For years, the cloud hosting industry has been fighting the concept that hosting in the cloud is less secure than keeping data in your own data center (“data center” could mean anything from a few dusty computers in a closet to a state-of-the-art conditioned facility).
Now that Cloud Service Providers have convinced the market that the cloud is secure enough for critical workloads, they are having to revisit the conversation. Customers now expect that their security and compliance obligations are taken care of simply by moving their data to a hosted solution.
But this is not the case.
So, what can you do to ensure your data is secure? Below are 5 security questions you should be asking your host to stay secure.
The 5 Security Questions You Need to Ask
1. Has Your Organization Ever Been Breached?
If you are lucky, the answer will be no, but unfortunately, it is more likely to be yes. A breach is not necessarily an indictment of an organization; it is simply a fact of operating in today's environment. For legal reasons, there may be a limited amount of information the provider can share. A quick Google search may also turn up details of any incident large enough to require public disclosure.
The key takeaway? If they have been breached, you want to understand the scope of the incident, how they handled it, and what measures were put in place to prevent it from happening again.
2. What Compliance Requirements Do You Cover From a Hosting Perspective?
When going through an audit, you will need to provide evidence that your hosting environment is as compliant as your corporate environment. Your provider should be able to supply that evidence to you.
The requirements you care about will depend on your industry. They might include SOC 1/2/3 certification, a PCI Attestation of Compliance, independent HIPAA audits, or Privacy Shield certification and Data Processor Agreements for GDPR.
Remember, compliant does not necessarily mean secure, but it does indicate strong process and procedure. A provider that lacks this solid foundation may well have questionable security standards.
3. Do You Perform Regular (or Allow Customers to Perform) 3rd Party Penetration or Vulnerability Scanning?
Most providers will do some level of testing as part of their compliance requirements and internal security standards. They should be able to share some information here, though it will likely require a non-disclosure agreement before any assessment results are released.
Allowing a customer to perform scans like this can put the provider's other tenants at risk of degraded performance, and the traffic can look like malicious activity. If you want an independent assessment done, be prepared to sign fairly strict agreements on the scope of what may be tested.
4. What Security and Compliance Options Do You Have Available to Protect My Data? What Level of Support Do You Offer for These Options?
This is where the shared responsibility model comes in. The previous security questions focus on protection of the underlying hosting infrastructure, which ensures that customers as a whole are protected.
When it comes to protecting an individual customer, the provider will have additional products and services that can be contracted to meet your needs. These offerings are designed, implemented and maintained around each customer's specific environmental requirements.
Providers will have varying levels of service for these products, ranging from fully managed offerings to simple referrals where the customer (or a 3rd party) is responsible for running the platform. Understanding how much of this work your provider can handle for you is an important factor when evaluating them.
5. Who Has Access to My Data? Is My Data Accessible by 3rd Parties?
Be sure you are comfortable with who has access to your data!
Many hosting providers enforce some form of separation of duties so that no single employee has complete access to your hosted environment. For example, the networking team that supports the firewalls does not have access to customer servers; only the front-line Linux support team does.
You might also consider asking what level of training is required for those employees who have access.
Common examples of 3rd party access are off-site backups or a security service whose operations center analyzes data for malicious activity. Generally, any partnership of this nature will include some type of data privacy agreement between the providers, so you are protected, at least from a legal standpoint.
Communicating exactly which data you are concerned about will help the provider give you more pertinent answers. Much of the 3rd party access may not even apply to your specific hosted environment.
The concept to focus on when asking these security questions is "responsibility." Think of it in terms of the RACI model used when managing a project. Just because the "R" (Responsible) is associated with your name doesn't necessarily mean you have to do all the work yourself. It means that you are responsible for making sure the work gets done.
The same is true for the security and compliance responsibilities when moving to a hosted cloud environment. Your provider will have a set of items they are responsible for, and you as the customer will have items that you are responsible for.
Be sure you know exactly what each party is responsible for, and you'll have a good base from which to be successful. To use an old cliché, knowing is half the battle.