If you are migrating to the cloud, you have to thoroughly scrutinize the security protocols of the provider you choose. No matter how much of your digital presence is in the cloud, you have to ensure your service provider has the best security measures in place to protect its infrastructure from the current cyber threat landscape.
According to the National Institute of Standards and Technology (NIST), cloud computing is, “A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
While this ubiquitous connectivity to resources is what makes cloud computing so convenient, it is also what makes such systems potentially vulnerable to attacks. Therefore, the cloud provider has to take the issue of security as one of the most critical components of its overall operations.
Cyber Security Questions to Ask Your Cloud Service Provider
Assuming the service provider has checked all the other boxes for your cloud computing needs, here are some important security questions you should ask to complete your vetting process.
What Types of Data Centers do you Use – and How Many?
The type of data center, (Tier 1, 2, 3, 4) will determine the service level agreement (SLA) it can provide. Tier 4 data centers are the most secure, requiring fault tolerant equipment including servers, storage, uplinks, heating, chillers and more. The availability guarantee for Tier 4 is 99.995 percent uptime, followed by 99.982 percent uptime for Tier 3, 99.749 percent uptime for Tier 2, and 99.671 percent uptime for Tier 1.
In addition to the types, find out how many data centers the company uses. The more redundancies it has, the better your chances for ensuring the safety of your data and rapid recovery.
What Certifications do you Currently Hold for your Data Centers?
Your business might have to comply with the Health Insurance Portability and Accountability Act (HIPAA,) Sarbanes-Oxley Act (SOX), Payment Card Industry Data Security Standards (PCI DSS) or other regulations. Make sure the service provider you choose has compliance certifications in the areas critical to your business. Ask to see certifications and audits of compliance.
How Reliable is your Network Infrastructure?
In addition to security, you need to ask about the reliability of the connectivity between you and the vendor’s network. What is its availability, traffic throughput (such as bandwidth), latency and packet loss? Knowing the answers to these questions will let you know how quickly you can access the resources you need when you need them.
What is Your Disaster Recovery Plan?
Your service provider must have a disaster recovery plan designed to minimize the downtime of its operations. Make sure to ask what the plan is. This will also let you know where the company stores your data in the event of a breach or a major disaster.
Do you have Formal Written Information Security Policies?
If a service provider has formalized security policies, they should be able to produce a written out version of those policies for your inspection. A well written policy backed by quality SLAs is a good indicator of the security program’s maturity.
What Happens if the Business Folds or Merges With Another Company?
Ask for a written plan dealing with the solvency of the company, whether it goes out of business or is part of a merger and acquisition. This includes time tables for transferring all of your data. While on the subject of transferring data, you should also ask about the policy for changing to another provider.
How is Your Physical Security?
A data center is only as good as it physical security. If anyone can easily access the center, it means the servers can be compromised. Ask about the type of physical security in place at the data centers your service provider uses. That security should be in place 365 days of the year.
How do you Dispose of End-of-Life Hardware and Failed Data Storage Devices?
This is a question that might be overlooked, but remember you are responsible for the data that was given to you by your customers. The disposal process must be thorough and absolute. This means there is no chance of anyone using the discarded products to retrieve the data within them.
Some of the other questions you can ask here might include:
- What are your encryption policies?
- How isolated is my data?
- How are account activities monitored and documented?
- Can I visit the data center?
- Do third-party external contractors have to comply with policies and customer agreements?
By all means these are not the only questions you might ask, so be as thorough as you need to be to ensure the security of your data.
It is Your Reputation on the Line
Depending on how much of your operations you have migrated to the cloud, the cloud service provider will have key operational assets of your organization. If for any reason the vendor fails to provide the service as promised, your reputation is on the line. So don’t hesitate to ask any question which might compromise what you have worked so hard to build.
For more on how cloud-based services can help your business, contact Meylah today.