Almost every survey regarding moving an enterprise to the cloud shows “Security” as the top concern by most business leaders. It’s important to note, that the “Cloud” can only be as secure as the provider makes it. Some cloud providers are exemplary at providing a secure network, some are not. The right cloud provider is going to operate their network with a much higher level of security that most enterprises, but it’s not good practice to assume they are doing so. In order to find out how secure you provider is, it’s important to ask the right questions.
It’s not enough to trust that your data is secure just because your vendor says it is. Read through your contract in detail. It’s also a good idea to get a legal review of the contract, preferably before it’s signed to make sure you know where your liability ends and the providers begins. Your provider should be able to answer these 5 questions
1. Who has access to my data and how is that access managed?
This is important. The provider will always have access to some form of the data. It has to. The question is, does the provider maintain a good security practice around the management of that data and how is access governed withing the providers network?
Good answers to expect: ‘We have limited access by only key individuals, security is managed by a rigorous access control and auditing program’
Possible warning signs: ‘We have no access to your data’; ‘We are not responsible for data security
2. What screening methods are involved in hiring staff members and vendors?
Service providers of every type should have a process to make sure that their staff members and vendors all pass a rigorous security screening which includes background checks to make sure they’re trustworthy.
Good answers to expect: ‘We have a detailed screening process that all employees must pass before they’re able to work here‘
Possible warning signs: ‘We make sure our employees are trustworthy‘ (without a process to validate it)
3. How can I report a possible security breach and what is the expected response time?
The answer to this question should be very clear. Furthermore, the process should be documented and easily accessible. Your staff members should be able to know what to do in an emergency.
Good answers to expect: ‘Call this number to speak to a support representative immediately‘
Possible warning signs: ‘Submit a ticket by email or web form, your inquiry will be responded to within one business day‘
4. Do you have a security policy and is it available to customers?
This is a bit of a trick question. Security policies should be company confidential. If a provider is too willing to give you information about their security practices, that could indicate irresponsibility on their part. They should be able to provide a list of security policies and the table of contents, but not the policy itself. Some providers will be able to even provide certifications based on SSAE, PCI or SOX audits.
Good answers to expect: ‘We have internal, confidential polices, but we can provide limited disclosure on what those policies contain‘
Possible warning signs: ‘Yes, we can provide you with all our security documents‘
Even worse answer: ‘We have a policy, but it’s not in writing‘
5. What security related certifications does your organization own?
There are a lot of security certification out there for solution providers. Sarbanes Oxley is one, SSAE 16 is one that applies to datacenters specifically; there are 3 types, 1, 2 & 3. Having all three means the facility has undergone a very strict audit that happens once a year in order for them to keep their certification.