The 12 Security Questions You Should Ask Your Cloud Provider

A recent ESG survey found that mid-market and enterprise organisations in the United States and Europe rank infosecurity as the highest priority.


28 April 2015

The 12 Security Questions You Should Ask Your Cloud Provider

Small and medium-sized enterprises (SMEs) probably have the most to gain from cloud computing, but that doesn't mean they should walk into a relationship with a cloud provider with their eyes closed to potential security risks.

The reason why the cloud is so attractive to smaller businesses is clear — they may not have the staff or expertise to securely operate their own data processing and storage facilities.

If you are responsible for information security at your company, then it's so much more attractive to hand over the job to a trusted third party who (hopefully) has invested significant time into building a service that takes security seriously, and is capable of withstanding denial-of-service attacks, and is less prone to downtime.

Yes, it's nice to have your most sensitive data and communications on servers that you physically own and control, but that's only if you are capable of protecting them as well as the businesses that specialize in such services and provide round-the-clock incident response — the cloud companies whose very livelihood depends on them keeping your information secure, available, and out of unauthorized hands.

Because security really does matter. A recent ESG survey found that mid-market and enterprise organisations in the United States and Europe rank infosecurity the highest priority as they move applications and systems to the cloud, outranking the likes of modernizing data centres or mobility.

The good news is that cloud services have matured, and offer more information about the security they can provide than ever before. Past high-profile hacks of cloud services may have resulted in a bad experience for the customers affected, but they have also pressured service providers to take security more seriously.

Moreover, cloud services that focus on the enterprises (rather than on highstreet consumers) have not had their hands tied by conflicting requests from the market that might have swayed their design decisions or pushed them in a particular direction.

At the same time, legislators have become more aware of the risks and demanded that firms treat privacy and security as a priority — particularly as many governments adopt a "cloud-first" policy to reduce costs and create better efficiencies.

ENISA (the European Union Agency for Network and Information Security) has just released its cloud security guide for SMEs [PDF] and it makes essential reading for any SME wanting to understand the security risks and opportunities they should consider when switching to cloud services.

Most of the opportunities and risks have been discussed many times before, but that's not to say that it isn't prudent for you to refresh yourself so you understand the step you are taking with your eyes open.

Perhaps most helpfully, the guide lists the 12 questions it believes smaller and medium-sized organizations should be asking cloud providers before procuring their services:

  1. How does the cloud provider manage network and information security risks related to the cloud service?
  2. Which security tasks are carried out by the provider, which type of security incidents are mitigated by the provider (and which tasks and incidents remain under the responsibility of the customer)?
  3. How does the cloud service sustain disasters affecting data centres or connections, and which data is backed up where?
  4. How is security of the cloud service guaranteed when there are legal issues or administrative disputes?
  5. How does the provider ensure that personnel works securely?
  6. How is customer data or processes protected from unauthorized physical and logical access?
  7. How does provider ensure software security and which software remains customer's responsibility?
  8. How is access to the GUI’s and API’s protected, and are their additional measures for administrators/high privilege roles (under the customer’s side)?
  9. How can the customer monitor the service, which logs are kept, and how can they be accessed, for example, when the customer needs to analyse an incident?
  10. Which standards make the cloud service portable and interoperable?
  11. How is increase of usage or peaks handled, and what are the corresponding costs?
  12. Which national legislation applies?

For each question, the ENISA report provides examples of the kind of elements that you might hope to see in any cloud vendor's response. Of course, it's important to bear in mind that you want to dig deeper than a "checklist" of features. It is essential for enterprises to also explore the maturity of those solutions which are critical technologies for their particular business.

A cloud provider which has the best interests of small and medium-sized organisations in mind won't be phased by you asking probing questions, and will expect you to be interested in "digging deep" into the specifics of their solutions to make sure that you have found the right fit.

Check out ENISA's Cloud Security Guide for SMEs now, and make sure that you are equipped to make the right decision when it comes to choosing cloud providers.



Graham Cluley

Graham Cluley

Graham Cluley is an award-winning veteran of the anti-virus industry, fighting cybercrime and raising awareness of computer security and privacy issues since the early 1990s. Find out more on his computer security blog or follow him on Twitter.