12 security questions to ask cloud providers

With their small IT departments, small and medium-sized businesses have good reason to be some of the biggest users of cloud services in Canada.

Yet merely handing over functions or picking up cloud services doesn’t transfer an organization’s security risks. SMBs have to carefully ask providers what they will and won’t do before signing on the dotted line. That’s especially true because security is one of the concerns SMBs have when considering a cloud service, according to IDC Canada.

The European Union Agency for Network and Information Security (ENISA) has just issued a 51-page Cloud Security Guide for SMEs, which organizations here will find useful for evaluating network and information security risks.

There are sections that outline not only the network and security advantages, but also the risks, and for each risk there is a series of questions.

For example, the report notes that it is important to understand who is responsible for which software component when using a cloud service. A SaaS provider (such as Microsoft Office 365 or Salesforce) has all the responsibility for preventing software vulnerabilities. However, the customer is responsible for the software in infrastructure or platform (IaaS/PaaS) services, unless there are special arrangements.

Most important is a list of 12 questions CISOs can ask before choosing a provider:

  1. How does the cloud provider manage network and information security risks?
  2. Which security tasks are carried out by the provider, which type of security incidents are mitigated by the provider?
  3. How does the cloud service sustain natural disasters affecting datacentres or connections?
  4. How does the provider ensure that personnel works securely?
  5. How is the physical and logical access to customer data or processes protected?
  6. How do you ensure software security?
  7. How does the provider ensure that personnel works securely?
  8. How is the physical and logical access to customer data or processes protected?
  9. How does the provider ensure that personnel works securely?
  10. How is the physical and logical access to customer data or processes protected?
  11. How is the physical and logical access to customer data or processes protected?
  12. Which national legislation is applicable and which foreign jurisdictions are involved, for instance due to the physical location of datacentres or cables?

The report also points out that not all vulnerabilities are in the hands of the provider. Because cloud computing enables mobility, device security is paramount — and that’s in the hands of the CISO. Similarly, it notes that cloud computing doesn’t eliminate the risks of attacks through phishing and other social engineering tactics.

The report is a useful guide that all CISOs should consider.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
