The allure of the cloud can be hard to resist, especially if you’re hearing about companies saving big bucks or boosting efficiency and service offerings by signing up with a cloud provider.
How does one determine the competency of a cloud provider? Dominic Vogel, a security analyst for a financial organization in Vancouver, B.C., said if you are going to trust a third party to handle your sensitive data or critical applications, “you need to hold their feet to the proverbial fire by undertaking due diligence.”
Image from ShutterStock.com
In a recent blog post on the online technology site TechRepulic.com, Vogel suggests business owners or IT decision makers subject potential cloud providers with a series of questions to probe their “security maturity.”
Are your cloud vendors full of hot air?
SaaS and cloud vendors stumble out of the gate
Here are 10 questions you should ask:
Does the provider have a formal written information security policy?
Companies that have not formalized their information security policy should not be trusted with corporate and customer data, according to Vogel. Security policies form the foundation of a vendor’s security posture, “without it, security is a mere after thought.”
Do external third party contracts need to comply with policies and customer agreements?
If your cloud vendor sub-contracts another provider to handle your information, the first vendor needs to assure you that their partners will comply with the policy and security agreements that were made in your contract. Otherwise, this becomes a weak link in the security of the
Does the vendor have a formal change control process?
Unplanned changes and changes carried out in an ad hoc manner cause downtime and network outages. Make sure you sign up with a vendor that follows a formal change control process.
Does the vendor restrict physical access to servers, network equipment and other data processing equipment?
Ask the vendor about their physical security procedures. If someone else can access your data, then you shouldn’t go with this vendor.
Are secure data destruction processes for sensitive information and IT equipment and media followed?
If the vendor does not properly destroy data from decommissioned equipment, information is placed at risk.
Does the vendor segregate your data from that of other customers?
If a multi-tenanted cloud service database is not segregated and secured, a flaw in one client’s application can provide attackers access to another client’s data. Also check if the vendor is using system-wide administrator accounts with so-called “God access.” Such accounts should be used sparingly and should be monitored
Does the vendor regularly encrypt and test its backups?
Unencrypted backups are insecure. Untested backups are useless, according to Vogel.
Does the vendor regularly test disaster recovery plans?
Well defined disaster recovery plans that are regularly tested and tweaked when needed, will minimize the impact of a disaster on your critical information and business operations.
Will the vendor provide results of a third-party external audit carried out within the past two years?
Organizations that undergo an external audit are more likely to keep their security posture in shape and within an acceptable level. A transparent company confident of its capabilities will have no qualms showing you their audit results.
Will the vendor provide proof of applicable compliance certifications?
Ask vendors to provide proof of their certifications. “If they balk, chances are they’re hiding something,” said Vogel.
Read the whole story here