In business today, failure to encrypt any or all content places your organization at rick of punitive action from regulatory bodies—both local and regional – in the event of a breach. The need to encrypt all data in transit and at rest is a given. However, when different cloud service providers have their own, differing approach to security, it can have a direct bearing on your business. Therefore, your choice of a vendor plays a crucial role in the success of your IT security policy and strategy; in fact, it has a far-reaching impact on data privacy, compliance, accessibility, integrity and security.
Understanding a cloud providers’ approach to security on critical business factors and weighing it against your business need plays an important role in the success of any vendor engagement. Questioning the providers on their approach during your negotiations helps you get a clearer picture on a range of issues—from helping to defend against violations and creating new business opportunities, to fostering competitive advantages and serving new customer segments or geographies. Remember, your IT security policy needs to fit your larger business strategy.
Businesses in their haste to move to the cloud often fall for untested cloud architecture, or even an unproven cloud service provider, or CSP – often failing to make sure the CSP’s capabilities fit their own business strategy needs. A prudent first step when you meet a prospective cloud provider is to find out whether they have customers of similar profile to yours on their platform. Perchance the cloud service provider may open up and demonstrate some best practices that meet your needs, giving you some references as well. It is a common mistake to assume that only a large, established cloud vendor will be able to meet your requirements. You’d be surprised to know that there are many small, up-and-coming cloud providers delivering a higher level of service than the big players do. And, with a much greater focus on security.
Given the challenges involved in choosing a cloud service provider, asking the right questions and digging out the answers can directly impact your business and set matters at rest. Here are some pertinent questions you can ask your vendor:
1. What is your data encryption standard?
- Make sure that they use 256-bit Advanced Encryption Standard (AES) SSL for data in transit and at rest.
2. How do you manage encryption keys?
- Find out whether the vendor provides for both physical and logical separation of the encryption keys and the encrypted data.
- Check if they have separate data centers for providing segmented access, enabling it on an as-needed basis.
- Find out who owns and manages the keys.
3. What certifications for data protection have you attained?
- Cloud providers should be FISMA-certified (indicating a high level of commitment to data security)
- Cloud providers should also be certified for compliance with various regulations (e.g. EU-GDPR).
- Cloud providers must also divulge details pertaining to data disposal and recovery.
4. What level of data durability do you provide?
- Verify if the cloud provider stores all files in triplicate at several geographically dispersed data centers, synchronizing them automatically and instantaneously.
- If so, do they have geo-fencing on their encryption management?
5. How much control do I retain over my data?
- It would be best to retain end-to-end, lifecycle control of your data—from storage to disposal.
- Make sure that the cloud provider can easily enforce your data retention policies.
- Also, look for the ability to remotely wipe any user account in the eventuality of a device being lost or stolen.
- Ask for a detailed plan that defines the course of action in case data is in the wrong place, due to error or malicious intent.
6. How do you ensure endpoint security?
- While the cloud service provider has no control over the security mechanisms of endpoint devices, the cloud provider can provide a robust firewall service that prevents communication with any non-authenticated source or storing information in an unencrypted format.
7. Can I leverage existing credentials and password policies?
- Leveraging existing accounts and working with pre-existing password policies and advanced configurations such as two-factor authentication, helps to reduce the risk involved.
8. How do you isolate and safeguard my data from that of other clients?
- Get a detailed description of cloud provider’s use of virtualization technology, which makes it possible to encapsulate multiple types of data, applications, and content within the same physical server.
- Do they have a clear and defined process for prevention of side attacks?
9. How do you monitor and document the activity in my account?
- Your cloud provider should be able to provide an audit trail with full change tracking for changes occurring in an account, with previous versions retained, so that you know who is making changes and what those changes are.
10. Can you continue to provide protection as my workloads evolve?
- Your cloud provider should be able to accommodate your business’ volume growth, spikes in demand for service, and unmitigated performance.