2. Who will have access to my data?
Access control is another must-have to settle before any company signs up with a cloud provider. The answer should cover who can reach your data on the provider's side (which of its own staff, under what approval and logging), what protections restrict access to data, which controls your own IT team will be able to enforce (for example role-based access, least privilege and multi-factor authentication), and what the provider does to detect and block unauthorized access.
3. How do you monitor and document activity on my account?
Related to access control, cloud vendors must also be able to explain how they monitor and record what happens within a customer's account: which users access which files and when, who changes settings or permissions, how long those audit records are kept, whether you can export them to your own monitoring tools, how admins are alerted to suspicious activity, and how easily a file or setting can be reverted to a previous version after the fact.
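The following is an added illustration, not code from the original article or from any provider: it takes a few constructed audit events in a generic JSON shape (the field names `ts`, `user`, `action`, `target`, `detail` and `source_ip` are assumptions for this example, not a real vendor's log format) and answers the questions above in code, indexing who touched which files and flagging permission changes, settings changes, deletions and activity from outside an assumed trusted address range. It shows the kind of signal you should expect to be able to pull out of a provider's activity logs.

```python
"""Added example (not from the original article): triage of constructed audit
events -- who accessed what, who changed permissions, and which events an
admin should be alerted to."""
import json
from collections import defaultdict

# Constructed sample events in a generic JSON shape. This is not any vendor's
# real log format; the field names are assumptions for this example.
SAMPLE_EVENTS = [
    '{"ts": "2024-03-01T09:12:03Z", "user": "alice", "action": "file.read", "target": "finance/q1.xlsx", "source_ip": "10.0.4.7"}',
    '{"ts": "2024-03-01T09:15:41Z", "user": "bob", "action": "permission.grant", "target": "finance/", "detail": "public-read", "source_ip": "10.0.4.9"}',
    '{"ts": "2024-03-01T09:16:02Z", "user": "bob", "action": "file.read", "target": "finance/q1.xlsx", "source_ip": "10.0.4.9"}',
    '{"ts": "2024-03-01T22:48:17Z", "user": "svc-backup", "action": "setting.change", "target": "retention.days", "detail": "90 -> 1", "source_ip": "203.0.113.5"}',
    '{"ts": "2024-03-01T22:49:00Z", "user": "svc-backup", "action": "file.delete", "target": "finance/q1.xlsx", "source_ip": "203.0.113.5"}',
]

# Actions that change who can do what, or the service's own configuration.
CONTROL_PLANE_ACTIONS = {"permission.grant", "permission.revoke", "setting.change"}
# Assumed trusted address range for this example: only 10.0.0.0/8 is internal.
TRUSTED_PREFIX = "10."
REQUIRED_FIELDS = {"ts", "user", "action", "target"}


def parse_events(lines):
    """Parse newline-delimited JSON, skipping malformed or incomplete records."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and REQUIRED_FIELDS.issubset(ev):
            events.append(ev)
    return events


def access_by_user(events):
    """Map each user to the sorted list of targets they touched
    (the 'which users are accessing which files' question)."""
    index = defaultdict(set)
    for ev in events:
        index[ev["user"]].add(ev["target"])
    return {user: sorted(targets) for user, targets in index.items()}


def find_alerts(events):
    """Return (ts, reason, event) tuples for activity an admin should hear about."""
    alerts = []
    for ev in events:
        reasons = []
        if ev["action"] in CONTROL_PLANE_ACTIONS:
            reasons.append("control-plane change: " + ev["action"])
        if ev["action"] == "permission.grant" and "public" in ev.get("detail", ""):
            reasons.append("grant makes data public")
        if not ev.get("source_ip", "").startswith(TRUSTED_PREFIX):
            reasons.append("untrusted source address " + ev.get("source_ip", "?"))
        if ev["action"] == "file.delete":
            reasons.append("deletion (confirm a prior version can be restored)")
        for reason in reasons:
            alerts.append((ev["ts"], reason, ev))
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for user, targets in access_by_user(evs).items():
        print(user, "->", targets)
    for ts, reason, ev in find_alerts(evs):
        print(ts, ev["user"], reason)
```

Run as a script it prints the per-user access index and six alerts for the sample events: two for the public-read grant, two for the retention change made from an untrusted address, and two for the deletion that followed it. The point for vendor evaluation is that each of these checks needs a field the provider's logs must actually contain; if the audit trail lacks actor, action, target or source address, you cannot build the alert.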
4. How specifically do you encrypt my data?
Understanding how cloud vendors encrypt your business' data is also essential if you are to be confident it is adequately protected. Ask which algorithms and key lengths are used for data at rest and for data in transit: for data at rest, AES with 128-bit or 256-bit keys is the accepted standard and anything weaker, older or proprietary should be avoided; for data in transit, expect current TLS. Just as important is how they manage their encryption keys: who generates and holds them, whether you can supply or manage your own keys, how and how often keys are rotated, and whether the provider's own staff could use those keys to decrypt your data.
5. What do you do to ensure my data is isolated from other users?
Public cloud providers host your digital assets in large data centers where many customers' data sits side by side on the same servers, so what steps does the provider take to ensure your property is effectively isolated from that of other customers? Make sure the vendor can describe in detail the isolation mechanisms it relies on, at the hypervisor, network and storage layers, so that no other tenant can get their hands on your data.
6. What happens if you lose my data?
Understanding the contingencies a cloud vendor has in place in the event that data is lost, deleted or corrupted is another must. In particular, businesses need to know what level of data durability the provider guarantees, how many backup copies it keeps and where they are stored, how often backups are taken, and how quickly data can be restored after a loss.
7. What steps are in place to manage data migration?
A factor that is often overlooked when evaluating cloud providers is what happens when the relationship ends. At that point the provider will hold huge amounts of critical business data, so it is vital that this can be extracted and migrated to another provider without difficulty. Will data be exported in an open, easily accessible format? How can the task be performed quickly and with minimal disruption? What assurance does the provider give that all of your data, including backups, will be removed from its systems once you leave?
8. Where are your cloud servers physically located?
It is important to understand where your data will be physically stored, as this determines which legal jurisdiction it falls under, which may have an impact on your own compliance. For instance, some countries have laws governing when authorities may access data without the owner's consent, while some data protection rules restrict the countries to which data may legally be transferred.
9. Which responsibilities rest with me and which with you?
Although from a regulatory perspective final responsibility for data rests with its owner, most cloud providers operate a shared responsibility model in which vendor and customer each take on certain duties. It is therefore vital to understand which areas the provider covers, usually the physical facilities and the underlying networking, storage and virtualization infrastructure, and which remain under the customer's management, which typically covers the data itself, user identities and access rights, the applications, and firewall or network access configurations.
10. What guarantees do you offer for uptime?
If you cannot access your data because of a service disruption, you could find your company unable to do business at all. You therefore need to know exactly what uptime guarantees your provider offers and what compensation you should expect if those standards are not met.
This should all be spelled out in your service level agreement, but be aware that even a provider meeting its contractual obligations can still cause you disruption. An uptime guarantee of 99.9% may sound good, but it still allows roughly 8.8 hours of downtime a year (99.99% allows about 53 minutes), something that must be considered if you are running mission-critical applications through the service.
11. What security standards do you have?
The best way to check that a cloud provider is committed to data protection is to ask for its certifications and audit reports. A range of industry standards govern cloud security: ISO/IEC 27001 is the certifiable information security management standard, while ISO/IEC 27002 and the cloud-specific ISO/IEC 27017 are the control guidance a provider should be able to show it follows. As well as checking that the vendor meets recognized standards, ascertain the scope of each certification, to ensure it covers the specific services, data centers and regions you will be using rather than only part of the provider's operations.
Do you need a cloud vendor security policy?
Even if you hand over day-to-day control of your data to a cloud service, you still retain ultimate responsibility for its security. According to Gartner, 95% of cloud security failures will be the fault of the customer rather than the provider, with errors such as poorly configured services among the most common problems.
Many of these issues can be avoided if firms have a clear cloud security policy in place, and a major part of this is having a complete understanding of what protections your cloud provider will put in place, what the limitations of its services are, and what steps to take if you encounter a security breach.
Every business should have a policy it can refer to throughout the procurement and deployment process. This will not only make the operation more efficient, it will also ensure the firm can react quickly to any issues.