As we continue to hear the command “To the Cloud!” it seems that the cloud is not quite as resilient and secure as many were hoping.
Risks exist when relying on third parties to keep your business running and your information secure. So, you need to help minimize the chance of you or the business getting burned because of someone else’s lackadaisical approach to security.
Here are some critical security questions you need to be asking your current or prospective cloud vendors to show them that your business takes security seriously and to get some assurance that things are in check:
- Can you provide us with a copy of your latest penetration testing report? What methodologies, vulnerability scanners, and related security tools do you use to test your systems? When they insist their SOC 2 report has all the answers, ask them how secure their network systems and Web applications actually are. If they can’t answer these questions promptly, find another cloud service provider.
- Do you have a security evangelist and/or someone who specializes in compliance on your staff? This can prove to be an invaluable resource for helping you with compliance issues related to your environment.
- Do you have locations in various jurisdictions (i.e. across state lines or international boundaries)? This can have a big impact on compliance and data access.
- Will our information be co-mingled? If it’s located with other customers’ information in the same database behind the same Web applications, then one customer’s security exposure could lead to an exposure of everyone’s information.
- What happens when there’s an incident? How are you going to work with us? A lot needs to happen when performing a forensics investigation, cleaning things up, and possibly even working with law enforcement.
- How can we be assured of business continuity if your company is acquired or closes down? If you don’t ask, you won’t know until that time comes.
When it comes to cloud security oversights, I especially love this recent ZDNet headline: Trust in cloud security at all-time low: Execs still betting on the cloud. It’s a great example of just how disconnected IT and security are from management – and management from reality – when it comes to this critical area of business. It even seems that lawyers are calling the shots more than CISOs are today – often relying solely on contracts and SLAs.
If it were only that simple… Scary stuff. It’s job security for us all, so I guess we shouldn’t complain.