Security and the Cloud: What You Should Ask Your Cloud Provider
BY LEN WHITTEN
So you’ve decided to move your IT data and infrastructure to the cloud. You’re not alone. More than one-third of contractors surveyed in 2014 rely on cloud computing for a variety of reasons.[1] They depend on it for backup and disaster recovery services, to access cloud-based software and to outsource computer storage, hardware, services or network components, among other uses.
As background, a cloud environment is a large network of remote virtual servers, reachable over the Internet, that store, manage and process your data. The environment includes firewalls, load balancers and operating systems, and its infrastructure can be accessed and controlled remotely over secured connections.
Given the cloud’s complexity, more construction firms are developing security plans to protect their cloud environments and the data they store. In fact, more than half of surveyed contractors have such a plan, compared to only 40 percent in 2013. Their concern is warranted: breaches of valuable business information occur more and more often as cyber-thieves continue to attack businesses’ network defenses.
This is why it’s important to properly vet the cloud security providers you’re considering, asking them pointed questions about how they will protect your information.
Ask to speak to the security team responsible for protecting your infrastructure and data. Find out how they test whether their incident response plan is effective, and determine whether the team is actively hardening its systems rather than only monitoring and reacting to attempted breaches.
WHAT YOU NEED TO KNOW ABOUT A CLOUD SERVICE PROVIDER
Before discussing the security questions to be asked, it’s critical to remember what retaining a service provider entails. First, your trust in a managed security service partner is critical. Remember that you’re handing over the keys to your most valuable information and IT operations.
Here are some key questions to make sure you’re comfortable making that transfer:
- How long have you been in business and do you have financials available?
- How many clients do you serve and can you supply a list of them?
- What investments are you making to ensure the security of your customers’ data?
- Can you share a few customer case studies, even if they are anonymous?
- What certifications do you hold and which organization(s) validate your work?
- Can you share references (three preferable)?
- Who will manage the cloud environment for us and what qualifications do they hold?
- What access controls are in place and how do you limit risk?
- Who can access what data and under what circumstances and conditions?
- What processes dictate administrators’ actions?
KNOW THE SECURITY QUESTIONS TO ASK
There are numerous security questions to ask, and don’t hesitate to ask them because, again, you must feel comfortable with your ultimate choice.
Be wary: if a provider contends it has never had a security incident, move on. Who would want to place faith in a novice?
Here are security-related inquiries and requests to consider:
- Where is our data actually located? Is our company’s data shared on the same server and storage area as others? If so, explain how our vital business data is segregated and secured.
- Do you encrypt our data and, if so, how? Can individual customers encrypt their own data? How do you use encryption to protect customer data? How and where do you store the decryption keys? Have your security methods been tested and proven effective?
- What technology do you have in place to detect if an application is under attack? What specific network intrusion detection technology do you use?
- What response times do you offer if an attack does take place?
- Take us through the procedures you would follow in case of a security incident. How have your procedures changed over the years as data intrusions have increased in general?
- What are your security policies related to personnel? How do you screen candidates? (Be sure the process is as good as your own.)
- What do you do to protect against breaches caused by employee error?
- What regulations and annual IT audits must you comply with, and what are your processes for accommodating the needs of our auditors? Talk specifically about what you do regarding some of them, including, say, ISO 27002 and Safe Harbor.
- Can you explain the intricacies of your service-level agreement?
- Is your infrastructure SSAE 16 compliant? Can you share the reports that disclose which procedures received the certification?
- What is your patching policy? Do you apply patches routinely or on a certain day of the week? How do you notify customers when you’re conducting a patch?
Obviously, your decision on which cloud security service provider to choose will depend on the quality of its overall services and, specifically, on your judgment of how secure and protected your environment will be in its hands. That’s why it’s worth the time to conduct a thorough evaluation.
[1] Sage Construction & Real Estate’s 2014 annual survey, April 2014.
Len Whitten is senior director, Cloud Services Product Management, at Sungard Availability Services, a provider of information availability through managed IT, cloud and recovery services.