After understanding that the cloud can give you various advantages in terms of scalability, elasticity and reduced costs, selecting a cloud vendor still requires a thorough security assessment before a customer hands custody of their data to the cloud provider.
50+ Security Questions to ask your Cloud Vendor
A cloud information security assessment has to be done from different angles. In this post, I am sharing some of the important questions to ask before signing the agreement.
There are many assessment questions, which can be broadly categorized into areas like:
Governance and Compliance
Incident Reporting and Handling
Business Continuity and Disaster Recovery
Affiliates & Subcontractors Usage
In each of the above areas, specific assessments can be done which, at a high level, are subsets of these basic questions:
- Is the cloud vendor following the governance and compliance policies laid down in their region?
- Is my data secure?
- How does the cloud vendor report the incidents or attacks? How do they handle those incidents?
- Does the Cloud infrastructure provide Business Continuity and Disaster Recovery?
- How does the vendor manage vulnerabilities, and which test points and areas are covered?
- What are the agreements with Subcontractors and Affiliates if used to handle customer data?
- How does the cloud vendor guarantee the Data Privacy of my business?
- Is the Application provided by the vendor (SaaS) secure?
Let's go into a little more detail on each of the areas.
Governance and Compliance Questions
A cloud provider with a good information security policy will have a governance model and personnel accountable.
ISO 27001 provides a model to follow and ensures the provider's cloud information security policy covers all the necessary requirements.
SSAE 16 and SSAE 18 are audit standards under which an organization's security operations controls are assessed and reported on. A top cloud provider will make these reports available.
ISO 27001, ISO 27017 and ISO 27018 are the current certification standards.
Data centers should be periodically audited to verify that their facilities meet the standards. There should be at least yearly reviews, and gaps should be addressed on priority.
If a cloud vendor allows independent testing, customers can be assured of the audit reports and can specifically test the control areas they are concerned about.
KPIs can help the customer understand the performance of the cloud computing application or infrastructure.
Risk management frameworks such as those from NIST and ISO outline the controls to be established in a cloud computing environment.
Data Security Questions
Data security architecture industry standards ensure the security of customer data.
There should be data loss prevention, privacy and access controls, using industry-standard encryption.
DLP tools help in data loss prevention.
Controls should be in place for third-party subprocessors and contractors.
Encrypting data at rest provides another level of control in data security.
Data transmitted over networks especially over public networks should be encrypted as per standards.
If the customer is allowed to manage keys, they can add another level of security control and keep the keys confidential to themselves.
There should be a practice to ensure the data of different customers does not get mixed.
The recovery time objective should be as per industry standards, and if the vendor can provide a customized RTO, that is an added benefit.
The vendor may have options to provide this feature.
There should be a data retention and destruction policy in the vendor's services.
The physical security policy should be there to physically guard and monitor the location.
Controls and agreements should be there for those who can access the data.
If employees use remote access, security controls should be implemented for remote logins.
Antivirus should be used across the organization and data centers, and frequently updated.
Vendors should have a program to keep checking the system for vulnerabilities.
Network scanning and testing is an important control to be followed by cloud vendors.
Access should be provided on a need-to-know basis only.
All employees and vendors should be identifiable if they are accessing facilities.
Data should be securely destroyed after the termination of service or end of life of storage media.
Third-party neutral audits are another level of security control.
Identity Federation should be possible with cloud services.
Multifactor authentication, such as OTP and biometrics, provides another level of security.
An incident response plan ensures proper actions are taken in case of security incidents.
The policy should be updated at regular intervals.
Not every cloud service provider may provide this notification.
Employees should have the right training to handle incident reporting.
This data can help understand the current state of the cloud provider. Audit reports after the attack will help to judge if the issues were remediated.
Logs should be created for the application, firewall, database transactions, etc.
A proper process should be in place to share only relevant data for inspection.
This depends on the cloud service provider's policy.
BCP / DR
Cloud providers have BCP/DR plans with responsibility assigned to a head.
The plan should be regularly tested.
Recovery time objective (RTO) and Recovery Point Objective (RPO) help understand the availability of cloud systems.
The BCP/DR plan should be as per industry standards.
Primary and secondary sites should ideally have the same level of controls so that they can be switched over in case of DR.
Some customers may not want their data to be stored outside their region.
Vulnerability testing should be done as frequently as possible to check for the latest vulnerabilities.
Penetration testing, both in-house and by third parties, helps in identifying vulnerabilities.
All vendor systems should ideally be hardened by disabling USB ports, removing unnecessary software and accounts, and controlling internet access.
Generally, this is confidential data for cloud providers.
Cloud providers using subcontractors should have strict contracts with them.
Ideally, Cloud providers should audit their vendors for their service agreements.
The cloud vendor's own vendors should ideally not have direct access to customers' data.
Ideally, someone should have the responsibility of data privacy policies and enforcement.
Cloud providers should not read customers' data except the data required for running the services.
Access should only be on a need-to-know basis. Role-based access should be implemented.
Regular training should be given to employees on data privacy and security.
Confidentiality agreements should be agreed upon prior to employment, and misappropriation should carry an employee termination clause.
Cloud providers should provision GDPR controls.
Cloud providers may have employees globally and thus they may be accessing customers’ data. Customers should be aware if this applies to their provider.
Someone should be responsible for this.
Data should ideally be classified by level of confidentiality.
WAF is a security control to enhance application security.
Test, Dev and Prod instances should be separate, and no production data should be used for testing.
Extracts should be in standard formats so that they can be imported into another SaaS if required.
The SaaS should be compliant with all of the above.
Strict password policies should be in place.