4 security questions you should ask your cloud services provider

December 29, 2011 By David
Grazed from InformationWeek.  Author: Sridhar Sarathy.

Cloud Computing is definitely the biggest trend in the market. However, the transition to cloud computing won’t realize its full potential until more vendors and buyers fully understand security requirements in the cloud. If you’re overseeing your company’s migration to the cloud, you need to ask some tough questions and consider getting an assessment done by a third party before committing to the migration.

The questions can be broadly classified into the following categories:

1. Can you ensure segregation of my data from that of your other customers?

In cloud-based architectures, one does not know exactly where the information is hosted. Typically, multiple customers share the same infrastructure. The multi-tenancy model is adopted to take advantage of the price and performance advantages that come with economies of scale. But as a customer in such an environment, you aren’t always clear on which type of architecture the cloud service provider is using, or what its role and responsibility are for protecting your information from others.

The key to securing your data is to ask the cloud provider about data segregation, i.e., what policies and encryption schemes are in place to ensure that other tenants cannot access your data, either knowingly or unknowingly. Without isolation, you also cannot be assured that infections or malware won’t spread from other customers to your data and render it totally unusable.

2. Are you able to deliver data security standards to my machines?

As more sensitive information moves onto the network and into the cloud, the complete security, privacy, and regulatory compliance of such information must be assured. In most cases, the customers (and not the cloud service providers) are ultimately responsible for the security and integrity of their data. So, the service providers themselves need to undergo regular external audits and security certifications.

For example, any business that processes credit card information needs to comply with regulatory mandates such as PCI DSS (Payment Card Industry Data Security Standard). The underlying service provider needs to have policies, processes and technologies in place that conform to PCI requirements. This is why anyone looking for a PCI-compliant deployment in the cloud has to make sure that the service providers they are dealing with are themselves PCI compliant to begin with.

In addition, you need to get a contractual commitment from the Cloud Service Provider to support specific forms of investigation by the Government and law enforcement agencies. This is particularly important in the current atmosphere of heightened security.

3. As a customer, do you allow me to manage the security of my own machines?

Authorization and access management—or what resources an individual can use, for what purposes, and under what circumstances—is another critical function that must be built into the cloud. While the cloud service provider may offer you properly configured and secured machines, you may want to ask whether you can manage parts of the security policy governing access on your own. Ask if your IaaS (Infrastructure-as-a-Service) provider can offer you the option of managing your own security and access policies on its infrastructure. This is particularly critical for sensitive data stored in the cloud.

4. How do you ensure maximum availability of my machines?

No business can afford downtime. No cloud provider can promise 100 percent availability, and there is always a risk of an outage, however small. Even during a system upgrade, you should have complete access to your data at any given point in time. It is therefore important to know what procedures a provider has in place to help its customers recover their data and get back up and running if an outage or upgrade happens. Your provider should be able to offer a service agreement guaranteeing at least 99.9 percent availability of your data.

Important considerations include the speed of recovery in the event of an outage, and the degree of redundancy built into the provider’s cloud infrastructure. And again, it is worth asking where your data is replicated to; in other words, where it might end up if the provider’s primary data center suffers an outage and systems need to be redirected through its other facilities.

Cloud service providers owe it to their customers to have the latest and best approaches as available options. Customers must ask and be clear about the ways in which they share responsibility for their security and the security of their customers. Customers must demand transparency and avoid vendors who do not provide detailed answers to the above questions.