Questions to Ask Cloud Providers
Mar 15, 2016
How Can I Tell If a Cloud Provider is Worthy of My Trust?
The benefits of cloud computing are obvious: it eliminates high up-front infrastructure costs, lets you make nimble technology decisions, offers you virtually unlimited storage capacity, and is kept current with regular software updates.
But how can you determine which cloud providers to trust with your data? We've compiled some questions you should ask to determine if a cloud provider is worthy of your trust.
Questions to Ask Cloud Providers
DO YOU HAVE A FORMAL INFORMATION SECURITY PROGRAM?
You need to know that the cloud provider is serious about security. This means that they have more than just written policies in place. They need a full-fledged information security program that clearly outlines exactly how they protect your data. This should include a dedicated team focused on protecting your data and procedures in place for monitoring and responding to incidents.
WHAT PROCEDURES ARE IN PLACE TO FIND AND FIX VULNERABILITIES AND PREPARE FOR INCIDENTS?
If a cloud provider is committed to protecting your data, they will be vigilant about finding weaknesses in their service and fixing them quickly. They should be conducting regular vulnerability scans and several penetration tests a year. On top of managing vulnerabilities, your cloud provider should also have structured security monitoring and response procedures (like file integrity and anomaly detection tools for alerting on abnormalities in the system). That way, they can detect an incident and respond to it accordingly.
WHAT SECURITY STANDARDS DO YOU COMPLY WITH?
At a minimum, your cloud provider should comply with relevant security standards like the CJIS Security Policy and ISO 27001. They should also be able to do more than just say they comply with these standards. Your cloud provider should be able to demonstrate compliance, providing certificates and audit reports when asked.
HOW DO YOU KEEP MY INFORMATION CONFIDENTIAL?
As cloud technologies become more prominent, cloud providers need to encrypt growing amounts of data. But encryption capabilities aren't the only key to your data's confidentiality. You also need to know which people (if any) at your cloud provider can access your data and what tools you'll have to manage user access. Your cloud provider should provide detailed audit logs, so you can clearly see who has done what and when.
HOW DO YOU PRESERVE THE INTEGRITY OF MY INFORMATION?
Your original files should never be altered. Your cloud provider should be able to make that promise, especially for critical data like evidence. You should learn if the cloud service offers chain of custody reports and a deletion workflow that protects against accidental deletion of data.
ARE YOU READY TO REBOUND FROM A DISASTER?
If a disaster occurs, you should expect your cloud provider to weather the storm. Your cloud services should be robustly built and managed to handle any type of emergency. Business continuity and formal disaster management programs are necessary to ensure your data is available even after a disruptive event.
WHAT'S YOUR COMPANY'S TRACK RECORD?
When it comes to trusting a business with your valuable data, reputation matters. Make sure your cloud provider is a company with a sustainable business model and a proven track record of supporting its customers. Evaluate a cloud provider's overall long-term viability, which includes financial health and cash resources, before making any commitments.