Eight Security Questions to Ask a Cloud Vendor Before You Sign Up

Cloud services, whether PaaS (platform), SaaS (software), DRaaS (disaster recovery) or another ‘as a service’ option, are part of the business landscape now. However, in the vast majority of cases, using them means that your data is stored outside your organisation. No matter what the cloud vendor’s reputation, security must be evaluated, confirmed and applied. Here’s a list of eight security questions to help you safeguard your data, your confidentiality and quite possibly your business.

  1. Are the vendor’s information security policies clearly and completely documented? Lack of workable, relevant, written policies is a big red flag. ‘Unwritten’ can mean ‘unmanaged’ and even ignored.
  2. Does the vendor hold its subcontractors to the same rigorous security policies as itself? If anyone else has to handle your data, make sure they play by the same tight security rules.
  3. Is your data held separately and securely from other people’s? Don’t become collateral damage in a breach of security that hurt someone else and then spilled over to you.
  4. Are the cloud vendor’s backups satisfactory in terms of confidentiality and reliability? Encryption and backup restore testing are both critical items here.
  5. Does the vendor have solid disaster recovery plans? Look for proof of independent audit and any relevant certification to back up any claims made, together with evidence of regular (and successful) testing.
  6. Is access to the cloud vendor’s infrastructure restricted correctly? Check out both network/virtual and physical access security.
  7. Are the cloud vendor’s processes secure for destroying unwanted data? Whether this involves deletion from a hard disk or the physical destruction of a tape, for instance, make sure your old data can’t come back and bite you because of any cloud vendor shortcoming.
  8. Does the vendor have clearly defined processes for change control? You can’t necessarily control the vendor’s decisions to change its actions, routines, or infrastructure, but you need to make sure that the vendor has it under control – including notifying you beforehand when such changes can affect your data.