Get with IT: How to Assess Cloud Providers

12 questions you should be asking to ensure your data is safe

The old saying goes: Look out for yourself, because no one else will. When it comes to cloud computing, it would behoove you to take this advice to heart. Many of the professionals in management, legal —even IT — assume that if software or services are outsourced to the cloud, then they can wash their hands of any associated responsibilities. The fact is, it is just not that simple.

What many do not yet understand is that cloud service providers are in the business of uptime — not necessarily web or network security. The focus is on keeping the joint running, and that’s really not a problem. The issue is that by handing over the management of your systems and presumably tons of sensitive information to third parties, you now have even more IT complexity to deal with, and more risks to minimize.

For decades, the principle of “trust but verify” has been drilled into our heads; yet, when it comes to the cloud, we get amnesia and assume the “verify” element can be thrown out without any consequences. As much as the lawyers who write up the contracts would like for us to believe that, it is just not true. Outside of the legal realm, there are a myriad of challenges that must be dealt with when things go awry in the cloud. These are challenges that IT professionals understand, because they are the ones responsible for handling them.

The smart approach to cloud computing is to eliminate the problems before they have a chance to progress. Assessing your cloud providers does not need to be complicated. Here are 12 questions you need to be asking — both internally and externally — when choosing a cloud provider:

1. What are they doing beyond SSAE 16 audits and periodic network scans? Both your organization and the cloud provider must be assured that systems are reasonably free of low-hanging fruit such as weak passwords, SQL injection, and other senseless flaws that are often overlooked. Interestingly, this is something that is often ignored.

2. Can you perform your own security testing? Some cloud providers will allow for this, but others will not. For those without good answers who will not allow you to test their systems, you have to wonder what they are trying to hide.

3. What metrics are used to measure performance both within and beyond the boundaries of your SLA? Looking past business continuity, think about system patching, hardening, audit logging and monitoring, and so on.

4. Will your cloud presence be co-mingled with other customer’s information? Co-mingling of systems and information often means that shared servers, databases and web application codes are being used. This means a security breach of someone else’s system can create the same exposure for your organization.

5. Who truly owns the information that will be processed and stored at your cloud provider’s facilities? You need to know your rights for accessing this information when the time comes.

6. How are information classification, retention and destruction handled? Will information linger indefinitely? It is imperative to know who is managing these processes.

7. What will happen with your information if your cloud service provider is acquired? Another aspect to consider is the chance the provider will go out of business.

8. Does your cloud provider operate in the same legal jurisdiction as your organization? State, provincial or international boundaries can have an impact on how compliance and incident response is handled.

9. What recourse do you have if there is a cloud-related security incident that impacts your business? Think about additional security controls that can be put in place on your end to help reduce the impact of security incidents that may arise.

10. Who is responsible for compliance?
This relates to the sensitive information that your third-party cloud provider is now storing and managing. Is your provider capable of handling industry-specific compliance challenges, such as HIPAA and HITECH for healthcare and PCI DSS for retail? Does the provider employ regulatory experts that can help?

This content continues onto the next page...