The Four Pillars Of A Great Cloud Security Strategy

This article is more than 10 years old.

Guest post by Todd McKinnon, CEO of Okta.

There’s a fundamental shift taking place in the world of corporate IT. Organizations of all sizes are moving major portions of their infrastructure away from legacy, on-premises applications and opting for the flexibility, affordability and speed of the public cloud. Increasingly, CIOs are deciding to rent these cloud applications in key areas of the business, instead of buying on-premises software that burdens IT staff with buying and installing hardware and software, system maintenance and troubleshooting and monitoring.

When they make this move, CIOs are handing over control of many of their critical applications and infrastructure to outside partners, freeing themselves (and their staff) to focus on maximizing employee productivity rather than on software. Very few organizations will rely solely on the cloud for all of their infrastructure and applications, but as they make this move and build relationships with vendors, its success is predicated on trust. And while most large-scale public cloud application vendors invest more in security and reliability than any individual IT team can for a particular application, not all cloud vendors hold themselves to the same high standards – particularly when it comes to the security and reliability of their service and the transparency they practice when communicating with their customers.

It’s important for CIOs to evaluate each vendor’s ability to be a secure, reliable, transparent and trustworthy partner. I know from experience from my time at Salesforce.com that this was a critical piece of our value proposition, and I have found that to be even more important for my current company, Okta, which delivers an identity management service that touches all applications, as well as all users, within an organization.

Bob Blakley, formerly with Gartner and now over at Citibank, commented on the increasing criticality of identity in a report he wrote earlier this year, “As organizational boundaries erode under the pressure of federation and outsourcing, and as organizations' control over IT continues to weaken through increased adoption of mobile devices and cloud services, identity management is more important than ever — and more problematic.”

For critical infrastructure services such as identity management to be successful, it is paramount that vendors provide a level of reliability, security and transparency that is better than any individual IT organization could achieve on its own.

So, based on the two experiences I have had building public cloud services, what advice would I give CIOs who are evaluating a new cloud vendor?

First, any evaluation of a vendor should cover the people they hire, the services they build, their operational processes and how they communicate with their customers — in good times, but more importantly in bad — as there are always going to be bad times in any relationship. Breaking this down, there are a few key components a CIO should assess: people, reliability, security and transparency.

People: Security Starts with Employees

It’s important for vendors and CIOs to see eye-to-eye on security, but it’s just as important that a vendor’s employees understand their roles and responsibilities regarding information security. Goals must be aligned not only between partners, but also from top to bottom throughout a vendor’s organization.

CIOs should do their due diligence to ensure their cloud vendors’ commitment to security controls for employees checks out. Not only should the vendor be doing the requisite background checks on employees before they sign on the dotted line, but the company should also educate its employees on security best practices and have a methodology for continuing that education over time. Do your research and talk to colleagues and other CIOs to gauge the reputation of a vendor’s employees.

Reliability — Zero Downtime Architecture That Just Works

To ensure reliability, the architecture must be multi-tenant and the service should have high levels of redundancy built in. Downtime, especially for critical applications, is unacceptable.

The application itself should be stateless so that any component can fail at any time without impact to you. Databases, which can’t be stateless, should be replicated broadly and in real time. And the service should run in multiple data centers with real-time replication between production and backup infrastructure so that failover is seamless. Finally, for business-critical services such as identity management, maintenance windows should be a thing of the past.

I learned that from my time at Salesforce.com. Technically, it is possible to engineer a system that requires zero planned downtime, so you should feel comfortable requiring that from your vendors.
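The reliability pattern described above, as an added illustration that is not code from the article or from Okta: a small simulation of three application nodes behind a health-checking router. In each scenario a user's session is created on one node and that node then fails or is restarted; the next request lands on a different node. The "stateful" variant keeps sessions in node memory (with sticky routing back to the owning node), the "stateless" variant keeps them in a stand-in for a replicated store. The node names, token format and user counts are constructed for this example.

```python
"""Simulation of stateless vs. stateful nodes under node loss and rolling
restart. Added example; all names and values here are constructed."""
import random
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    healthy: bool = True
    # In-memory sessions: only the stateful design puts anything here.
    sessions: dict = field(default_factory=dict)


class ReplicatedStore:
    """Stand-in for a database replicated in real time to every data center:
    every node reads the same data regardless of where the write happened."""

    def __init__(self):
        self._data = {}

    def put(self, key, value):
        self._data[key] = value

    def get(self, key):
        return self._data.get(key)


def route(nodes, rng, token=None):
    """Router with health checks: never sends traffic to a node marked down.
    If some healthy node holds the session in memory (stateful design), route
    back to it, emulating sticky sessions; otherwise pick any healthy node."""
    healthy = [n for n in nodes if n.healthy]
    if not healthy:
        raise RuntimeError("no healthy nodes available")
    if token is not None:
        for n in healthy:
            if token in n.sessions:
                return n
    return rng.choice(healthy)


def login(node, store, stateful, token, user):
    """Create a session: on the node (stateful) or in the store (stateless)."""
    if stateful:
        node.sessions[token] = user
    else:
        store.put(token, user)


def authenticate(node, store, stateful, token):
    """Validate a session token on whichever node received the request."""
    if stateful:
        return node.sessions.get(token)
    return store.get(token)


def failures_after_node_loss(stateful, users=20, seed=1):
    """Count sessions broken when the node that created them fails before
    the user's next request arrives."""
    rng = random.Random(seed)
    nodes = [Node(f"app-{i}") for i in range(3)]
    store = ReplicatedStore()
    broken = 0
    for user_id in range(users):
        token = f"tok-{user_id}"
        first = route(nodes, rng)
        login(first, store, stateful, token, user_id)
        first.healthy = False                     # node crashes
        second = route(nodes, rng, token)         # request lands elsewhere
        if authenticate(second, store, stateful, token) != user_id:
            broken += 1
        first.healthy = True                      # node recovers for next loop
    return broken


def failures_during_rolling_restart(stateful, users=20, seed=1):
    """Zero-planned-downtime deploy: drain and restart nodes one at a time
    while traffic keeps flowing. Returns how many users lost their session."""
    rng = random.Random(seed)
    nodes = [Node(f"app-{i}") for i in range(3)]
    store = ReplicatedStore()
    for user_id in range(users):                  # sessions spread over fleet
        login(route(nodes, rng), store, stateful, f"tok-{user_id}", user_id)
    broken = set()
    for node in nodes:
        node.healthy = False                      # drain this node
        node.sessions.clear()                     # process restart wipes memory
        for user_id in range(users):              # traffic during the restart
            token = f"tok-{user_id}"
            target = route(nodes, rng, token)
            if authenticate(target, store, stateful, token) != user_id:
                broken.add(user_id)
        node.healthy = True                       # back in rotation
    return len(broken)


if __name__ == "__main__":
    for stateful in (True, False):
        label = "stateful " if stateful else "stateless"
        print(f"{label}: {failures_after_node_loss(stateful)}/20 sessions broken "
              f"on node loss, {failures_during_rolling_restart(stateful)}/20 "
              f"broken during rolling restart")
```

The stateless fleet loses no sessions in either scenario because the only state lives in the replicated store, which is exactly what lets a vendor retire maintenance windows: any node can be taken out at any time. The stateful fleet loses every session whose node goes down, even with sticky routing, because the session has nowhere else to live.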

Security — Prove It and Practice It Regularly

Is the service secure? Does your vendor exercise secure software development practices? How do they validate security both for themselves and for you?

For the application itself, find out whether the vendor uses outside, third-party security experts to regularly review the software and perform ongoing testing on the service to identify any potential vulnerability. Ensure that the third party validates these best practices and performs this testing on a regular basis — not just when it is convenient or needed to check a box on an RFP or marketing data sheet.

What additional steps are they taking to prove they are a secure service provider? Any mature cloud company that wishes to assuage a CIO’s security concerns must meet SOC 2 Trust Services Principles. SOC 2 is the new, most stringent industry standard when it comes to running a secure service.

Vendors can be certified on any of the five trust attributes associated with SOC 2 (security, availability, processing integrity, confidentiality and privacy), but the most reliable companies, with the greatest commitment to security, maintain certification across all five.

Transparency: The Best Policy

Cloud vendors must be open and clear about any incidents, even if their users don’t notice any problems. They should maintain open, two-way communication with their customers to solicit feedback on where the company’s headed and why. CIOs should start to worry if their cloud vendors disappear after the check clears or are hard to reach when there is a blip in the service.

Moving key pieces of your infrastructure to the cloud has huge business benefits, of course, but that move doesn't come without risks. By entrusting cloud vendors with support and maintenance of core, too-important-to-fail business applications, from identity management to HR, CIOs are taking a leap of faith that their cloud vendors are capable of providing a secure, highly available and transparent service. Many vendors do a great job on delivering on this promise and others are getting better by the day. As you evaluate starting a relationship with one of these vendors, make sure you are comfortable with their ability to deliver a secure, reliable service — and that your relationship will be built on a foundation of transparent communications, shared values and trust.

Todd McKinnon is CEO of Okta, an on-demand identity and access management service. You can follow him on Twitter at @ToddMcKinnon.