The International Association of Cloud & Managed Services Providers (MSPAlliance) recently announced guidelines intended to give businesses the tools they need to make smart and informed decisions about how their data interacts with the cloud.

The guidelines are based in part on the Unified Certification Standard for Cloud & Managed Services Providers, the MSPAlliance Code of Ethics and Conduct, and the Consumer Bill of Rights.

According to the MSPAlliance, the guidelines will be further illustrated in a white paper currently being developed that will be available to the public sometime this summer.

Highlights of these guidelines include the following:

  • Communication to businesses about location of their data
  • Disclosure to the business customer of any third parties who may have a meaningful access to that customer data
  • Established controls that govern how third party service providers should handle sensitive customer data
  • Controls for how service providers deal with both public and private cloud environments
  • Transparency requirements for service providers when communicating with customers and prospects related to sensitive data
  • Ethical, financial and security controls governing how service providers handle customer data
Charles Weaver - MSPAlliance

Charles Weaver – MSPAlliance

Charles Weaver, co-founder and CEO of the MSPAlliance, stressed that businesses need guidance to determine which cloud is doing what and to understand which cloud providers are keeping their data within country boundaries versus those whose technology makes it difficult to determine where the data is actually residing.

“Those are very fundamental questions, but most businesses don’t know how to go about doing it, don’t know how to assess their service provider in that regard,” he explained. “That’s what these guidelines are about.

InfoSec Institute recently asked Weaver a few questions not only as to the purpose of the guidelines, but also as to where the MSPAlliance goes from here.

InfoSec: Were there any challenges in introducing these new guidelines?

Weaver: Honestly, no. The challenges we had happened 10 years ago when the initial group of board members were working on this for over a year. That was a challenging time, I can tell you. It was very hard work. It was work that was done by a good cross-section of the technology community, and it represents something that is very much scalable and relevant to managed services and cloud, but it’s also something that is relevant across the world….These guidelines are pretty easy to grasp, and they provide businesses that employ them a lot of visibility and clarity when it comes to deciding what their cloud strategy is going to be.

InfoSec: What’s the most important thing about these guidelines that should interest businesses?

Weaver: [There are] two things. Number one, it gives the business a set of questions, a set of principles that they can go and ask….[such as], ‘How do you work? How do you operate?’ That’s number one, the visibility. Number two, it’s a catalyst for a larger discussion, which is, ‘How important is my data?’ Most companies have many different types or categories of data, so different data sets have different levels of importance.

Let’s say a company…has a certain segment of its data that needs to be stored, but it’s not really important, it’s not sensitive. So we can put it up in maybe public cloud storage. But the company also has a certain segment of its data that is very sensitive and then in light of all of these news stories, they might say, ‘Public cloud for that is not at all appropriate.’ But how do they figure out who the best provider is to deliver a private cloud offering? That’s the second benefit they will get from these guidelines.

Want to learn more?? The InfoSec Institute CISSP Training course trains and prepares you to pass the premier security certification, the CISSP. Professionals that hold the CISSP have demonstrated that they have deep knowledge of all 10 Common Body of Knowledge Domains, and have the necessary skills to provide leadership in the creation and operational duties of enterprise wide information security programs.

InfoSec Institute's proprietary CISSP certification courseware materials are always up to date and synchronized with the latest ISC2 exam objectives. Our industry leading course curriculum combined with our award-winning CISSP training provided by expert instructors delivers the platform you need in order to pass the CISSP exam with flying colors. You will leave the InfoSec Institute CISSP Boot Camp with the knowledge and domain expertise to successfully pass the CISSP exam the first time you take it. Some benefits of the CISSP Boot Camp are:

  • Dual Certification - CISSP and ISSEP/ISSMP/ISSAP
  • We have cultivated a strong reputation for getting at the secrets of the CISSP certification exam
  • Our materials are always updated with the latest information on the exam objectives: This is NOT a Common Body of Knowledge review-it is intense, successful preparation for CISSP certification.
  • We focus on preparing you for the CISSP certification exam through drill sessions, review of the entire Common Body of Knowledge, and practical question and answer scenarios, all following a high-energy seminar approach.

InfoSec: Where does the MSPAlliance go from here?

Weaver: We’re going to have an announcement [in a few weeks] with a major security vendor who is going to be announcing some very interesting things with regards to their partner program and our guidelines. So that will be of interest to you and your readers.

Where we go from here in a larger context? We keep doing what we’re doing. We’re actively seeking out and dialoging with various government agencies all over the world, including private sector businesses, and trying to get this information in the hands of as many people as we can.