Wednesday, January 4, 2012

20 Questions to Ask Your Cloud Provider

As soon as you contract with a cloud provider, you should be concerned not only with your own IT security but with the provider's as well. If you're a small or medium-sized business, you may assume the provider's security is superior to your own, and you might be right, but make sure you ask the right questions first. Here are some general questions you should consider asking.
  1. Does the provider take responsibility for the security and integrity of your systems and data, or does it consider them your responsibility? If the latter, which security aspects does the provider still take responsibility for?
  1. Does the provider encrypt data in transit and at rest?
  1. What measures does the provider take to destroy data after it is released by customers?
  1. What security certifications does the provider possess: SAS 70 Type I or II? PCI-DSS? What proof can the provider offer of those certifications? Can you examine the SAS 70 report? How often are its security practices audited, and by whom?
  1. What physical security measures, processes, and monitoring capabilities does the provider have in place to prevent unauthorized access to its data centers and infrastructure?
  1. How does the provider screen its employees and contractors? Do those screening procedures differ at different international locations? How?
  1. Who at the provider’s premises can see your data? What internal controls does the provider have in place to prevent unauthorized viewing, copying, or emailing of customer information?
  1. What is the provider's backup and disaster recovery strategy? How often are incremental backups made? How many copies of your data does the provider store, and where are they stored? How far back do the copies go? How often, and how, does it test its backup and recovery infrastructure?
  1. If the provider stores data in non-U.S. locations, can you specify where you want your data stored? How can it ensure your data will not be stored in other locations?
  1. What notice will the provider offer when it changes its data center locations or security practices?
  1. If the provider uses a multitenant server model, what measures does it take to isolate individual tenants' systems and data from each other?
  1. What visibility will the provider offer your organization into security processes and events affecting your data?
  1. Does the provider have an incident response plan? Can you see it? Does it measure up to your own? Does the provider include your organization in the incident response process?
  1. How do the provider’s identification and authentication systems integrate with your own?
  1. How can the provider ensure compliance with the regulations your company must comply with?
  1. Does the provider offer periodic reports confirming compliance with your security requirements and SLAs? Will it provide reports of attempted or successful breaches of its systems, their impact, and the actions taken?
  1. What is the remediation process if the provider cannot live up to its security obligations? Token compensation may not be enough, as a serious breach can damage some organizations severely or even put them out of business.
  1. What will happen to your applications and data if the provider goes out of business? How can the provider ensure they won’t become the property of creditors?
  1. How does the provider ensure that legal actions taken against other tenants will not affect access to your data?
  1. If you decide to switch providers or take your systems and data in house, what will it take to migrate your systems and data?
By: Leon Erlanger