Ask These Due Diligence Questions to Ensure Security in the Cloud
Choosing a Cloud Service Provider (CSP) can be a daunting process, especially given the current threat landscape. Even as cloud adoption continues to increase, security remains a major concern in the decision to move to the cloud. According to Crowd Research Partners' 2017 Spotlight Report on Cloud Security, 81% of organizations are concerned about security in the cloud, and the report concluded that security risks are the single biggest barrier to cloud adoption. Selecting the right CSP can help alleviate those concerns; the ideal provider is transparent about its service terms and security practices. Immedion's Director of Network Engineering, David Johnson, presented "Securing the Cloud" at Cincinnati's comSpark Innovation Tech Summit held last week. He recommended asking the following due diligence questions to evaluate which provider is the best fit for keeping your data secure in the cloud:
What does your service-level agreement (SLA) commit to?
A clear SLA establishes the roles and responsibilities of you and the provider. Its terms should state, in measurable form, whether the provider can meet your performance, availability and data-protection requirements: uptime targets and how they are measured, recovery time and recovery point objectives for your data, and the remedies if a target is missed. Make certain that the controls the provider has in place match the level of security and availability you require, and that the SLA spells out which controls are the provider's responsibility and which remain yours.
How do you ensure data segmentation?
Segmentation is the practice of separating trusted from untrusted data and systems. In a multi-tenant cloud it means the provider must enforce isolation between client environments so that one tenant cannot read, modify or interfere with another tenant's data or traffic. Appropriate isolation may require mechanisms at several layers: the network (separate virtual networks, VLANs or per-tenant firewall rules), the operating system or hypervisor (separate virtual machines or containers with their own storage volumes) and the application (tenant-scoped authorization on every request in a shared application). Ask the provider to document how isolation is enforced at each layer, how it is tested (for example, whether its penetration tests include cross-tenant access attempts) and whether dedicated or single-tenant options are available for your most sensitive data. The provider should commit to that isolation in writing rather than leave it as an assumption.
Do you explicitly retain ownership of your IP, including the data?
Clarify the ownership of and rights to intellectual property between you and the provider so that your rights are not diminished by the terms of service. A contract for cloud services should include clear language affirming your ownership of your data, including backups, derived data and any metadata the provider generates from it, and should limit the provider's rights to use, analyze or share that data to what is needed to deliver the service.
Can data be easily retrieved and downloaded in a usable, non-proprietary format?
Find out what the CSP's process is for retrieving your data, both during the contract and upon termination of service, so that you can ensure its availability when you need it. Check which formats are offered (standard, documented formats such as CSV, JSON or XML, or the native formats of the software you use, rather than a format only the provider's tools can read), whether bulk export is self-service or requires a support request, how long a full export takes and what it costs, and whether exported backups are encrypted with keys you control. A successful trial export is the practical test of the ownership clause above.
If SaaS, is stored data encrypted?
Encryption is one of the most effective data protection methods. If going the SaaS route, choose a provider that encrypts stored data as part of its internal controls; this adds a layer of protection against theft or exposure of the underlying storage media. Ask what is encrypted (primary databases, file storage, backups and logs), which algorithms are used (AES with 256-bit keys is the common baseline) and, most importantly, who holds and manages the keys. Provider-managed encryption at rest protects against lost or stolen disks but not against a compromised provider account or a malicious insider at the provider; if that matters for your data, ask whether the service supports customer-managed keys. Confirm that data is also encrypted in transit with TLS, both between your users and the service and between the provider's own components.
Are you audited for compliance (SOC 2, PCI DSS, HIPAA)?
For a highly regulated organization, a provider audited for compliance is critical. A CSP should be able to show you its security and performance controls in the form of audit reports. A SOC 2 Type II report is often viewed as the standard for service providers. It covers the provider's controls against the Trust Services Criteria (security, and optionally availability, processing integrity, confidentiality and privacy) and, unlike a Type I report, includes an auditor's assessment of how effectively those controls operated over a review period, typically six to twelve months. Read the report rather than relying on the badge: check which criteria and which systems are in scope, the report date and period, and any exceptions the auditor noted. SOC 2 does not substitute for other requirements. PCI DSS compliance is assessed separately, and a provider that handles cardholder data should supply its Attestation of Compliance and a responsibility matrix showing which PCI DSS requirements it covers for you. HIPAA has no formal certification; what you need from the provider is a signed Business Associate Agreement and evidence that its controls meet the HIPAA Security Rule.
Is data immediately deleted upon termination of service?
You should account for the possibility that you may want to switch providers in the future. The provider should define how long your data remains accessible after termination of a contract (so that you have a window to export it), when it is deleted after that window, and whether deletion also covers backups and replicas, which often persist on a separate retention schedule. Ask what sanitization method is used (for example, one aligned with NIST SP 800-88) and whether you can obtain a written certificate of destruction. Immediate deletion is not always what you want; a short, defined retention period followed by verified deletion is the safer arrangement.
When it comes to security in the cloud, responsibility is shared: the CSP secures the infrastructure it operates, and you remain responsible for the configuration, identities and data you place on it. It is your responsibility to focus on the basics and make sure that your CSP's environment can provide the level of security you are looking for. We recommend completing this due diligence with a Cloud Service Provider before migrating, and putting the answers in the contract rather than relying on verbal assurances. Download our Cloud Provider Checklist for more guidance on evaluating potential cloud providers.