There is a significant business risk lurking in the cloud computing industry and it is a matter of time before this exposure becomes public in some form of cloud outage, or worse, a data breach. So, what risk am I referring to? I am talking about the huge gap between service providers and third party providers, like data centers.

KONICA MINOLTA DIGITAL CAMERA
The MSPAlliance does a lot of certifications and audits on MSPs, cloud providers, and data centers every year. Too often, we see service providers rely on the certifications of their partners, rather than focusing on their own process, documentation, and security. In fact, I think the practice of reliance on partner certifications can actually be damaging because it creates a false sense of security, both with the service provider and the customers who are unaware of this significant risk gap. I'll explain.
When service providers make representations about their Network Operation Centers, help desks, data centers, or any other capability they market, there is a fine line between salesmanship and misrepresentation. Many MSPs partner with other providers in order to bring key features like NOC, help desk, and hosting, to their customers. Most customers trust their MSP and wouldn't question these representations. But, if the customer knew that the MSP really didn't own or operate the data center, didn't own the NOC, didn't own the help desk, would that really matter? For some it might, for others it might not.
The point is not that a MSP or cloud provider own everything they deliver; this is simply not practical. Instead, the point is about transparency and how much detail the service provider offers customers when it comes to which services are being delivered by the MSP and which by 3rd parties. In some markets, like financial services, omitting this information could result in serious trouble for the MSP and their customer.
In my opinion, the more serious and widespread problem is when service providers simply neglect to adopt policies and procedures because they think their "partner" has it covered. For example, an MSP uses a data center that possesses a certification like SSAE 16 or UCS. The MSP may think that the certification is enough to cover their own policies and procedures. This is simply not true! MSPs, even if you outsource to 3rd party partners, you must have policies and procedures that govern and are effective for your own environments, right up to the point they interact with the partner.

