The guidelines are based in part on the Unified Certification Standard for Cloud & Managed Services Providers, the MSPAlliance Code of Ethics and Conduct, and the Consumer Bill of Rights. According to the MSPAlliance, the guidelines will be further illustrated in a white paper currently being developed that will be available to the public sometime this summer. Highlights of these guidelines include the following:
- Communication to businesses about the location of their data
- Disclosure to the business customer of any third parties who may have meaningful access to that customer data
- Established controls that govern how third-party service providers should handle sensitive customer data
- Controls for how service providers deal with both public and private cloud environments
- Transparency requirements for service providers when communicating with customers and prospects about sensitive data
- Ethical, financial and security controls governing how service providers handle customer data
Charles Weaver, co-founder and CEO of the MSPAlliance, stressed that businesses need guidance to determine which cloud is doing what and to understand which cloud providers are keeping their data within country boundaries versus those whose technology makes it difficult to determine where the data is actually residing. “Those are very fundamental questions, but most businesses don’t know how to go about doing it, don’t know how to assess their service provider in that regard,” he explained. “That’s what these guidelines are about.”

InfoSec Institute recently asked Weaver a few questions not only about the purpose of the guidelines, but also about where the MSPAlliance goes from here.

InfoSec: Were there any challenges in introducing these new guidelines?

Weaver: Honestly, no. The challenges we had happened 10 years ago when the initial group of board members were working on this for over a year. That was a challenging time, I can tell you. It was very hard work. It was work that was done by a good cross-section of the technology community, and it represents something that is very much scalable and relevant to managed services and cloud, but it’s also something that is relevant across the world….These guidelines are pretty easy to grasp, and they provide businesses that employ them a lot of visibility and clarity when it comes to deciding what their cloud strategy is going to be.

InfoSec: What’s the most important thing about these guidelines that should interest businesses?

Weaver: [There are] two things. Number one, it gives the business a set of questions, a set of principles that they can go and ask….[such as], ‘How do you work? How do you operate?’ That’s number one, the visibility. Number two, it’s a catalyst for a larger discussion, which is, ‘How important is my data?’ Most companies have many different types or categories of data, so different data sets have different levels of importance.

Let’s say a company…has a certain segment of its data that needs to be stored, but it’s not really important, it’s not sensitive. So we can put it up in maybe public cloud storage. But the company also has a certain segment of its data that is very sensitive, and then in light of all of these news stories, they might say, ‘Public cloud for that is not at all appropriate.’ But how do they figure out who the best provider is to deliver a private cloud offering? That’s the second benefit they will get from these guidelines.

InfoSec: Where does the MSPAlliance go from here?

Weaver: We’re going to have an announcement [in a few weeks] with a major security vendor who is going to be announcing some very interesting things with regards to their partner program and our guidelines. So that will be of interest to you and your readers. Where we go from here in a larger context? We keep doing what we’re doing. We’re actively seeking out and dialoging with various government agencies all over the world, including private sector businesses, and trying to get this information in the hands of as many people as we can.