Top Security Questions to Ask Your Cloud Provider
Published 02/06/2014
When considering a move to the cloud, there are a number of security questions that should be considered as you select a potential cloud provider. Almost all analyst and industry surveys list privacy and data security as a top concern for CIOs and CISOs. Through our years of moving SMBs and large enterprises to the cloud, we've compiled a list of questions to help you determine the level of security a provider offers.
1. What is your data encryption viewpoint, and how do you encrypt data? Do you encrypt data at rest and in transit? Is there an encryption offering, and if so, what level of encryption and what data protection certifications do you currently hold?
2. How do you manage the encryption keys?
3. Do you offer periodic reports confirming compliance with security requirements and SLAs?
4. What certifications for data protection have you achieved?
5. Who can see or have access to my information? How do you isolate and safeguard my data from other clients?
6. What are your disaster recovery processes?
7. What are your methods for backing up our data? What offerings are available to back up data?
8. Where is your data center, and what physical security measures are in place?
9. How do you screen your employees and contractors?
10. What actions do you have in place to prevent unauthorized viewing of customer information?
11. What actions do you take to destroy data after it is released by a customer?
12. What happens if you misplace some of my data?
13. What happens in the event of data corruption?
14. How is activity in my account monitored and documented? What auditing capabilities are provided: admin/management, billing, system information?
15. How much data replication is enough, and what level of data durability do you provide?
16. How much control do I retain over my data?
17. Can I leverage existing credentials and password policies? Do you offer SAML/SSO capabilities for authentication? What types of multifactor authentication are supported?
18. Can I disable access to my data immediately in the event of a breach?
19. Can you continue to provide protection as my workloads evolve? How scalable is the solution, including disaster recovery?
20. How often are backups made? How many copies of my data are stored, and where are they stored?
21. How reliable is your network infrastructure? What certifications do you currently hold for your data centers?
22. What is your current uptime, and what SLA options do you offer? What happens if the SLA is not met?
23. Do you alert your customers of important changes, such as changes to security practices, regulations, or data center locations?
24. What country (or countries) is my data stored in, both on your infrastructure and for backups?
25. Will my needs be served by dedicated instances/infrastructure or shared instances/infrastructure?
26. Will my internal and external incident response resources be able to access your infrastructure in the event of an incident? If not, how will you perform the investigation on my behalf?
27. What third-party security validation can you provide me with? How often do you have external assessments performed?
28. How do you dispose of end-of-life hardware?
29. How do you dispose of failed data storage devices?
30. What is your process for responding to a legal hold request?