Cloud Relationships: Getting to Grips With the ‘Vendor of My Vendor’
Published 04/15/2024
Written by Thales.
Over the centuries we have learned a simple lesson: there is no advantage in building walls or burying treasure on shifting sand. The lesson applies today, as businesses struggle to find the right place to store their data, the precious gold of our time.
A patchwork of privacy and data protection laws collides with a global marketplace of storage centers, communications networks, and competing priorities. This makes data sovereignty something of a paradox, and it prompts Steve Prentice’s question: who can you turn to, and who can you trust?
Steve Prentice is the host of the Security Sessions Podcast by Thales. This episode, themed ‘The Vendor of My Vendor: The Importance of Finding the Right Relationships for Cloud’, featured Sean Heide, Research Technical Director at the Cloud Security Alliance, and Chris Holland, VP of Cloud Services at Thales, who delved into working with vendors, customers, and the law.
According to Chris, sovereignty is complicated above all by geography: determining where data is stored becomes difficult because laws and jurisdictions vary. This, he said, is particularly challenging for large organizations with customers and employees around the world.
Asking the Right Questions
Here, internal expertise within the company is key: when moving into the cloud, you need to understand whether the company’s data is being hosted locally or within a specific geographical location. Organizations need to put these questions to their vendors to get a complete picture of where the additional cloud infrastructure is hosted, whether data is crossing borders, and how that could affect the business.
Sean pointed out that the challenges don’t only crop up when a business is in the market for a new vendor; they exist in established relationships too, where ending the relationship is all but impossible. He says large entities have long-standing relationships with SaaS companies; breaking those ties would be costly, yet the entities must still adhere to regulations. Therefore, they must explore alternative solutions to ensure compliance.
Maintaining Thorough Relationships
A business’s data assets do not simply sit undisturbed indefinitely; there are forces at play that must be taken into account. Paramount here is maintaining a good relationship between the company and its cloud provider, which Sean says means knowing the right questions to ask and trusting the vendor to answer them properly.
This goes over and above System and Organization Controls (SOC) reports, for instance. It means delving deeper: scrutinizing the architecture, looking at what data is crossing borders and how the components communicate over the internet, and assembling the bigger picture from all these pieces.
Yet Another Burden
Sean says there is another dimension: organizations also use third-party SaaS applications for other kinds of data, and they must be aware of where those vendors are storing it. This may seem to be yet another burden for organizations that have already entrusted their data to a cloud services provider, but he says it must be given top priority and appropriate attention.
When companies ask about the location and colocation of their data, they often discover that the vendor is using other cloud service providers to host it for them. They therefore need to become well acquainted with every “vendor of my vendor” arrangement: how data moves, how identity and access are managed, and whether the arrangement complies with local and regulatory law, all of which may differ from what they expected or agreed upon.
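The “vendor of my vendor” problem is a transitive one: the regions your data can end up in are the union of every region declared by every sub-processor reachable from the vendor you signed with. The script below is an added illustration of that idea and is not code from the podcast, from Thales, or from the Cloud Security Alliance. The vendor names, regions and sub-processor links in the inventory are constructed assumptions; in practice the inventory would be filled from the answers vendors give to the questions above (their sub-processor lists and hosting regions). It walks the chain, handles vendors that list each other or that never answered, and reports every vendor whose declared regions leave an allowed set.

```python
"""Transitive data-residency check over a vendor / sub-processor inventory.

Added example, not part of the original article. The inventory below is a
constructed sample: every vendor name, region and sub-processor link is an
assumption made for illustration.
"""
from collections import deque

# Constructed sample inventory. Each entry: the regions a vendor declares it
# hosts data in, plus the sub-processors it passes data to. "dns-c" is
# referenced by "cdn-b" but has no entry of its own: a vendor that was never
# asked, or never answered, the residency question.
INVENTORY = {
    "crm-saas":    {"regions": {"EU"},             "subprocessors": ["cloud-a", "email-relay"]},
    "cloud-a":     {"regions": {"EU", "US"},       "subprocessors": ["cdn-b"]},
    "cdn-b":       {"regions": {"EU", "US", "SG"}, "subprocessors": ["dns-c"]},
    "email-relay": {"regions": {"US"},             "subprocessors": ["cloud-a"]},  # reaches cloud-a a second way
}


def supply_chain(inventory, root):
    """Breadth-first walk from root; returns {vendor: path_from_root} for every
    vendor the data can reach transitively. The paths dict doubles as the
    visited set, so vendors that list each other cannot loop forever, and the
    path recorded for each vendor is the shortest one found."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        vendor = queue.popleft()
        for sub in inventory.get(vendor, {}).get("subprocessors", []):
            if sub not in paths:
                paths[sub] = paths[vendor] + [sub]
                queue.append(sub)
    return paths


def exposed_regions(inventory, root):
    """Union of every region any vendor in the chain can hold the data in."""
    regions = set()
    for vendor in supply_chain(inventory, root):
        regions |= inventory.get(vendor, {}).get("regions", set())
    return regions


def residency_findings(inventory, root, allowed):
    """One finding per vendor in the chain whose declared regions leave the
    allowed set, or which declares no regions at all. An unanswered question is
    reported as a finding, never silently treated as a pass."""
    findings = []
    for vendor, path in supply_chain(inventory, root).items():
        regions = inventory.get(vendor, {}).get("regions", set())
        if not regions:
            findings.append({"vendor": vendor, "path": path, "issue": "no declared regions"})
            continue
        outside = sorted(regions - set(allowed))
        if outside:
            findings.append({"vendor": vendor, "path": path, "issue": "data in " + ", ".join(outside)})
    return findings


if __name__ == "__main__":
    # Usage: the contract says EU only; see which links in the chain break that.
    print("regions reachable:", sorted(exposed_regions(INVENTORY, "crm-saas")))
    for f in residency_findings(INVENTORY, "crm-saas", allowed={"EU"}):
        print(" -> ".join(f["path"]), ":", f["issue"])
```

Two design points matter in practice. First, the walk is done over the whole graph, not just the first tier, because the contract you can read is with `crm-saas` while the jurisdictions that actually apply come from `cdn-b` two hops down. Second, a vendor with no declared regions is a finding rather than a clean result, because the most common gap is not a known bad region but a question nobody asked.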
Listen to the Podcast
This blog is just a snippet from the conversation between Chris, Sean, and Steve. You can listen to the entire discussion here or on your podcast app of choice.