Businesses are moving to the cloud at a rapid rate. Though cloud computing has only been publicly available for about a decade, most enterprises today use the cloud in some capacity. The decision to move to the cloud isn’t one that should happen instantly, however. A business needs to plan out a cloud strategy first, which involves considering several infrastructure and operational factors. One of those factors, and arguably the most important, is cloud security.
Cloud security refers to security practices and tools that help secure data in the cloud. It’s a crucial part of planning a cloud strategy, and companies are aware of this. According to research by NETSCOUT, cloud security is the top barrier for enterprise cloud migration. They found that 61% of enterprises list security concerns as a major reason why they haven’t moved to the cloud.
Regardless of whether or not you’re already on the cloud, however, security is always an important factor to consider. Whether you’re considering cloud providers or have already entered an agreement with one, you need to be aware of their security policies and protocols. Specifically, there are certain questions you should ask your cloud provider to understand how their cloud security system works. Below, we list 7 cloud security questions you need to ask your cloud provider.
What security systems does the cloud provider have in place?
Your provider should inform you of what their current (and any planned) security systems are. By being transparent about how they secure cloud data, the provider keeps you aware of how your data is going to be protected. There are multiple layers to a security plan that your provider may enact, including:
Cloud hardware security
What does your cloud provider do to secure the hardware it uses to run the cloud? Security measures for hardware like servers and data centers should be outlined by the provider.
Cloud data encryption
When you transfer data into the cloud, you want it to be encrypted to prevent unauthorized parties from accessing it. You should know how your cloud provider encrypts data stored on the cloud. Many cloud providers encrypt data differently depending on whether it’s in transit or at rest; if your provider does, they should state so clearly and inform you of the different encryption methods they use.
To keep the cloud environment secure, some providers offer monitoring functions to watch for any security or performance issues. If your cloud provider includes monitoring capabilities, they should tell you so, and also let you know what their monitoring tools look for.
What cloud security certifications does the provider have?
Security certifications show that a cloud provider meets or exceeds the cloud security standards that any provider should have. Your cloud provider may advertise these certifications directly, but you should still ask them about their certifications. In particular, look for SOC 2 and CCSP certifications. SOC 2 certified providers meet AICPA requirements for the current and future needs of cloud security. CCSP certifications are given by (ISC)² to providers that demonstrate technical expertise in designing and delivering cloud security practices.
Who is responsible for the various security tasks?
One of the key elements of any cloud provider’s service-level agreement is responsibility. This determines which party is in charge of handling which tasks with regard to security or any other management functions. There are two parts to this question:
What is the cloud provider responsible for?
Because the provider manages the cloud environment, they should be responsible for most (if not all) of the security tasks they require. The provider should inform you of security operations that they perform, including how frequently the provider does them.
What am I responsible for?
Not all cloud providers will require you to be responsible for security tasks, but if yours does, you obviously want to be aware of it. Typically, the provider expects you to perform security practices to prevent internal security breaches on your enterprise’s end. For tasks like breach detection and specific incident response, your provider needs to inform you if you’re responsible for handling them.
How does the provider separate each client’s data?
Most public cloud providers operate a multitenancy system, which means multiple users will store and operate data on the same server. This approach saves costs for the provider and utilizes their data centers to the fullest extent. In order to provide a multitenant system, the cloud provider must allocate a partition of their server to each individual user. The provider needs to have protocols in place to prevent users from accessing data on the same server that isn’t part of their partition. They also need to take steps to stop data leakage from occurring and perform constant tests to ensure each partition is isolated from the others.
How does the provider notify you of security breaches?
Even if the provider has proper security systems in place, a breach can happen at any moment. If a breach does occur, the provider needs to patch it out as soon as it can. Because security breaches can be either small or huge, not every breach will necessarily affect you, even if it’s on a server you use. However, your provider should notify you of any security breach that happens in their data centers, especially if it potentially affects your data.
Some cloud providers will inform users of breaches even if they affect an entirely different part of the data center. If they do, it’s helpful if the provider makes this known in its notifications. Just as important are breaches that can affect your data; providers need to tell you if your data is at risk. The best providers will outline steps you should (or need to) take to secure your data until the vendor contains the breach.
How does the provider destroy cloud data?
Getting rid of data your enterprise no longer needs isn’t as simple as it seems. While you can delete data, it doesn’t truly go away unless you destroy it, either with data destruction software or by physically destroying the hardware it’s contained on. You can’t use either of these methods for cloud data; instead, the provider will destroy it for you. The provider should state how it deletes data and the process by which a user requests data to be deleted. Otherwise, you can’t be 100% sure your data is safely wiped out.
What happens if the provider fails to meet security obligations?
It’s unfortunate when it happens, but it is possible that a provider won’t fulfill their end of the bargain when it comes to cloud security. If this happens, your provider should inform you of any remediation that your company will receive from them. They should also clearly describe the process your enterprise needs to follow in order to file for damages caused by the provider failing to secure their cloud environment. Of course, the other end of this scenario – what happens if you don’t meet your security obligations – is just as important. The vendor must outline the penalties you’ll pay if you violate the security agreement between you and the provider.
Latest posts by Daniel Hein (see all)