Here are the top 9 cloud security and compliance considerations that you should ask about when selecting a public cloud provider for your organization.
If you ask a systems administrator at a large corporation what kind of uptime they expect from their data center, you will likely hear “five nines,” or 99.999 percent. This translates to no more than 5 minutes and 35 seconds of unscheduled downtime per year. But uptime is only half of the equation; the other half is security. Will your cloud provider be able to ensure you have the uptime you need, combined with the data security you require, to protect your data?
When discussing data security with a service provider, the conversation generally leads to the service-level agreement (SLA) that promises a given level of uptime, the security protocols followed by the provider, and how the provider will compensate you if these service levels are not met. But an SLA, like an insurance policy, protects you after the fact; it might not describe in detail how your data is protected.
Rather than trying to recover from a security breach, here are nine questions to ask your cloud provider specifically about data security before you sign on the dotted line.
1. What Kinds Of Data Centers Does Your Cloud Provider Use?
Data centers, like everything else in this world, vary based on the priorities of the company running the data center and the needs of their users. A Tier 1 data center has non-redundant components and a single uplink for its servers. A home file server running on a PC might well be considered a Tier 1 data center since there is no redundancy, no multiple links to the Internet and no special heating or cooling; it’s a box that runs programs at the heart of a network.
Tier 2 data centers include everything in Tier 1 but add redundant capacity components so you won’t lose data if your drives fail. At Tier 3, you have everything in Tiers 1 and 2, but you add dual-powered equipment and multiple uplinks. At Tier 4, the most secure level, you have everything already noted plus all components are fault-tolerant, including servers, storage, uplinks, heating, ventilation and air conditioning, and chillers. Everything in the data center is dual-powered.
According to hosting and cloud industry experts, only a Tier 4 data center can guarantee 99.999 percent availability.
2. What Is Your Cloud Provider’s Disaster Recovery Plan?
While many companies are opting for disaster recovery as a service (DRaaS) or using the cloud as part of their own backup strategy, they become increasingly dependent on their provider’s ability to protect their data. Ask your potential cloud provider to either show you their disaster recovery plan or at least explain it in detail. You should know in advance, for example, where your data will reside in case of a catastrophic failure. Know where your provider’s data centers are located and how they protect their own data centers in case of emergency.
Your provider also should show you how they back up your data on an ongoing basis. Make sure your data is being replicated at multiple data centers to ensure your business continuity in case one data center fails.
3. What Compliance Certifications Has The Cloud Provider Earned?
Your company might well be required to meet a variety of federal or industry regulations and you spend a lot of money on compliance. Do you know if your cloud provider also meets those same regulations?
Ask to see certifications that demonstrate your provider meets or exceeds the same requirements your company must meet. Ask to see copies of audits performed on the provider that demonstrate their current compliance, be it for the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), or any other of the myriad regulations your company must meet.
4. What Are The Cloud Provider’s Encryption Policies?
“Storing items under a password in the cloud doesn’t always guarantee they won’t be hacked,” says Tunio Zafer, CEO of pCloud.
Find out in advance your provider’s approach to encryption. Most big cloud storage providers like Dropbox and iCloud use end-to-end encryption where data is encrypted on the sender side and only the receiving party can decrypt it. The intention is to protect the file during transfer, but the files can still be accessed if either end of the service provider is hacked, Zafer says.
Part of the provider’s encryption policy is encryption key management. Ideally you will want to encrypt your data before sending it to the provider and manage the encryption keys yourself. Alternatively, you might opt for a third-party provider to do encryption as a service, making sure your keys are rotated on a regular basis and protected. Letting the cloud provider encrypt your data and manage the keys is dangerous on two levels: you have your keys and your data in the same location, and the data in transit might not be encrypted.
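The approach described above, as an added example that is not part of the original article: data is encrypted locally with AES-256-GCM under a per-object data key, that key is wrapped with a key-encryption key (KEK) the customer keeps, and rotation re-wraps the data key without touching the stored ciphertext. Function names, key IDs and the sample data are assumptions for illustration; the KEKs are generated in place here, where in practice they would come from a key store you control.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// AES-256-GCM with a fresh 96-bit nonce. Output layout: nonce | tag | ciphertext.
function seal(key, plaintext, aad) {
  const nonce = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

function unseal(key, sealed, aad) {
  if (sealed.length < 28) throw new Error('sealed data too short');
  const d = createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(sealed.subarray(12, 28));
  // final() throws if the key is wrong or the data was modified.
  return Buffer.concat([d.update(sealed.subarray(28)), d.final()]);
}

// Encrypt locally under a one-time data key (DEK), then wrap the DEK with a
// KEK that never leaves the customer's side.
function encryptForUpload(keyId, kek, plaintext) {
  const dek = randomBytes(32);
  const data = seal(dek, plaintext, Buffer.alloc(0));
  const wrappedDek = seal(kek, dek, Buffer.from(keyId)); // key ID bound as AAD
  return { keyId, wrappedDek, data }; // only this object goes to the provider
}

function decryptDownload(env, kek) {
  const dek = unseal(kek, env.wrappedDek, Buffer.from(env.keyId));
  return unseal(dek, env.data, Buffer.alloc(0));
}

// Rotation re-wraps the DEK under a new KEK; the bulk ciphertext is untouched.
function rotateKek(env, oldKek, newKeyId, newKek) {
  const dek = unseal(oldKek, env.wrappedDek, Buffer.from(env.keyId));
  const wrappedDek = seal(newKek, dek, Buffer.from(newKeyId));
  return { keyId: newKeyId, wrappedDek, data: env.data };
}

// Constructed sample: hypothetical key IDs, KEKs generated in place.
const kek2023 = randomBytes(32);
const kek2024 = randomBytes(32);
const env = encryptForUpload('kek-2023', kek2023, Buffer.from('customer ledger (constructed sample)'));
const rotated = rotateKek(env, kek2023, 'kek-2024', kek2024);
console.log(decryptDownload(rotated, kek2024).toString());
```

Because the provider only ever stores the envelope, a compromise on its side exposes ciphertext and a wrapped key, not the KEK needed to open them.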
5. How Is My Data Isolated From Other Clients’ Data?
There is a big difference between the cloud and a traditional hosted service, where your data can be stored on a client-owned server that resides physically at a provider’s site. In the hosted model, your server is segregated physically from other servers and security protections can be assigned to that specific server. In the cloud, your data can be protected by storing it in various locations to ensure you have multiple copies in case a single server fails. The cloud also makes it possible to move data from server to server for load-balancing so that you get your data as you need it. The drawback, however, is that your data is essentially in a multitenant environment.
Make sure you understand how your provider approaches virtual machine security and what defenses are in place so that one tenant on the server is not able to breach another account by breaking through the hypervisor.
Additionally, in multitenant environments a government subpoena for one tenant can put the other accounts on that physical server at risk of being accessed by government agencies. The cloud offers benefits in that it permits data to be moved from server to server, but understanding the security protocols in place for each server, based on the provider’s written policies and procedures, can increase your due diligence.
6. Can I Use My Existing ICAM Software To Control Cloud Access?
Some cloud providers allow companies to use their existing identity, credential and access management (ICAM) policies to access cloud data, while others use their own access management approach. If you already have an ICAM protocol in place, you will likely want to use that rather than creating a second, parallel system just for the cloud.
Identity as a Service (IaaS, not to be confused with infrastructure as a service) is becoming more commonplace as enterprises move applications to the cloud. Today, vendors offer services for IaaS, single sign-on (SSO), multifactor authentication, Active Directory migration, password resets and provisioning for cloud-based applications such as Office 365. While service providers will debate the return on investment and other benefits of cloud- versus on-site-based ICAM, the client company needs to understand the differences based on its own security profile.
7. How Is Activity In My Account Monitored & Documented In Log Files?
Audit trails are essential for tracking and identifying potential breaches. While companies are able to select their own tools for monitoring and auditing internal networks, that is not always the case for cloud-based data centers. Make sure you know up front if you can use your own tools to monitor and audit your cloud-based data or how your provider will perform those tasks for you. Have the provider put in writing its policies and procedures for monitoring and documenting access by user and by application so that you can ensure only authorized users are accessing your information.
8. Can I Visit A Data Center And Do My Own Inspection?
A personal visit by the chief information security officer (CISO) or IT manager can unveil a lot of information not generally discussed during a negotiation. For example, look for doors that are open that should be locked, such as doors exiting the building. Look for servers or network equipment that are out in the open and accessible to employees who should not have access to that hardware. For example, if the lunchroom is open to the servers without a security fence or other physical security barrier, your data is more vulnerable than a data center with better physical security in place. Also, look for other physical security measures, such as cameras, badges on employees, or gated entries. And if you see PCs in the building with USB ports that non-employees can access, make sure those systems are not connected to the network.
9. What Must I Know In Case I Decide To Change Cloud Providers?
If past is prologue, we can expect to see more cloud providers either go out of business or merge with other providers in the future. When cloud providers fail, your company might not have a lot of notice of the closure, as was the case in 2013 when Nirvanix shut its doors and gave its customers just two weeks’ notice to download and move all of their data.
Ask to see if your provider has a written plan that will assist you in the steps you will need to take to move your data from their cloud to another provider. Find out in advance what extra charges you might face if you decide to change providers. And make sure that your data is presented back to you in a format you can access.
What other security-related questions should you ask a potential cloud provider? Let us know your thoughts in the comments section below.