Authorized Access: 5 things you need to know about cloud security

For many enterprises, the decision to shift applications to the cloud is just the first step in what can be a lengthy process. And it’s also the easiest one. The next steps involve deciding which vendor to go with, performing the actual migration and ensuring cloud security.

security in the cloud

Know the right questions to ask about cloud security before you sign a deal.

Enterprises grapple with questions about which providers meet their needs, what applications should be moved to the cloud, and whether to select the private cloud over a public cloud. There are questions around cloud security, availability and disaster recovery considerations that need to be addressed as well.

Businesses, IT departments in particular, have to take the time to define their goals and ask questions to ensure the cloud provider they ultimately wind up with can deliver what they need. You may be okay with the “default” package that the cloud provider offers, or you may want to customize the configuration. A thorough vetting and an intensive information-gathering process will ensure you pick the cloud provider who can deliver to your specifications.

Here are five questions you should ask prospective cloud vendors to put you on your way to achieving cloud security.

Who has access to my data in the cloud?

What controls does the cloud provider have on its employees, and what they can see of your data? As administrators of your system, the provider needs to have some access, but you need to make sure controls are in place to prevent data being copied or emailed without your authorization. If your provider sub-contracts work with other third-party partners, then you need to make sure those partners comply with the same policy and security controls.

It’s easy to forget about the physical infrastructure when talking about the cloud. But there is a data center with physical servers running somewhere. How does the provider handle physical security? Who has access to the data center?

In a multi-tenant environment, the last thing you want is to have your data exposed to other organizations using the same provider. How does the provider separate information and systems? What kind of controls are in place to ensure all customers are properly segregated? That leads to the next question, about data protection.

How is my data protected in the cloud?

Make sure the cloud provider can give clear information about the data protection policies it has, about encryption, and how data is protected in transit as well as at rest. Backups should be protected, and regularly tested. There is nothing worse than finding out after a data crash that the backups are incomplete or corrupt.

Can the cloud provider show you a clear audit trail of who is accessing the data and what is happening within your environment? Having a formal change control process and a written information security policy is a good step. Don’t forget to ask about what kind of network monitoring and protection capabilities are in place.

How does the provider meet and maintain compliance? It’s easy to say that it’s the cloud provider’s job to make sure they are compliant, but the end responsibility rests upon you to verify the provider is meeting those requirements.

What do you do when something goes wrong?

“Something going wrong” can cover a whole range of situations, including service outages, equipment failure and data loss, cyber-attacks, and data breaches. Does the provider have a disaster recovery plan? When are you notified, and how will you be notified? How frequently does the provider run through disaster recovery simulations to test its processes?

Make sure you list all your requirements in the service-level agreement. More importantly, make sure the SLA defines remediation steps – what will the provider do when things go wrong (as they invariably will). Are you comfortable with the remediation offered?

How do I migrate my data?

This question goes both ways. You want to know what kind of changes you need to make to your existing applications to work on the cloud provider’s infrastructure. Different providers will have different requirements. Is there a migration tool of some kind to assist with getting your applications and systems ready? What kind of configuration changes will you have to make? Choosing a cloud provider that is running similar platforms to the ones you currently have in-house is a good place to start.

Maybe you will decide to move to a different cloud provider. Or, after trying out one service for a year, you will decide you want to go back on-premise and reclaim your data from the cloud. (It happens.) You need to ask at the outset how you will get your information back out of this environment. Does the cloud provider have are there tools available that helps you get everything–or will you have to leave some behind? Is there a termination fee or penalty for deciding to leave? What procedures does the provider follow for securely destroying their copies of your data and information?

It might feel strange discussing how to leave the cloud provider relationship even before you start one. But you don’t want to wind up stuck with a provider that isn’t meeting your needs. Most established providers offer information about how to retain control over your data so that you can move when necessary.

How have you handled security incidents for customers like me?

Don’t be nervous about asking for references. Ask about customers who have environments or applications requirements that are similar to yours. Cloud providers should be able to give you references to existing customers to back up their promises. Ask about examples of security incidents the provider has had recently, and how they dealt with these. Be leery of providers that claim they have never had a security incident.

Ask a lot of questions about cloud security. Ask questions you’re nervous about asking. Your business needs you to.

About the Author

Fahmida Y. Rashid is a security blogger and contributor to EnterpriseEfficieny.com, a UBM Tech community.

Fahmida Y. Rashid
Fahmida Y. Rashid is an analyst for networking and security at PCMag.com. She focuses on ways businesses can keep their data and networks secure without going bankrupt chasing after the wrong kinds of protection. Prior to landing at PCMag, she was a senior writer covering security, core Internet infrastructure, and open source at eWEEK. She was also a senior technical editor at CRN Test Center reviewing open source, storage, and networking products from 2007 to 2008. Before setting out her journalism shingle, she was a technology consultant, first at PricewaterhouseCoopers, and later with the Business Consulting Services group in IBM Global Services. She has worked in the trenches as help-desk, QA tester, software and Web developer, and network administrator.
Fahmida Y. Rashid
Fahmida Y. Rashid
Fahmida Y. Rashid
Tags: Cloud Computing,Data Center,IT Security,Storage,Technology