10 Security Questions To Ask A Cloud Service Provider
Help the business assess the risks of cloud services with these handy questions.
May 12, 2015
As security teams try to help line-of-business users and other IT practitioners take advantage of cloud benefits as safely as possible, they're increasingly stepping into the role of trusted advisor. The scalability, flexibility, and convenience of software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), and platform-as-a-service (PaaS) offerings frequently come at the cost of added risk to the business. It is up to information security pros to help evaluate potential providers and determine where those risks are coming from.
Dark Reading talked to a number of experts to come up with 10 must-answer questions that security personnel should get the business in the habit of asking before signing a service agreement.
"It's important to help protect against both mistaken and malicious actions -- when users know there is an audit trail, they will act with greater attention to detail, and also be dissuaded from using the platform as a vehicle for an attack. Having an audit trail is also helpful for troubleshooting purposes and root cause analysis."
--Bernard Sanders, CTO, CloudBolt Software
"Understanding that enterprises have to play a critical role in protecting their own data and how that data is accessed, even if leveraging a cloud provider, is critical for risk management. Most cloud providers will require a shared responsibility for security and enterprises cannot assume the provider is liable for data breaches."
-- Rehan Jalil, CEO, Elastica
"Security is only as strong as the weakest link. While it is very common to encrypt the traffic between the customer and the service provider in order to ensure integrity and confidentiality, it is less common for service providers to encrypt intra-server communications within the company's own perimeter. Too often attackers are able to exploit this type of weakness once a single breach in the perimeter has occurred."
--Paul Hill, senior consultant, SystemExperts
"As simple as it sounds, access to logs should be one of the top concerns when evaluating providers. End users are not going to get from a cloud provider the rich log information set that they would get from a server in their own data center, and the organization must carefully consider what information they will and will not obtain from the provider. While some information may not be relevant to the organization, it is possible that other critical pieces might not be revealed, and if necessary the organization should try to negotiate relevant log access early on."
--Rob Ayoub, research director, NSS Labs
"Just like in an internal data center, there will be support staff who will maintain the cloud provider infrastructure. Understand which of these personnel can see your data. What internal controls are in place to prevent unauthorized viewing, copying or emailing of customer information?"
--Danelle Au, vice president of strategy, Adallom
"Penetration testing is a common method used by companies to ensure their systems are well defended from attacks. Cloud service providers that allow customers to perform such testing are willing to be transparent about their security practices and also likely to be confident that their systems are well secured."
--Paul Hill, senior consultant, SystemExperts