Is your cloud vendor secure? 10 questions you need to ask

Improved security is a big motivator for many small and midsize businesses looking to move their data and technology to the cloud. Unfortunately not all vendors are created equal in this regard, so it's important to do your homework before making the jump. With each cloud vendor you use, you are trusting your data to an outside company.

Along with asking the right questions about pricing, service level agreements and tech support, it's important to ask about cloud security. Here are 10 questions to keep in mind when talking to your cloud security vendors.

1. What types of security features do — and don't — you provide? What third-party software or services do you use?

At minimum, the answer to this should include firewalls, DDoS protection, and authentication.

What else? It depends in part on what type of cloud service you are buying, e.g., platforms, virtual machines, OS instances or specific applications. For some, the provider should include anti-virus/anti-malware and other network/content filtering — but for other services, this will be up to you.

Since the cloud security provider is likely using virtualization and or containers, don't forget to ask about security at the hypervisor and OS level.

2. What “class" of data center do you have?

The levels describe the availability of data from the hardware at a location. The higher the tier, the greater the availability. Tier 4 is best, including “fault tolerant site infrastructure."

3. Tell me about your data center's security certifications and compliance.

These should include:

• Successful completion of a SOC 1 audit under SSAE-16 guidelines (showing that they've done their part in terms of shared-responsibility security).

• As relevant, certifications for FISMA (Federal Information Security Management Act), ISO 27001, FIPS 140-2 (Federal Information Processing Standard) and others.

• At a minimum, they need to be compliant with any relevant government and industry regulations regarding loss of unprotected data, such as HIPAA (Health Insurance Portability and Accountability Act), GLBA (Gramm-Leach Bliley Act), PCI DSS (Payment Card Industry Data Security Standard), FINRA (Financial Industry Regulatory Authority), and PIPEDA (Personal Information Protection and Electronic Documents Act).

Also look for auditing certifications, e.g., having been audited against AICPA/CICA standards. Don't just ask to see a list. Ask to see documents that substantiate their claims, such as a SOC2 (Service Organization Control) or SOC3 report.

4. What physical security measures are used to protect your data centers?

How are the physical premises protected against intruders? Against rogue employees? What about protection from fire, water, smoke, earthquake, floor, tornado and other weather/environmental factors? Does the provider have mirror or backup sites? Is copying continuous or periodic?

5. Where and how is data protected digitally?

Look for encryption in transit — not just between your company and the data center, but also intra-center, between servers — at rest, and on mobile devices.Also ask what types and levels of encryption are supported. Currently, look for 256-bit AES (Advanced Encryption Standard) SSL for data in transit, and 256-bit AES for data at rest.

6. Who — other than my company's authorized users — can access my company's data?

More to the point, how are data center IT staff and other employees, other customers, and cyber-intruders prevented from viewing, copying, changing or deleting your data? What encryption, keys, and other authentication are used? Where are keys kept?

For any multi-tenant services, ask:

• Is appropriate user authentication built in, to ensure each customer's data is separate and other customers can't see your data?

• Do they limit and monitor the use of system-wide administrator accounts, to prevent a flaw in one tenant's application from allowing an attacker to access your data?

7. What aspects of cloud security are the provider's responsibility? What are my company's? Which are shared?

Working with a cloud security vendor can offload many cloud security considerations that you would otherwise need to manage yourself, but it does not completely absolve you of responsibility.

Talking with your vendor about this can help ensure that you're not opening up vulnerabilities by assuming it's being handled elsewhere.

8. Can we talk to your security team directly?

The representative or the sales person you are working with may not always be thoroughly educated on the security elements of the business. If you aren't security-savvy enough to handle in this type of conversation, it's highly advisable to engage a security consultant to do this on your behalf.

It's important to know what support resources you will have at your disposal, and how easily they can be reached when needed. If you're moving business-critical elements of your technology into the cloud, it's crucial that you have 24/7 access to someone who can resolve any issues that may arise.

9. What are your protocols in the event of a security breach?

Ask what security breaches the service has experienced to date. What was the impact? What steps has the vendor taken to prevent recurrences? Make sure they provide a clear statement on how quickly you will be notified in the event of a cloud security breach and what their response includes. Also clarify what, if any, insurance or other financial compensation is offered if you suffer losses due to a cloud security breach.

10. Look for vendors with a good cloud security track record

Odds are that the cloud vendor you chose to work with has the appropriate cloud security — and provides more comprehensive security than what most businesses have on their own. But that doesn't guarantee that given vendor is doing enough to protect client data or has the expertise to address your specific needs. Past performance isn't always indicative of the future, but if a company has a well-earned reputation for providing secure service, they're more likely to continue doing so.