Cloud Security Questions and Considerations to Ask the Cloud Service Provider
February 26, 2016
The Best Practices for Choosing and Evaluating Cloud Service Providers (CSPs) for Security
The sole responsibility for security should not fall on the Cloud Service Provider (CSP). To ensure the overall effectiveness of your organization’s cyber security plans and systems, follow these best practices for choosing and evaluating a CSP’s security readiness.
1. Evaluate the CSP’s Track Record and Stance on Security
Before signing an agreement with a CSP, review their attention to security. During this consideration phase, obtain a comprehensive picture of the security measures the CSP employs, as granular as you want to see.
Ascertain their overall attentiveness to security. What measures do they take to address customer concerns and report on the evolving state of their security practices? To put it plainly: how do they protect your data, and how do they communicate these matters to your points of contact?
Proceed with caution if their representatives balk when answering these inquiries. Transparency, especially with cyber security and communication, proves essential to a healthy relationship with a CSP.
2. Transparency
Are they transparent about their security practices, risk assessments, incident response, and relationships with independent security teams or contractors? The level of transparency you require depends on your comfort with and trust in the CSP. If the CSP passed the first test above and demonstrated its security reliability through trusted clients and other evidence, you may not need or want to know every component of its security measures, processes, or assessments.
Find the balance between what you need to know and what the CSP is willing to share. You may not need every detail, but a number of security practices require the consumer's cooperation and attention, such as vulnerability scanning and patching, data breach notification, and incident response steps.
3. Security Controls
Do they provide enough information on their security controls for you to compare them against your own internal controls? Security on both ends, consumer and CSP, must align to a reasonable extent. History points to human negligence as the root cause of a large share of data breaches, so this comparison is imperative to maintain sound security awareness on your side.
4. Security Standards and Practices
Does the CSP use secure coding practices, security standards, and products that are subject to independent evaluation?
Previous TechRoots blog posts emphasize the utmost importance of independent penetration testing. Trusted independent contractors or companies are critical for testing applications, systems, and overall infrastructures.
5. Review the CSP’s Security Policies and Service Level Agreement (SLA)
Reviewing these details is more than a formality. Vigilant security professionals cannot afford to relax in a cyber landscape that is rapidly evolving with new attacks and new tools to combat them. When reviewing the security policies and SLAs, ask yourself these questions:
- For access management, do they rely solely on a username/password login, or do they offer additional authentication factors such as SMS one-time codes, digital certificates, biometrics, password cards, or physical tokens? (Of these, SMS codes are the weakest; certificates or hardware tokens are preferable for privileged access.)
- Does the CSP permit ethical hacking and penetration testing?
- Does the CSP provide a security architecture diagram that shows how environments are segregated by firewalls, and which antivirus and intrusion detection solutions are deployed?
- Do they outline how duties and roles are segregated among individuals at the CSP? Is logical and physical access to the CSP's equipment separated to reduce the probability of insider attacks?
- Does the CSP have access to environment and system logs that make users and their access profiles traceable?
- Do they protect the perimeter with email security controls for leakage prevention, email monitoring, and appropriate antivirus software?
- Do they align with your organizational incident response, disaster recovery, and business continuity plans?
- How do they respond to official requests arising from legal obligations in the event of data breaches and related incidents?
- When the business relationship with the CSP ends, how do they handle backups, data tracking, and the export or destruction of customer data?
Before Agreeing to Terms, Challenge All Security Concerns with the Prospective CSP
By agreeing to take over the management of your organization's data, a CSP accepts a large responsibility. It is therefore critical for company stakeholders and internal security teams to evaluate every aspect of the CSP's security architecture and measures, and how those details are set out in the SLA and security policies.