Cloud Computing Security Assessment

124 Views

SaveSavedRemoved 0

After understanding that Cloud can give you various advantages in terms of Scalability, Elasticity, and reduced costs, selecting a cloud vendor still requires a thorough security assessment before a customer can give the custody of their data to the Cloud provider.

Table of Contents

50+ Security Questions to ask your Cloud Vendor

Cloud Information security assessment has to be done from different angles. In this post, I am sharing some of the important questions to be asked before signing the agreement.

There are many assessment questions which can be broadly categorized in various areas Like

Security

Control Areas

Governance and Compliance
Data Security
Incident Reporting and Handling
Business Continuity and Disaster Recovery
Vulnerability Management
Affiliates & Subcontractors Usage
Data Privacy
Application Security

In each of the above areas specific assessments can be done which a high level are subsets of these basic questions

Is the Cloud Vendor following the governance and compliance policies laid down in there region?

Is my data secure?
How does the cloud vendor report the incidents or attacks? How do they handle those incidents?
Does the Cloud infrastructure provide Business Continuity and Disaster Recovery?
How does the vendor manage vulnerability after test points and areas?
What are the agreements with Subcontractors and Affiliates if used to handle customer data?
How does the cloud vendor guarantee the Data Privacy of my business?
Is the Application provided by the vendor (SaaS) secure?

let’s go in little details in each of the areas.

Governance and Compliance Questions

Do you have a Information Security Policy implemented with a governance model?

A cloud provider with a good information security policy will have a governance model and personnel accountable.

Is your organization certified for ISO 27001 standards?

ISO 27001 provides a model to follow and ensures the providers cloud information security policy covers all the necessary requirements.

Do you provide SSAE 16 / SSAE 18 reports?

SSAE 16 & SSAE 18 are audit reports of an organization that assesses the security operations controls. A Top Cloud provider will be providing these reports.

Is your data center certified against industry standards?

ISO 27001, ISO 27017, ISO 27018 are the latest certification standards.

Do you audit the data center facilities and access for controls? what is the frequency of audit?

Data Centers should be periodically audited for having facilities as per standards. There should be at least yearly reviews and gaps should be addressed on priority.

Do you allow independent Reviews and assessments for compliance against regulatory requirements which may include certifications and vulnerability testing?

If a cloud vendor allows independent testing customers can be assured of the audit reports and can specifically test control areas they are concerned about.

Do you publish you cloud performance KPIs?

KPIs can help the customer understand the performance of the cloud computing application or infrastructure.

Do you plan your DR as per any risk management Framework?

Risk management frameworks like NIST and ISO are there which outlines the controls to be established in a cloud computing environment.

Data Security Questions

Does your Data Security Architecture designed using an industry-standard? (ex. CDSA, MULITSAFE, CSA Trusted Cloud Architectural Standard, FedRAMP CAESARS)?

Data security architecture industry standards ensures the security of customer data.

How do you maintain data integrity and confidentiality?

There should be controls to avoid data loss, privacy, and access controls with industry standards encryptions.

Have you deployed and Data Loss Prevention (DLP) tools within your infrastructure?

DLP Tools helps in data loss prevention.

Will any third party access my data? will you notify us before sharing customer data?

Controls should be in place for third-party subprocessors and contractors.

Do you encrypt customer data in storage?

Data stored when encrypted provides another level of control in data security.

Do you encrypt customer data in transit?

Data transmitted over networks especially over public networks should be encrypted as per standards.

Who manages the encryption Keys? Customer or Cloud provider?

If the customer is allowed to manage keys they can add another level of security control and keeps the keys confidential to themselves.

How do you ensure that backed-up data is not commingled with other customer’s data?

Practice should be there to ensure data of different customers do not get mixed.

Is your RTO Flexible?

The recovery time objective should be as per industry standards and if the vendor can provide customized RTO that’s add on.

Can customer implement additional security controls in addition to the vendor security?

The vendor may have options to provide this feature.

How long you retain my data after ending of contract? How do you ensure the data is destroyed?

There should be data retention and destruction policy in vendor services.

How do you ensure physical security of my data?

The physical security policy should be there to physically guard and monitor the location.

Who can access my data? Are third party vendor used?

Controls and agreements should be there for those who can access the data.

Do your employees access the data remotely?

If employees use remote access, security controls should be implemented for remote logins.

Do you use antivirus and how frequently you update them?

Antivirus should be used across org and data centers and frequently updated.

Do you have program to identify system vulnerabilities?

Vendors should have a program to keep checking the system for vulnerabilities.

Do you scan you networks?

Network scanning and testing is an important control to be followed by cloud vendors,

Do You have Role based access control for data and systems?

Access should be provided on a need-to-know basis only.

Do all employees and contractors have unique IDs?

All employees and vendors should be identifiable if they are accessing facilities.

