- What about data tagging?
You may think this question is something of a cheat in that it's one the organisation should ask of itself rather than the cloud provider, but it's vital if your security model is going to remain intact during any cloud deployment.
Given that recent research carried out by BT suggests 44% of CIOs think they deal with information that is 'too sensitive' for the cloud, keeping control over what data goes where is key.
Data tagging, often done with the help of data leakage protection (DLP) technology, can be used to classify data and so determine where it can and cannot go. It is also worth asking the cloud provider about its own tagging, particularly for compliance issues surrounding the geographic location of data. Does the cloud provider have a data tagging solution? Was it created in house? Does it work alongside encryption without exposing data through unencrypted index tables that reveal too much? If the cloud provider cannot offer transparency about where data is in the cloud as it moves between data centres, or about how its data tag policy works, and your compliance regime requires this knowledge, it should be a deal breaker.
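The placement decision described above, as an added illustration that is not from the article or any vendor's product: a classification tag on each object decides which regions it may be stored in, whether it must be encrypted first, and whether the provider's plaintext index would undermine that encryption. The policy table, region names and sample objects are constructed assumptions.

```python
# Added example (not from the article or any product): a tag-driven placement
# check. Policy, regions and sample objects below are constructed.
from dataclasses import dataclass, field
# classification tag -> regions it may live in, and whether encryption at rest
# is mandatory there. An empty region set means "never in the cloud".
POLICY = {
    "public":       {"regions": {"eu", "us", "apac"}, "encrypt": False},
    "internal":     {"regions": {"eu", "us"},         "encrypt": True},
    "confidential": {"regions": {"eu"},               "encrypt": True},
    "restricted":   {"regions": set(),                "encrypt": True},
}

@dataclass
class DataObject:
    name: str
    tags: dict                                       # e.g. {"classification": "internal"}
    encrypted: bool
    index_fields: set = field(default_factory=set)   # fields the provider indexes in clear

def evaluate_placement(obj, target_region):
    """Return (allowed, reasons). Untagged data is refused: no tag, no decision."""
    reasons = []
    cls = obj.tags.get("classification")
    if cls not in POLICY:
        return False, [f"{obj.name}: missing or unknown classification tag {cls!r}"]
    rule = POLICY[cls]
    if target_region not in rule["regions"]:
        reasons.append(f"{obj.name}: {cls} data may not be placed in region {target_region!r}")
    if rule["encrypt"] and not obj.encrypted:
        reasons.append(f"{obj.name}: {cls} data must be encrypted before placement")
    # Tagging must not undermine encryption: only the tag itself may sit in a plaintext index.
    leaked = obj.index_fields - {"classification"}
    if rule["encrypt"] and leaked:
        reasons.append(f"{obj.name}: plaintext index exposes {sorted(leaked)}")
    return not reasons, reasons

def check_migration(objects, target_region):
    """Every reason a batch move to target_region would breach policy."""
    reasons = []
    for obj in objects:
        reasons.extend(evaluate_placement(obj, target_region)[1])
    return reasons

# Constructed batch proposed for a move to a US data centre.
SAMPLE = [
    DataObject("press_kit.zip", {"classification": "public"}, encrypted=False),
    DataObject("payroll.csv", {"classification": "confidential"}, encrypted=True),
    DataObject("crm_dump.db", {"classification": "internal"}, encrypted=True,
               index_fields={"classification", "customer_email"}),
    DataObject("old_backup.tar", {}, encrypted=True),
]
```

Running `check_migration(SAMPLE, "us")` blocks the confidential file, the object whose index leaks a content field, and the untagged backup, while the public press kit passes.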
- How does the provider authenticate and manage users?
The threat to enterprise data is not always external, and once that data moves outside the organisation's physical control (you no longer have access to the building where the data is housed, the staff who administer that data, or the day-to-day management of both), the insider threat becomes all the more problematic.
Be sure to ask any cloud provider about its digital access management practices, and how it authenticates users and determines their permissions with regard to customer data. Can the cloud provider query your existing identity management system, for example? What processes are in place to prevent potential system administrator privilege abuse? What log monitoring, analysis and alerting systems can be deployed to warn, for example, if a sysadmin has logged on without apparent reason? Don't be afraid to ask the same kinds of questions about cloud provider staff as you would when employing your own: assess the checks the provider has in place to prevent rogue operators from being hired and gaining access to your data.
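One concrete form of the alert the paragraph asks about, as an added example rather than any provider's tooling: privileged logons in an admin audit trail are matched against approved change tickets and an agreed maintenance window, and anything with no such justification is raised. The log line format, ticket numbers, window and sample lines are all constructed.

```python
# Added example (not from the article): flag privileged logons that have no
# apparent reason, i.e. no approved change ticket, or outside the maintenance
# window. Log format, tickets and window are constructed assumptions.
import re
from datetime import datetime, timezone

LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                  r"event=(?P<event>\S+) priv=(?P<priv>\S+)(?: ticket=(?P<ticket>\S+))?$")

# Constructed: approved change tickets and the hours (UTC) when admin work is expected.
APPROVED_TICKETS = {"CHG-1041", "CHG-1057"}
MAINTENANCE_HOURS = range(1, 5)   # 01:00-04:59 UTC

def parse(line):
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec

def unexplained_admin_logons(lines):
    """Return (user, host, why) for each privileged logon lacking a justification."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["event"] != "login" or rec["priv"] != "yes":
            continue   # unparseable, non-login or non-privileged: out of scope
        ticket = rec["ticket"]
        if ticket in APPROVED_TICKETS:
            continue   # ticketed work is the "apparent reason" we want to see
        if ticket is None and rec["ts"].hour in MAINTENANCE_HOURS:
            continue   # unticketed but inside the agreed window: log it, don't alert
        why = "unknown ticket " + ticket if ticket else "no ticket, outside maintenance window"
        alerts.append((rec["user"], rec["host"], why))
    return alerts

# Constructed sample lines from a provider's admin audit trail.
SAMPLE_LOG = """
2024-03-02T02:10:00Z host=db01 user=ops.asmith event=login priv=yes ticket=CHG-1041
2024-03-02T03:40:00Z host=db02 user=ops.bjones event=login priv=yes
2024-03-02T14:22:00Z host=db01 user=ops.cwu event=login priv=yes
2024-03-02T15:05:00Z host=app03 user=ops.dlee event=login priv=yes ticket=CHG-9999
2024-03-02T15:06:00Z host=app03 user=svc.web event=login priv=no
2024-03-02T15:07:00Z host=app03 user=ops.dlee event=logout priv=yes
garbage line
""".strip().splitlines()
```

Of the six sample events, only the daytime unticketed logon and the logon citing an unknown ticket are raised; the ticketed and in-window logons, the non-privileged service account and the logout are left alone.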
- Is the provider responsible?
In the cloud, it is not always simple and straightforward to determine where responsibility for security should lie. By all means ask your cloud provider who holds responsibility for security during the contractual negotiation phase, but understand that the best you can hope to achieve is a sharing of the security burden rather than a total abdication of your duty of care.
This may be surprising, given that a tightly negotiated contract with a nailed-down SLA laying all the security responsibility on the provider leaves the legal position pretty clear. However, that will not stop the court of public opinion from drawing a different conclusion when it comes to apportioning blame, should a high-profile data breach occur. The cloud, by its very nature, is designed to be invisible to the consumer and does not become visible when something goes wrong, which is why it's vital -- from a brand-protection perspective -- that the organisation is seen to have asked all the right questions and made every effort to ensure data is properly secured.
- Is the provider's security up to standard?
The cloud is a relatively new service technology, so the matter of standards certification might not immediately spring to mind during the security due diligence process. That is a big mistake. Salespeople might try to convince you that the provider's 'homebrew' service offering is as secure as, or more secure than, a standards-based system, but that's simply not the case.
For starters, ask your provider if it is ISO 27001 compliant. Such well-established and formal specifications are good indicators that a provider can walk the walk as well as talk the talk. Although new and cloud-specific certifications, such as the Cloud Security Alliance's (CSA) Certificate of Cloud Security Knowledge (CCSK), are not a real-world guarantee of technical competence, the fact that the cloud provider is providing some kind of training foundation and establishing a baseline of knowledge for staff is generally a good indicator of how seriously it is taking the security issue as a whole.
- And finally, how seriously does the provider take security?
It may seem broad or unnecessary, but ask potential providers the question: "How serious are you about the security of my data?" Most likely, the cloud provider will produce the standard templated responses until you start to drill down with the questions posed previously in this cloud security guide.
And here is one final question that can reveal a lot about just how seriously a cloud provider really takes security matters: "Who is your CISO and what experience does he or she have?" Proceed with the utmost caution if the provider does not think such a position is required, or has hired someone with no real-world experience of enterprise data security.
About the author:
Davey Winder has worked as a freelance technology journalist for nearly 20 years. He is based in South Yorkshire.