"Are you secure?" doesn't cut it when it comes to cloud computing. The complexity of cloud security demands detailed and varied questions to clarify just how robust a service is. These questions aren't always asked by customers, and that's frequently because they just don't know of them. As a start, take a look at these four questions which you should ask your existing or potential cloud provider.
1. What security certifications do you have?
Certifications are externally ratified acknowledgments that your cloud provider adheres to best practice security. The one to look out for is the ISO27001 which is a voluntary, international best practice standard relating to information security. Since it's voluntary, it's an immediate signal that the provider you are dealing with takes security very seriously. It's not cheap to undertake the ISO27001 process, so it's a good indicator that your provider genuinely cares about security.
The certificate doesn't tell a company how to implement security, rather it defines goals that a company has to achieve in order to attain and retain the certificate. If you want the nitty-gritty details as to what getting the certificate involves take a look at the layman's guide to ISO27001.
In summary, it means that every employee will be properly trained to treat any data they handle in an appropriate way to keep it safe, and that the business as a whole fully understand potential risks to all data and have proper contingency plans in place should the data be put at risk.
2. Do you own your data centre infrastructure?
There are really several questions you should ask a provider about data centres, but whether they own their data centre infrastructure or not is a big one. A lot of cloud providers are simply reselling a service and therefore don't have access to or control over what happens in the data centre. Sure, the company that owns the data centre might have all the security credentials, but you need to find this out. Otherwise you are trusting a cloud provider to choose a data centre owner for you. In essence, the provider acts as a middle man, and when it comes to data security, a middle man adds extra risk that you just don't need. If your cloud provider owns the hardware used in the data centre then it should have access to it all times.
A provider should be able to tell you the geographical location of their data centres, how many they use, what tier of data centre they provide and how often they are backed-up.
3. What is your disaster recovery process?
A disaster recovery process is an outline of the chain of events that will happen in the aftermath of a disaster. In this context a disaster refers to a natural disaster like a hurricane or storm, or a human disaster, like a grievous error or a severe hack.
A provider should be able to outline a comprehensive disaster recovery plan in simple terms so that you know what will happen should anything go wrong. There are several processes that you should be informed about:
- A high level overview on the process from start to finish of restoring services in the event of a major (more than 8 hours) outage.
- The process for rebuilding a server from backup should the server become corrupted.
- The process for resolving any data changes or disruptions from end users.
4. Do you encrypt all of your data?
Encryption is a really important part of data security and cloud providers should encrypt all data going out of the cloud so that information is protected when it is being used on multiple devices.
You also need to find out about how encryption keys are handled. Encryption keys or passwords decode the encrypted data, so they need to be kept very secure too.