Cloud storage security: Questions to ask your cloud provider

You should expect cloud storage security to be better than in-house security, so how should we expect providers to look after data, and what are the key questions to ask them?

Cloud storage security should be one of the most important concerns for anyone considering outsourcing their data storage. If you want someone else to look after your data, you need to be as certain of its security as if you were storing it on your own infrastructure. So, how can you expect a cloud storage provider to look after your data, and what questions should you ask to make sure their cloud storage security is up to scratch?

In this interview, Bureau Chief Antony Adshead speaks with Chris Evans, an independent consultant with Langton Blue, about how cloud storage security is affected by cloud providers and the types of questions you need to ask before entrusting your data to them.

Listen to the podcast on secure data storage or read the transcript below.

How is security enabled in public cloud storage services?

Evans: I think—as you will imagine—the sort of questions that [arise in public cloud storage services] are pretty similar to those you’d ask about your own internal IT services. We can divide those into a number of areas.

Let’s start with physical security. One of the things you want to make sure is that wherever you’re storing your data, that service provider has a physically secure environment, has proper access controls and that environment is locked down and you know how the security has been implemented.

Obviously, if you’re a small [organization] and you’re just using it for something simple like DropBox, you may not ask all those questions. But if you’re a large organisation that outsources lots of data, then that physical security layer will be very relevant to you.

The sort of things [you’ll ask will relate to] whether they have proper access controls, how they monitor their staff, how they run the organisation, [whether it is] a 24x7 environment, and so on.

The next thing you need to ask them about is architecture. It’s likely that you’ll be deploying on infrastructure that’s shared with other customers, so you want to make sure that architecture is secure, that it’s multi-tenanted and that there’s proper user authentication built into it so that you know your data’s separate from everybody else’s and there’s no risk of you inadvertently seeing other people’s data or, worse than that, other people seeing your data.

The next level is the storage management side of things. [In an internal environment] you would have access controls around storage management provisioning, and you would want to make sure your cloud provider has a similar structure in place and similar processes and procedures.

Finally, [there’s one thing you do] slightly different to how you do it internally and that’s your client access. So, you’d need to make sure you had proper granular security access and control to the data you’ve put into the cloud.

What are the key questions to ask service providers about cloud storage security?

Evans: Let’s take physical security as the starting point. You need to be asking how secure the environment is, and to what level, so have you got secure access controls into different parts of the environment? Are there processes and procedures around physical access to the servers and the arrays that are storing your data? How do they vet their people from a security perspective? Are there controls around expiration of passes if they are lost? All those sorts of things that relate to physical security, I’d want to ask my provider about to make sure they have a good, tight operation.

From the architectural level, you [need to be sure] they have a proper multi-tenanted environment and that they are capable of operating that properly. [If, for example,] you were in a shared environment, you’d want to know what would happen if you were sharing an environment with someone else and they overuse their capacity. Would that affect your environment or is your storage guaranteed within the design of that architecture?

As we go on to security at the logical level, the client level, I’d [want to know] that the depth of security was good enough so that there’s no chance of the data being accessed by anyone else.

So, if the data is being accessed backwards and forwards, I’d want to ask the provider what security protocols they provide. I’d be expecting things like SSL [and] SSH security. I’d want to know how they secure my access, if it’s [via] password encryption or if it’s tokens and I’d want to know how strong it was. And on top of that I’d want to know if I could implement encryption on that platform or get it built in as part of the offering, because clearly that level of encryption is going to be really key if you’re talking about data that’s stored in someone else’s site.

One final thing that’s worth mentioning is auditing. Should the worst happen and [someone does access the environment], you want to make sure you’ve got a full audit trail so you can go back and look and see where and how the breach happened and make sure it doesn’t happen again.