How do Organizations Choose a Cloud Service Provider? Is it Like an Arranged Marriage?

Have you ever had to make a critical decision rationalised by clear value drivers but which was heavily reliant on trust? Social media seems to be inundated with references to a US reality show called “Indian Matchmaker” which generated interest around arranged marriages: a tradition that involves trust-based relationships and decision making, which has seen success and failure over the centuries.

While not as critical a decision as marriage, most organizations today face a similar trust-based dilemma- which cloud service provider to trust with their data? There is no debate over the clear value drivers for cloud computing- performance, cost and scalability to name a few. However, the lack of control and oversight could make organizations hesitant to hand over their most valuable asset- information, to a third party, trusting they have adequate information protection controls in place.

With any trust-based decision, external validation can play an important role. Arranged marriages rely on positive feedback and references, mostly attested by the matchmaker.

It also relies on supporting evidence such as corroborations of relatives and more tangible factors such as education/career history of the potential bride/ groom. In case of cloud service providers, independent validation such as certifications, attestation or other information protection audits could make or break a deal. 

The notion of cloud computing may have existed as far back as the 1960s but cloud services took the form we know of today with the launch of services from big players such as Amazon, Google and Microsoft in 2006-2007. Companies had to place “performance” on one end of the scale and “security and compliance” on the other end, having to constantly strike a balance.

This challenge is addressed by the major providers in the market today through means and tools that verify compliance with the most demanded regulations be it industrial or legal (e.g. PCI-DSS, ISO 27001, NIST, GDPR, HIPPA).

Despite these provisions, numerous organizations and industries are still hesitant to adopt outsourced cloud services without assurance over information protection. Moreover, data localization requirements enforced by regulation on certain types of data in some countries (e.g. client data of financial institutions in Luxembourg, public records in the Netherlands) could further narrow down cloud hosting options for organizations.

We are often asked- how do external validations in the form of information protection audit reports, foster the right level of trust?

Reputation of the Auditor

The reputation of the auditor certifying or issuing audit reports for the cloud service provider’s information protection controls is of paramount importance when it comes to fostering trust. Assurance, like randomness or anonymization, cannot be achieved realistically in its true full form but one can gain reasonable assurance over the controls when a credible audit firm tests and subsequently validates the controls. Hence it is important to choose auditors with a good track record and reputation as that can strengthen the trust from clients, just like a matchmaker with more successful arranged marriages in their credentials.

Standards and scope

When it comes to determining the mechanism for external validation, there is host of internationally recognized information protection/ cyber security standards to choose from, including ISO, SSAE, NIST, and COBIT. Service organizations such as cloud service providers need to assess which standards apply to their services and opt for the relevant audits accordingly.

The choice is not always binary. For example, a certain service provider processing financial data may need to implement a set of information security management controls based on ISO standards, data privacy controls aligned with  regulatory requirements such as GDPR and controls around payment card processing based on industrial standards such as PCI-DSS.

In the case of arranged marriages, there are a lot of unwritten standards, which may differ by culture and upbringing of the families, at times triggering debate and judgement. Factors such as preferable age, religion, career, education and family history could “define” such standards. Nonetheless, just like an information protection auditor, the matchmaker typically has the knowledge and experience to validate the applicability of each standard based on the specific scenario.

Once the assurance standards are selected, the scope of controls is of crucial importance in terms of applicability from both directions:

  • Controls that match the nature of services of the cloud service provider
  • Controls that are important to the clients that want assurance.

For example, a software as a service (SaaS) provider may need to place more importance to system/ software development controls than an infrastructure service provider. A client concerned over protection of their personal data may derive more assurance from privacy controls audits that that those focussing on data integrity (albeit as important).

Moreover, with outsourcing becoming more and more prominent in the IT world, the chain of trust between a client, service provider, their sub-service provider and so on become as strong as the weakest link, with assurance being needed across the chain.  Even though information protection standards are formalized and documented, the control sets do not come as one-size-fits-all which is why additional time invested in scoping can reap benefits, similar to how more time spent working out compatibility could help with the success of an arranged marriage.

Continuous Assurance

The first successful audit performed by a reputed audit firm using the relevant standards and right scope, can be a major milestone for a cloud service provider. It demonstrates how data entrusted to them by clients is protected. After all, external validations in form of audit certificates or reports facilitate swift market entry and revenue generation of the service provider.

As with any relationship however, maintaining the trust gained is imperative. Year on year, the cloud service provider needs to pass the audits while the scope and method of testing controls need to swiftly adapt to trends and technology advancement. For example, organizations may be expecting their cloud service providers to implement controls with increased automation and standardization over time, cognizant of changing regulations and industry requirements. The service provider and auditor need to work together in reviewing the scope periodically and ensuring the requisite controls for continuous assurance are covered.

In case of arranged marriages, the spouses do need to continually work on the relationship and trust. Also, the matchmaker may still play a role (welcome or not) because it is in their interest that the marriage succeeds. 

It is becoming increasingly common for organizations to ask their cloud service providers for evidence of external validation of information protection controls, prior to engaging in business or sharing data. External validation in form of audits are seen to foster trust over how data is protected by service organizations.

Every decision comes with a risk, particularly those based on trust- an intangible concept. However, informed decision-making taking into consideration the key factors above can lead to a successful trust-based relationship, which is perhaps why, unlike what is depicted in reality shows arranged marriages can often be successful.


These are personal opinions of the authors and do not reflect that of their organizations


What’s Hot on Infosecurity Magazine?