5 Questions to Ask Your Cloud Vendor About Security


It seems fair to say that security is never far from an IT executive’s mind, so the results of a recent survey focusing on enterprise cloud computing were particularly surprising.

While 82 percent of the organizations that responded to the survey either plan to or already have moved sensitive or confidential data into the cloud, a full 39 percent believe cloud adoption has decreased their companies’ security posture. 

Not only that, but 64 percent of those with sensitive data in the cloud believe it’s the cloud provider’s responsibility to protect it, yet nearly two-thirds have no idea what their cloud providers are actually doing in order to keep that data safe, the survey found.

Dubbed “Encryption in the Cloud,” the global study of 4,000 business and IT managers was conducted by the Ponemon Institute for Thales e-Security. Representatives from both firms will present results from the study at a webinar on Tuesday, Sept. 25. 

Five Things to Ask

One interpretation of the data is that “for many organizations the economic benefits of using the cloud outweigh the security concerns,” as Larry Ponemon, chairman and founder of the Ponemon Institute, suggests.

Another possibility, however, is that companies’ inherent security-mindedness simply hasn’t yet caught up with their haste to begin taking advantage of the cloud.

In either case, John Howie has a few suggestions. Focusing in particular on public cloud providers, Howie — who serves as chief operating officer for the Cloud Security Alliance — suggests that companies ask vendors the following five questions.

1) ‘Show me your certifications and attestations.’

This one “isn’t so much a question as a demand,” Howie told Linux.com. “What I’m looking for is a 27001 certificate, hopefully with a statement of applicability.”

Such certificates are awarded to organizations that have gone through an accredited certification process in line with the ISMS standard ISO/IEC 27001:2005. In other words, “this is proof that they’re running an information security management system that meets or exceeds the goals” of the standard, Howie notes.

Howie also says companies should expect to see a Service Organization Control (SOC) 2 Type 2 report. In addition, depending on the industry, they may also want to see proof of the provider’s compliance with the Payment Card Industry Data Security Standard (PCI DSS) or other niche-specific requirements.

Bottom line: “If you can’t show me those, I’m walking away,” Howie said.

2) ‘Share with me details of past incidents in your cloud and how you handled them.’

In other words, this is a way to see what the provider’s incident-response process looks like, Howie explained.

“Many won’t tell you about specific incidents, but they will share their process,” he noted.

Either way, that’s key information for a prospective consumer of the cloud service. “If I feel I have been hacked, this will tell me how do I respond, how do I work with them for investigation, etc.,” he explained.

First and foremost, you want to know that the provider has such a process in place and has used it before, Howie said.

3) ‘Where exactly is my data going to run from?’

On this point it’s not a street address that you’re looking for, “but you do need to know where your data and apps service will run from,” Howie pointed out.

That’s primarily because of the region-specific regulations and tax implications that may affect you. “At the end of the day, the [cloud service] consumer is responsible for compliance,” he added.

4) ‘What is your program for business continuity and disaster recovery?’

In particular, companies need to know whether they will be responsible for such functions themselves, or whether their provider has a mechanism in place.

For Infrastructure as a Service (IaaS) platforms such as what Amazon offers, it’s typically the cloud service consumer’s responsibility, Howie noted, though many corporate users don’t realize that.

For Software as a Service (SaaS) such as hosted mail or unified communications, however, it’s generally the cloud provider’s responsibility. In that case, you’ll want to hear the vendor confirm that they’ll do the failover as well as details such as how long it will take and where your data will get moved when that happens, Howie explained.

For Platform as a Service (PaaS) offerings, meanwhile, the answer to this question will vary depending on how the service is managed and run, he added. 

5) ‘What kind of service-level agreement (SLA) do you offer?’

Last but not least, Howie advises companies to ask for the details of the provider’s service-level agreement (SLA) or terms and conditions, in particular its uptime and privacy commitments.