Cloud Security and the Channel: Communication Key to Mitigating Risk

Kristopher Spadea

By Kristopher Spadea

Your business customers have likely grown much more comfortable with the cloud, for good reason: If you look at the high-profile breaches that have hit the news, most have occurred in companies running their own systems on premises.

Still, security can never be taken for granted, especially in the cloud. Anytime third parties are involved, you introduce risk. With so many entities working together on a single solution – the cloud provider, the solution provider, the channel partner, and the client – there is always a chance that something will be overlooked. Thus, cloud requires greater coordination among channel partners than a traditional engagement because security depends on a shared responsibility model,  where multiple entities care for a single organization’s data. To make that work, there must be clear lines of delineation on who is responsible for what. A big part of implementing a new cloud-based solution is communicating among the channel partner, other providers and the customer to define the security requirements and determine ownership.

Mitigating risk requires constant communication and a clear understanding of exactly what needs to be done — and who’s going to do it.

Typically, this means the cloud provider is responsible for the infrastructure components, which can include anything from the compute, storage and networking layers to firewalls. The customer and the channel partner are responsible for everything that layers on top of that infrastructure: the operating system, the application, the database, and even encryption of the data. The cloud provider doesn’t necessarily care if sensitive data is encrypted in flight or at rest, or if the operating system hasn’t been patched in three months. These are things that the customer is responsible for, and it is in the channel partner’s best interest to ensure that best practices are thought through and maintained.

Increasingly, channel partners are looking to bring managed service providers into the deployment of cloud-native solutions for customers. MSPs are able to take on the headaches of properly provisioning, architecting and maintaining a cloud environment, be that in a hosted private cloud or in a public cloud like Amazon Web Services (AWS). This sort of peer partnership can help ensure that the proper technologies and processes are in place. In theory, both the customer and the channel partner are thereby freed from the drudgery of maintaining the cloud and can focus on growing their businesses.

Still, as the owner of the customer relationship, partners must ask the hard questions — lest they be forced to have an even harder conversation if a third party they recommended drops the ball on security.

For example, customers in some vertical industries have specific compliance certifications that they must abide by. Do the cloud provider and MSP partner have this expertise? In health care, for example, the transfer of electronic health records between doctors’ offices must follow the standards laid out by the Electronic Healthcare Network Accreditation Commission (EHNAC) for trusted data exchange. Security is about trust, and certification and compliance with the appropriate standards at all levels of a cloud-based solution are an essential part of building that trust.

For channel partners, the choice of cloud provider must therefore be based on the needs of the customer and the nature of the workload being put into the cloud. Is the provider able to provide a high enough level of support and security to fit the profile the customer requires? Will the provider allow the implementation of security technologies on top of the base infrastructure provided?

The world has moved beyond simple perimeter security, so a simple firewall is no longer enough. Good security planning starts with the assumption that bad actors already have access to the network, so ask, “How can the cloud provider help mitigate that? Does your provider allow you to put network intrusion or prevention tactics in place? Or, post-intrusion protection? Data encryption?”

And, this is not “set and forget.” Because the cloud is an ongoing service, channel partners must pay closer attention to how customers are using a cloud-based solution than they might have an on-premises system. If something happens to knock a customer offline, that likely impacts their revenue stream. Good security is a big part of ensuring a cloud-based solution remains available.

Channel partners are in a good position to deliver strong cloud security. After all, they are the most familiar with the customer’s existing infrastructure, processes and policies. Smart advisers will take on a key role as the intermediary between the customer, who needs a specific service that the partner is not able to provide, and the other providers involved in delivering the complete solution. So don’t be shy about asking the hard questions.

Kristopher Spadea is a solution engineer for the channel organization at Sungard Availability Services (Sungard AS). Before that, he was a cloud specialist for Sungard AS, working in both the commercial and enterprise markets throughout North America.