10 top things to look for in a cloud security solution provider
Searching for a Cloud Security Provider can be confusing. Many providers appear the same at first glance: similar metrics, similar promises. The fact is, the information you need to make a real comparison requires asking questions and probing for details that cloud services vendors don’t always volunteer. Use this list to be sure you’ve covered the essential elements for choosing the right cloud security provider to protect your organization from malicious cyberattacks.
- Experience: How long has the provider been in the cloud security business? How many cloud security clients around the world do they have now? (Insight into global attack vectors is useful.) Can they support your business in the way you need?
- Capacity and Scale: Many cloud security vendors imply they have enough scale, but the way they measure scale matters. You need to know if they can scale when you need them. Ask: What’s the largest Distributed Denial of Service (DDoS) attack they can really handle? Can they show you they’ve actually done so, with real attacks on their network?
- Performance, distribution, and availability: Does the provider offer fully-integrated cloud security solutions incorporating a global network of servers supported by data-drive algorithms and automation? Can you choose between DDoS scrubbing, CDN networks, or both?
- Collective Intelligence: Does the cloud security provider have the scale and global traffic volume to generate meaningful intelligence? Are they prepared to leverage this accumulated expertise to benefit their entire customer base if, when, and before they are attacked? Do they use a comprehensive big-data analysis engine to identify a single attacker that may have an impact on other clients?
- IP Reputation: What sources does the cloud security provider use to assign a reputation score for IP addresses? Some IP reputation products have varying degrees of quality and use a binary risk score: attacker or not, rather than a range of scores based on malicious activity over time.
- Accuracy: Interpreting accuracy claims from different Web Application Firewall (WAF) vendors is tricky. Comparison between two vendors’ accuracy rates is meaningless unless both were measured with the same test. Find out what was tested, who was tested, and how many tests comprise the final result. Make sure you compare apples to apples.
- Continuous Improvement: The key to accuracy is fine-tuning the rules regularly to stay up to date with evolving traffic. How often does the cloud security vendor test the security infrastructure—monthly, weekly, daily? How much traffic do they use for testing?
- Time-to-Mitigate: Does the cloud security provider’s Service Level Agreement (SLA) commit to speed and quality of mitigation, or just to a response time? Most vendors can promise to respond within minutes, but that only promises an investigation. Specific and contractually guaranteed mitigation SLAs are a tangible metric you can use to compare protection more accurately.
- The Human Factor (Security Operations Centers): Many vendors claim to protect you with their 24/7 SOC. However, it’s crucial to find out how many facilities your cloud security vendor has, where they’re located, and how they are staffed. How many people are available at one time? What protocols do they use to ensure you stay covered between shifts during an ongoing attack?
- Multi-layered Defense/Defense in Depth: No single security solution is 100% effective. But if the tools you’re combining are built on the same underlying technology or hardware, you’ll have multiple layers with the same weaknesses and gaps for attackers to exploit. The best approach is to layer multiple, best-of-breed technologies on top of each other.
More and more organizations are relying on the cloud for Internet security. Cloud-based security can offer an enterprise more scale, more accuracy, and better performance than an on-premises solution alone. Choosing a cloud security solution to work successfully with your existing security infrastructure requires understanding what’s really being offered