How to Identify Trustworthy vendors in the cloud – TRUSTe
How to Identify Trustworthy Vendors in the Cloud
TRUSTe WHITEPAPER
TRUSTe Inc.
US: 1-888-878-7830
EU: +44 (0) 203 626 0109
www.truste.com
It’s All About Data
In the modern business landscape it’s rare to be able to talk about customer relationships
without the discussion centering on data. Data is at the center of understanding your
customer and gaining and maintaining that customer’s trust. What data are you collecting?
How are you using it? With what types of third parties are you sharing this data? Is there
any onward transfer out of your direct control in your workflow? Is all of the data secure at
every juncture and storage location?
Data is a critical asset and with this asset comes critical responsibility: How do you balance
the desire to use data that you collect while also respecting the privacy of those from
whom you collect it? How do you establish and maintain that critical component of trust?
It is a balancing act and your customers expect you to make the correct decisions and “do
the right thing” 100% of the time regarding their personally identifiable information (PII).
Little or no room for error
It does not matter how large or famous your company may or may not be. Likewise, the
products or services you offer are not really relevant. If you are collecting and storing any
customer or potential customer data you will—like so many others—be held responsible if
you violate their trust.
One of the primary factors you must understand, monitor, and police is the constant,
ever-increasing complexity inherent in Cloud-based business as more and more services
become available via the web. If you are to remain competitive, you are very likely going
to have to make decisions about how your company leverages the advantages of the Cloud.
Of course, as your data ecosystem expands, the potential for missteps also increases and
risk factors are multiplied.
Recent examples of such missteps:
• 2011: Apple and Google weather the “location gate” privacy scandal over their mobile devices. Apple changes collection practices in response.
• 2011: Playdom fined $3 million for violating children’s online privacy.
• 2011: Broken Thumbs Apps settles FTC charges that it violated children’s privacy law – the company is fined and forced to destroy the data.
• 2011: Netflix faces multiple privacy lawsuits over its data storage practices.
• 2011: Acquisition of Borders delayed due to questions over the privacy rights of 46M email subscribers.
• 2011: OnStar forced to reverse its location tracking policy following privacy outcry.
• 2012: Path social network app accesses address books without permission.
• 2011: nebuAd settles a $2.4 million privacy lawsuit over behavioral targeting practices.
There are two primary ways for trust to be breached and lost:
• The mishandling of data by you or trusted partners in your ecosystem
• Failed security, the leakage of data to unauthorized agents or eyes by you or partners
It is important to realize that regardless of how you may be implicated in legal action if a
breach occurs—even at a distant node in your ecosystem—your customers and the court of
public opinion will still be holding your brand accountable for any perception of injustice or
sloppiness in the care of personal information because it was to you that the information
was originally entrusted.
Also, if you are engaged in international business or you are partnering with others whose
data centers are established across borders, additional layers of rules, regulations, and
customer expectations may apply. You may be required by your business practices to
self-certify under the EU Safe Harbor framework or put other contractual mechanisms in place
to assure that your European customers’ personal information is protected according to
European standards. Or, for example, if a subset of your online data processing involves a
partner in Asia handling data collected from a French customer, you must ensure that the
related data transfers adequately meet European Union PII standards. US-EU Safe Harbor
covers data transfers to the US only. If customer PII is transferred to other countries outside
of this domain, then the appropriate legal mechanisms must be in place, such as model
contracts or binding corporate rules (BCRs). As you make every decision about outsourcing
or partnering to increase efficiencies in time and cost, you are also inviting increased
complexity, whether you are aware of that factor or not.
Vetting Partners and Service Providers
Building trust and looking at trust is not only important within the walls of your enterprise
but beyond and throughout your partner network. With the rise and easy availability of
cloud services, companies are engaging in relationships with more and more third party
service providers and partners. This often provides flexibility and cost savings that you
cannot create on your own. If there are already three other wheels out there optimized for
a process or capability that you do not already possess, frequently it does not make sense
to reinvent that wheel for the fourth time, paid for with your own resources. However, when
considering which of the three alternative wheels might be the best fit for your needs, it is
wise to vet all options carefully against the bigger picture of your business. If the transfer
of any personal information must occur for the relationship to be productive, you must
assure that your vendor or partner will be just as respectful of and careful with the data as
you are. Wheel number two may initially seem like the best option due to obvious costs,
etc., but wheel number one or number three may be better equipped to protect your
overall reputation.
Before you allow customer data out of your control into the hands of a partner/vendor,
you—or someone working on your behalf—should vet them for all of these data-centric
functional areas:
Collection Limitation and Use Minimization — Collecting a lot of data from or about your
customers is tempting from a business perspective. Collection limitation—collecting data
that is reasonably necessary to fulfill the purpose for which it was requested—is a key
element of data protection law in most jurisdictions. Also, you should not be using data for
purposes that were not disclosed to your customers at the time the data was solicited and
received. The general guiding principle is collect and use the minimum required information
to best lower your risk.
Access and Storage — Data containing personally identifiable information (PII) should
only be accessed by authorized entities, and it is possible that international requirements
may force you to allow the individual about whom the data was collected to see it and
even modify it at any time. Of course, any security breach—intentional by criminals or
unintentional by you or your agents—could have a catastrophic impact on your brand.