Do you have a data destruction policy?

Data should be securely destroyed after the termination of service or end of life of storage media.

Is your facility audited by third party?

Third-party neutral audits are another level of security control.

Do you support Single Sign On with my Identity Provider?

Identity Federation should be possible with cloud services.

Do you support multi-factor authentication?

multifactor authentication like OTP and biometrics provide another level of security.

Incident Response

Do you have incident response plan?

An incident response plan ensures proper actions to be taken in case of security incidents.

How frequently you keep updating your incident response policy?

The policy should be kept updating at regular intervals.

Do you notify customer in case of security incidents?

Not every cloud service provider may provide this notification.

Are employees trained how to report the security incidents internally?

Employees should have the right training to handle incident reporting.

Can you share details of your last cyber attack and how it was remediated?

This data can help understand the current state of the cloud provider. Audit reports after the attack will help to judge if the issues were remediated.

Do you log all incident issues?

logs should be created for the application, firewall, database transactions etc.

Do you provide logs as forensic data in event of a legal inspection by Government for a Incident?

Proper process should be there to share only relevant data for inspection.

Will you share logs to customers for a security incident?

Depends on the cloud service provider policy.

BCP / DR

Do you have a Business continuity & Disaster Recovery Plan ? Is someone accountable?

cloud providers have BCP DR plans with responsibility assigned to a head.

Do you test your BCP / DR Plan Regularly?

Plan should be regularly tested.

What is your RTO/ RPO?

Recovery time objective (RTO) and Recovery Point Objective (RPO) help understand the availability of cloud systems.

Is your BCP / DR plan as per industry standards like ISO 22301?

BCP DR Plan should be as per industry standards.

Do you have a secondary site ? and do you maintain same level of security controls on secondary site as well?

Primary and secondary sites should ideally have the same level of controls so that it can be switched in case of DR.

Do you allow customers to choose the data center Location?

Some customers may not want their data to be stored outside their region.

Vulnerability Management

Do you do Vulnerability testing ? How frequently?

Vulnerability testing should be done as frequently as possible to check for the latest vulnerabilities.

Do you do penetration testing?

Penetration testing Inhouse and by third parties help in identifying the vulnerabilities.

Are your systems hardened?

All vendor systems should ideally be hardened by disabling ports like USB, unnecessary software, accounts, controlled internet access

Can you share your last vulnerability issue?

Generally, this is confidential data for cloud providers.

SubContractors/ SubProcessors

Do you use Subcontractors? If yes how do you make sure of the data access and confidentiality?

Cloud providers using subcontractors should have strict contracts with them.

Do you Audit your subcontractors for following the guidelines?

Ideally, Cloud providers should audit their vendors for their service agreements.

Do the subcontractor you use have access to customer data?

The Cloud vendor’s vendor should ideally not have direct access to customers’ data.

Data Privacy

Do you hold anyone in you organization for Data Privacy Issues?

Ideally, someone should have the responsibility of data privacy policies and enforcement.

Will you access my data?

Cloud providers should not read customer’s data except only required data for running the services.

How do you restrict your staff access to customer’s data?

Access should only be on a need-to-know basis. Role-based access should be implemented.

Do you train your employees for data security and privacy.

Regular training should be given to employees on data privacy and security.

How do you handle employee misconduct related to Customer Data?

Confidentiality agreements should be agreed upon prior to employment and misappropriation should have an employee termination clause.

Do you comply with EU and GDPR ?

Cloud providers should provision GDPR controls.

Will my data be access from outside my country?

Cloud providers may have employees globally and thus they may be accessing customers’ data. Customers should be aware if this applies to their provider.

Do you hold anyone in your organization responsible for data Privacy

Someone should be responsible.

Do you classify data ?

Data should ideally be classified in the range of confidentiality.

Application Security

How do you secure your SaaS application

Security Practices should be there for SaaS applications.

Do you deploy Web Application Firewall?

WAF is a security control to enhance application security.

Do you have separate Test , development and production instances?

Test , Dev and Prod instances should be separate and no production data should be used for testing.

How and in what format My data can be extracted from SaaS?

Extracts should be in standard formats so can it can be imported to another SaaS if required.

Do you ensure your software is free of back door and dangerous codes listed in the CWE and SANS Top 25 (http://cwe.mitre.org)

SaaS should be complaint of above.

What is your password policy for application user? Can it be customized?

Strict Password policies should be there.

Oracle Integration Cloud OIC Tutorial (Basics)

VBCS Interview Questions

What is Oracle ERP Cloud and Its Benefits?

Cybersecurity Training for Employees

What is Data Breach in Cyber Security?

Biggest Data Breaches in the Cyber World

Leave a reply Cancel reply

Thank you!

Ads Blocker Detected!!!

Compare items

Shopping cart