Moving to a cloud-based solution means giving up control over your environment in order to achieve flexibility and scalability. In today’s world where cyber threats run rampant, letting go of this control can be a difficult choice. After all, your business stability and growth depend upon the data that you’re handing over, so there should be some worry over how that data will be handled by the service provider.
12 Security Questions To Ask Cloud-Based Service Providers
If you’re considering a cloud-based option for your business, take time to ask your provider the following questions:
- Have you undergone any prior security breaches? What happened and what has been done to address the potential for the incident to recur? How is your security incident management organized?
- What industry-standard certifications do you hold? How and when are you audited for compliance?
- How is data in transit encrypted? How is stored data encrypted? Who holds the encryption keys?
- What backup procedures are in place? Are backups encrypted?
- Where is the data center located? What procedures are in place for the physical security of the data center? Access control? Fire protection? Protection against power failure?
- What authentication requirements have been put in place?
- Are logs kept? Who has access to these?
- What patch management processes do you have in place?
- How is data segmentation ensured?
- What are your monitoring procedures? What’s the process for mitigation and notifications if attacks are identified?
- Are any components of the service provided by a third party? If so, which ones, and what data protection efforts do they have in place?
- What happens to our data upon termination of the contract?
Create a Culture of Questioning
There is no single right answer to all of the questions above. For instance, as a cloud-based help desk solution, we know that our customers require the highest level of security possible. They use our system to track and record all aspects of their end-user relationships, from contract information to service catalog, so we have stringent practices in place. In contrast, we use a third-party service for storing photos of our employees for use in marketing collateral. While we certainly don’t want anything to happen to that data either, the risk to our business if this were to be hacked is far less. So for you, the goal is to understand the level of security that you need in each situation and compare that to the answers above so that you can clearly evaluate if the vendor’s security practices offer you the level of protection that you require.
Additionally, it is important to discuss these ideas with other business units so that they learn about how important it is to be cautious – and what is meant by being cautious – when working with cloud-based service providers. After all, it’s very easy to click a few buttons and sign up for a new service, but do your HR, marketing or sales teams really understand the risk that they could be inviting into the company when they do so? Take time to review this list with them, and put a process in place to ensure that the IT team is routinely part of the decision-making process when signing up for new cloud-based services.
There are, of course, potential benefits when using cloud-based solutions too. Things like 24-hour monitoring or round-the-clock physical security guards for your data center may well be cost-prohibitive for your business. So, cloud-based solutions can certainly have security advantages too: it’s just a matter of finding out what the vendor offers before committing to a new service provider, so use these questions to help guide you during the decision-making process.