Onward Transfer — You may only share PII with others with the permission of the individual
involved. You must obtain that consent at the time the data is collected and anyone
receiving onward transfer data must abide by all of the rules that are established and
agreed to at the time of collection as well. Special additional care must often be taken when
this transfer involves the data’s crossing an international boundary.
Actual Practices — The ultimate “go to” guide for what you say you are doing and what you
should actually be doing is typically your privacy policy. It is ideal that it be written in clear
language that does not intimidate your customers and that it be unified for all business units
where possible and easily referenced. Your customers must be able to understand precisely
what you intend to do with their PII and why. Then of course, you (and your vendors and
partners in the Cloud) must abide strictly by your promises. You must all do what you said
you would do when you collected the data originally.
And in addition to care with these core domains, when your business relationships change
you must have assurances in place for re-obtaining all control of any data that has been
out of your domain. You may also need assurances in some cases that customer data at a
vendor or partner is destroyed.
The Breadth of Your Responsibility
Building trust and looking at trust is not only important within the walls of your enterprise
but beyond and throughout your partner network. From a customer’s perspective, if a ball
is dropped, it doesn’t matter where it’s dropped if they feel harmed by it. This means that
everyone in your business ecosystem must be following the rules that you establish with
your customers, at all times and in every scenario that PII comes into play.
Contracts must be in place to make sure that every aspect of care that is required is actually
being observed consistently by all relevant parties who come into contact with the PII of
your customers. If a partner or vendor will be engaging in onward transfer, that must be
taken into account. And if they are not contractually empowered to transfer customer data
to other entities, then doing so is a violation that might cost you both dearly. A breach at
one of your partner’s vendors—even two or three degrees of separation away from you—can
be just as damaging to your customer and therefore to your customer’s trust relationship
with you as if it had occurred due to your own servers or handling practices.
It’s easier with TRUSTe
Your company may already be in good shape in terms of having policies and contractual
protections in place that you and your customers need. However, certification by a privacy
specialist like TRUSTe can greatly expedite your third party contracting processes. Privacy
certification processes augment basic security audits. Privacy-centric evaluations examine
and understand data from the end-user perspective, not just the nuts and bolts that secure
data on the back end. It is in any company’s best interest to require the service providers
they are evaluating to have qualified third party privacy certification as a basic criterion for
partnering or outsourcing.
[Figure: your organization (YOU) at the root, bound to each vendor by a contract, and each vendor bound to its partner’s vendors by further contracts; every node holds customer name, location and phone number and is covered by a privacy policy.]
When all of the nodes in your ecosystem have been certified for safe best practices, you
have far less to worry about when forging new relationships or even implementing new
programs or processes that were not in place when original contracts were signed. TRUSTe
also assists clients in avoiding embarrassing and harmful problems through its privacy
feedback mechanisms. These help companies to identify privacy mishaps and pitfalls early,
before they potentially become public relations nightmares. TRUSTe can also serve as a
liaison in dispute resolution scenarios if necessary.
Success at Zendesk
Zendesk was created back in 2007 by two Danish entrepreneurs who had a vision of
providing great customer service through a SaaS product. Zendesk’s web application
provides help desk ticketing solutions and knowledge management capabilities for their
customers. It is a platform that allows customers to create a help desk to in turn assist
their customers. It functions on two levels. Zendesk—in collaboration with TRUSTe—has
developed best practices for security and PII policies and integrated those wherever
possible into their platform. They also educate and encourage their customers in these
best practices thereby perpetuating a mindset and culture of treating data as securely as
possible and not violating the privacy of their end-user customers.
However, complexities like integration with Facebook, Twitter, and other emerging web
services and phenomena continue to generate ongoing security and privacy implications
during the third party integration process. Zendesk’s customers, and their end-user
customers in turn, expect a consistent level of privacy and security policies to be in place
and for those to be uniformly enforced across the customer experience spectrum. So, as
Zendesk’s clients integrate with more and more third parties, they have to carefully and
constantly evaluate whether or not they can maintain their own standards.
Zendesk has over 100 third-party integrations, including CRM products and a broad variety
of others as well. This translates into over 20,000 clients in 140 countries—including both
small and very large businesses. Zendesk finds that their larger corporate customers tend to
be more sophisticated about security, whereas smaller customers worry less about security
and PII domain concerns if they have not yet experienced a breach. At times Zendesk finds
itself needing to educate customers on good security policies and practices.
TRUSTe has a multi-year relationship with Zendesk. Their data management, both in theory
and technical practice, is verified. Their privacy policy is now set to hold up at the highest
standard. TRUSTe educated Zendesk on how to modify and optimize the privacy side of
their business and Zendesk is now propagating best practices at every opportunity.
15 Years of Building Trust into Business
As a leading provider of data privacy solutions and certification services for 15 years,
TRUSTe is relied upon by small and large enterprises alike to assist them in designing
and implementing comprehensive data privacy strategies. TRUSTe fully understands the
complexities of identifying completely trustworthy vendors in the Cloud. If your partner or
vendor ecosystem needs to expand—or if you want to become that trustworthy, certified
vendor or partner—we can get you ready on every critical axis.
Please visit us on the web at:
truste.com/cloud
US: 1-888-878-7830 | EU: +44 (0) 203 626 0109 | www.truste.com © 2012 All Rights Reserved