CDSA

Box Execs: Evaluating Cloud Vendors for Security, Compliance is Crucial

Evaluating cloud vendors based on their security and compliance capabilities is a must for any business because when you do business with one Software-as-a-Service (SaaS) vendor, you’re also doing business with every other vendor they do business with, according to Box executives.

That means even one weak link in the chain can jeopardize your entire enterprise, so the stakes are huge.

It’s important to make sure that vendors “really understand what’s happening with the data” and whether they “have the appropriate controls to secure that data,” Crispen Maung, Box’s chief compliance officer, said Sept. 18 during the webinar “Secure from the ground up: How to vet your cloud vendors.”

If a vendor doesn’t have at least the same level of data protection and information security as Box, for instance, “then they become our weakest point,” he said, noting: “At no time do I want to expose Box or Box’s customers to any weak point within the business.”

Asked to name the single most important thing he looks at to protect Box and its customers, Box CIO Paul Chapman said: “There are certain things you shouldn’t compromise on and I think it’s a sort of trifecta of things. Otherwise, you won’t be successful. First off is trust: Making sure that whatever service provider you’re looking at is able to provide the right trust vectors that you need.”

After trust, Chapman said: “Any specific compliance or regulatory requirements that you have must be met by whoever it is that you’re looking to use … . And then, thirdly, I think it’s about having a great user experience as well.”

Chapman warned listeners: “It’s sort of like the iron triangle … . You should not compromise on any one of those in order to have a successful outcome.”

It’s also “really important that you have a really good grasp on your IT reference architecture for the services that you run your business on and that you understand where the service that you’re looking to invest in fits into that architecture,” he told listeners.

Also during the webinar, Chapman said he learned two things recently. First, “the slowest rate of change that I think we will ever experience is the one we’re experiencing now [and] it’s not slowing down anytime soon,” he said. Second, he said: “Everybody should have a millennial as a mentor.”

Meanwhile, although the General Data Protection Regulation (GDPR) was implemented May 25 in Europe, Sanam Saaber, Box VP-legal, said she learned recently “there are still companies” asking her about it and asking how they should “get that going.”

Ahead of the webinar, Box pointed out that its business is “built on security, compliance and governance — and that means we make sure all our vendors comply with strict guidelines and standards so we can safeguard our customers’ security.”