and mistaken actions. Find out if your security vendor can provide user action logs in order to track possible internal security mishaps and flaws. Also, when your employees know there is an audit trail, they will be more cautious and focus more on security details. Having an audit trail also greatly helps with troubleshooting and root cause analysis.
10. What is your exit process?
We all know not all relationships can last forever. It’s why it is important for companies to know exactly how the termination process is executed when ending a cooperation or switching to another provider. Make sure to define the following in your contract:
- How will the security provider assist with the transition – including providing the company’s data back or to a third party
- What are the provider’s destruction or electronic shredding policies – you need to have evidence that your data is no longer resident on the provider’s systems
- Which independent third parties will review and certify the exit process – you have to make sure the exit process is diligently executed and reviewed independently
Technology has become so complex and evolves at a rapid pace, which is why it’s no surprise that it can be challenging for internal IT departments to keep up. Security providers can offer different levels of support to meet your requirements, saving your IT staff from a Herculean task of staying on top of all the changes. As said, there’s an enormous deficit of InfoSec professionals, which is why turning to dedicated online security provider may be your safest bet when securing your online assets. Whether it’s to add capabilities you don’t already have in-house, or you want to shift the burden of operational work off your internal IT staff, at one point you will want to consider taking up professional security provider services. And when that moment comes, make sure to ask the right questions. If you are looking for a solutions to your security issues, feel free to talk to our experts here at GlobalDots as they can help you with everything performance and security related.