The allure of the cloud can be hard to resist, especially if you’re hearing about companies saving big bucks or boosting efficiency and service offerings by signing up with a cloud provider.
How does one determine the competency of a cloud provider? Dominic Vogel, a security analyst for a financial organization in Vancouver, B.C., said if you are going to trust a third party to handle your sensitive data or critical applications, “you need to hold their feet to the proverbial fire by undertaking due diligence.”
In a recent blog post on the online technology site TechRepublic.com, Vogel suggests that business owners and IT decision-makers put a series of questions to potential cloud providers to probe their “security maturity.”
Here are 10 questions you should ask:
Does the provider have a formal written information security policy?
Companies that have not formalized their information security policy should not be trusted with corporate and customer data, according to Vogel. Security policies form the foundation of a vendor’s security posture; “without it, security is a mere afterthought.”
Do external third-party contracts need to comply with policies and customer agreements?
If your cloud vendor subcontracts another provider to handle your information, the first vendor needs to assure you that its partners will comply with the policy and security agreements made in your contract. Otherwise, this becomes a weak link in the security of the
Does the vendor have a formal change control process?
Unplanned changes and changes carried out in an ad hoc manner cause downtime and network outages. Make sure you sign up with a vendor that follows a formal change control process.
Does the vendor restrict physical access to servers, network equipment and other data processing equipment?
Ask the vendor about their physical security procedures. If someone else can access your data, then you shouldn’t go with this vendor.
Are secure data destruction processes for sensitive information and IT equipment and media followed?
If the vendor does not properly destroy data from decommissioned equipment, information is placed at risk.
Does the vendor segregate your data from that of other customers?
If a multi-tenant cloud service database is not segregated and secured, a flaw in one client’s application can give attackers access to another client’s data. Also check whether the vendor uses system-wide administrator accounts with so-called “God access.” Such accounts should be used sparingly and should be monitored.
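The segregation point above is easiest to see in code. The following is an added example written for this article, not code from Vogel's post or from any vendor: an in-memory stand-in for a shared multi-tenant database (the store, the tenant names and the audit event names are all constructed) that contrasts an id-only lookup, which lets a bug in one client's application reach another client's row, with a read that always applies the tenant bound to the authenticated session. The unscoped administrator path is kept separate, requires a privileged session and a stated reason, and writes an audit event so that use of "God access" can be monitored rather than assumed.

```go
package main

import (
	"errors"
	"fmt"
)

// Record is one row in a shared database; TenantID is the segregation key.
type Record struct {
	ID       int
	TenantID string
	Payload  string
}

// Session carries the tenant fixed at authentication. Handlers take the tenant
// from here, never from request parameters the client controls.
type Session struct {
	User       string
	TenantID   string
	Privileged bool // operator account with unscoped ("God access") rights
}

// Store is a constructed in-memory stand-in for a multi-tenant database. Audit
// holds the events a monitoring pipeline would consume.
type Store struct {
	rows  []Record
	Audit []string
}

var ErrNotFound = errors.New("not found")

// GetUnscoped is the flawed pattern: the row is selected by id alone, so a bug
// in one client's application (or a guessed id) reaches another client's data.
func (s *Store) GetUnscoped(id int) (Record, error) {
	for _, r := range s.rows {
		if r.ID == id {
			return r, nil
		}
	}
	return Record{}, ErrNotFound
}

// Get is the segregated read. The tenant filter is applied on every lookup, a
// cross-tenant hit is reported to the caller exactly like a missing row (so the
// response does not confirm that the id exists), and the attempt is audited.
func (s *Store) Get(sess Session, id int) (Record, error) {
	for _, r := range s.rows {
		if r.ID != id {
			continue
		}
		if r.TenantID != sess.TenantID {
			s.Audit = append(s.Audit, fmt.Sprintf(
				"SEGREGATION_VIOLATION user=%s tenant=%s requested_id=%d owner=%s",
				sess.User, sess.TenantID, id, r.TenantID))
			return Record{}, ErrNotFound
		}
		return r, nil
	}
	return Record{}, ErrNotFound
}

// AdminGet is the only unscoped path. It requires a privileged session and a
// stated reason, and writes an audit event so that use of the account can be
// monitored rather than silently trusted.
func (s *Store) AdminGet(sess Session, id int, reason string) (Record, error) {
	if !sess.Privileged {
		return Record{}, errors.New("privileged session required")
	}
	if reason == "" {
		return Record{}, errors.New("a reason is required for unscoped access")
	}
	s.Audit = append(s.Audit, fmt.Sprintf(
		"ADMIN_READ user=%s id=%d reason=%q", sess.User, id, reason))
	return s.GetUnscoped(id)
}

// SeedStore returns a store with constructed rows for two tenants.
func SeedStore() *Store {
	return &Store{rows: []Record{
		{ID: 1, TenantID: "acme", Payload: "acme payroll export"},
		{ID: 2, TenantID: "globex", Payload: "globex customer list"},
	}}
}

func main() {
	s := SeedStore()
	acme := Session{User: "alice", TenantID: "acme"}

	r, err := s.GetUnscoped(2)
	fmt.Println("unscoped read of another tenant's row:", r.Payload, err)

	_, err = s.Get(acme, 2)
	fmt.Println("scoped read of another tenant's row:", err)
	for _, e := range s.Audit {
		fmt.Println("audit:", e)
	}
}
```

Returning the same "not found" error for a cross-tenant hit and a genuinely missing row is deliberate: the caller learns nothing about other tenants' ids, while the audit event gives the operator the signal to alert on. In a real deployment the tenant filter would be enforced in the data layer (for example, a mandatory tenant column in every query or row-level security) so that no handler can forget it.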
Does the vendor regularly encrypt and test its backups?
Unencrypted backups are insecure. Untested backups are useless, according to Vogel.
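Both halves of that question can be checked mechanically. The following is an added example written for this article, not code from Vogel's post or from any provider: it encrypts a backup with AES-256-GCM from the Go standard library, records a digest of the plaintext at backup time, and then performs the "test" step by actually restoring the backup and comparing the result with that digest. The sample data, the key handling and the `Backup` structure are constructed for the example; a real key would come from a key management service rather than live next to the backup.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Backup is the artefact the vendor stores: AES-256-GCM ciphertext, the nonce
// used, and a digest of the plaintext recorded at backup time for the restore test.
type Backup struct {
	Nonce       []byte
	Ciphertext  []byte
	PlainSHA256 string
}

// newGCM builds the AEAD for a 32-byte key (constructed helper).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// MakeBackup encrypts data under key and records the plaintext digest.
func MakeBackup(key, data []byte) (Backup, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Backup{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Backup{}, err
	}
	sum := sha256.Sum256(data)
	return Backup{
		Nonce:       nonce,
		Ciphertext:  gcm.Seal(nil, nonce, data, nil),
		PlainSHA256: hex.EncodeToString(sum[:]),
	}, nil
}

// Restore decrypts a backup. GCM authenticates the ciphertext, so a wrong key
// or any modification of the stored bytes fails closed instead of yielding garbage.
func Restore(key []byte, b Backup) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
}

// VerifyBackup is the "test your backups" step: perform a real restore and
// compare the result with the digest taken when the backup was made. It
// returns nil only when the backup can actually be restored intact.
func VerifyBackup(key []byte, b Backup) error {
	data, err := Restore(key, b)
	if err != nil {
		return fmt.Errorf("restore failed: %w", err)
	}
	sum := sha256.Sum256(data)
	if hex.EncodeToString(sum[:]) != b.PlainSHA256 {
		return errors.New("restored data does not match the digest recorded at backup time")
	}
	return nil
}

func main() {
	key := make([]byte, 32) // in practice fetched from a KMS/HSM, never stored with the backup
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	data := []byte("constructed customer table dump") // constructed sample input

	b, err := MakeBackup(key, data)
	if err != nil {
		panic(err)
	}
	fmt.Println("fresh backup verifies:", VerifyBackup(key, b))

	// Simulate bit rot or tampering in storage: the restore test must catch it.
	b.Ciphertext[0] ^= 0x01
	fmt.Println("corrupted backup verifies:", VerifyBackup(key, b))
}
```

The point of `VerifyBackup` is that it exercises the same code path a real recovery would, including the key retrieval; a backup job that only reports "upload succeeded" has not shown that the data can come back. Running it on a schedule against the stored copies, and alerting on a non-nil result, is what "regularly tests its backups" looks like in practice.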
Does the vendor regularly test disaster recovery plans?