5 Security Questions To Ask Your Cloud Provider
2:00 PM EST Wed. Jan. 23, 2013
Companies considering working with a cloud provider need to properly vet the service, seeking validation of the architecture's security and the state of nearly every aspect of its information security program. Cloud security experts say businesses need to treat the engagement like an evaluation of any technology provider, request to speak to the security team, find out how it conducts penetration testing and determine if its incident response plan is adequate. Some firms request to see the provider's security operations center and add services into the cloud contract negotiation, such as continuous monitoring and access to logs.
Here are five questions you should ask and have answered.
Find out if security is a reactive part of the cloud provider's processes or if it is actively securing its systems. Smaller providers will have system administrators addressing security as issues pop up. Get customer references. Skills and certifications only go so far, said Sean Bruton, senior product manager at Hosting.com. Talk to the staff and generally get a feeling of their experience and knowledge.
Ensure that the provider is actively looking for weaknesses and vulnerabilities in its platform. If you are evaluating a large service provider, ensure that you can mitigate any risks discovered in your specific infrastructure. Insist on active monitoring, support and communication when problems arise. Ensure that a monthly report, a quarterly call or other regular meeting is set up to discuss issues and any improvements that are needed in your environment. The business that owns the data is responsible for securing it.
Service providers should be able to show proof that the architecture and systems have been audited, giving you peace of mind that the systems meet a cloud security standard. Service Organization Control (SOC) reports show that the provider offers reasonable protection over customer data, say experts. A SOC2 report is an exhaustive review of the control environment and would only be provided under a nondisclosure agreement. It gauges a service provider's controls against the Trust Services Principles, which cover the security, availability, processing integrity, confidentiality and privacy of the organization. A SOC3 report is more streamlined but freely available, and should provide reasonable information about an assessment of the provider's security.
Security experts advise that penetration testing is a valuable tool to find weaknesses and configuration issues before a real attacker strikes. A full penetration test is unlikely in the case of Salesforce.com or another SaaS provider, but a large infrastructure service provider will let potential customers conduct a penetration test. Conduct vulnerability scans or hire a firm to perform a full penetration test. If the service provider has an internal penetration testing team, you can request a detailed audit of its reports. Third-party testing may be required to meet certain compliance mandates.
If you are working with an infrastructure provider, most organizations will pick the data center where the information will reside, and many service providers have data centers to settle country-specific data location regulations, according to Hosting.com's Bruton. There won't be any export control issues or international issues to deal with. Organizations must keep an eye on what happens to the data if there is a data scrubbing requirement to meet. Find out what happens to data stored in the cloud if the organization changes providers. Organizations with very I/O- and memory-intensive databases or ERP systems typically use a co-location service.