Part of the b:INFORM 2015/2016 Cloud Survey Trend Series
1. Importance of Security
Consistent with last year, our survey identified security and privacy at the forefront of buyers’ and providers’ minds in relation to cloud services. Security (88%) and Privacy (73.3%) topped the list of buyers’ primary hesitations in deciding whether to buy cloud services. More than a majority of buyers were also concerned with control and regulatory compliance as well. The importance of security was evident in identifying buyers’ primary criteria for choosing a provider.
A majority of buyers identified published security terms and compliance as such criteria. In addition, 69% of buyers identified reputation as a primary criteria for choosing a provider. Multiple participants at the seminars where we have presented our results have suggested that reputation may be a proxy for addressing hesitancies related to security and compliance. From every angle our results were clear, security is a significant concern driving decision making in the cloud computing space.
2. Security Standards
Almost two-thirds of buyers responded that their agreements required their providers to agree to customer required security terms. A number of buyers identified ISO 27001 as the standard to which they required providers agree. In addition, many providers responded that they had to provide customers with controls reporting, specifically SSAE 16 SOC2 Type II reports. Whether the security standards are published by provider or the buyer requires the use of objective security standards, the issue of security is best addressed at the outset and explicitly documented in the cloud services agreement. This is especially important for highly-regulated buyers such as those providing financial services or health data processing.
Together with security standards, audit rights provide a crucial risk mitigation tool regarding security and compliance issues related to the cloud. Two thirds of buyers responded that their agreements permitted buyer to audit the provider’s delivery center. The audit right, while an essential tool to have available, is not exercised with great frequency in practice. Only a quarter of buyers responded that they have actually performed an audit of their cloud providers. One reason for such a low incidence of buyers exercising their audit rights could be the sufficiency of the reporting they receive from providers.
For example, if a provider makes an adequate SSAE 16 SOC 2 Type II report available to buyer, buyer’s auditors are able to verify the provider’s control activity with respect to buyer’s controls. In such a case, a separate audit by buyer may not be necessary. In any event, audit rights provide a helpful, and oftentimes, necessary requirement for buyers to have available in order to address the security concerns brought on in any sourcing to a third party and specifically with respect to some of the unique challenges faced in the cloud.