Moving to the cloud is the latest rage and probably not a bad idea for a lot of people. Even though the cloud is a good alternative, don't forget to do your due diligence and know what you are getting for your money. Dark Reading has a post with six questions to ask your cloud provider.
- Which responsibility belongs to which company? In other words, what does the customer have to provide and what does the cloud vendor provide? As an example, who provides encryption? Who provides access controls? Who is responsible for backup? You get the idea.
- What type of security is covered by your platform, in the context of this cloud service? Again, who does what? Does the cloud provider patch your systems or is that the user's task?
- What training does your security team need? I'm not so sure that the cloud provider is going to give you a training plan. Open the conversation, but don't believe that they will tell you exactly everything you should do. Do your gap analysis and train your folks to cover the missing items the cloud provider doesn't offer.
- What mistakes have other businesses made that left their data exposed? Don't expect that the provider will divulge the details or names of its customers. Nobody wants to admit they made a mistake, but ask the question anyway to hear how the provider responds about any screw-ups.
- How much visibility do I have into the environment? This goes to transparency. Will the provider show you what information they have access to? Bigger players are more apt to "lift up their skirts."
- What third-party assessments will help me understand where the gaps are? Will the provider allow you to conduct an independent assessment? Don't take the provider's word that there has been a third-party assessment. Run your own if possible.
There you have it. The 6 questions you should ask your cloud provider.