Four security questions to ask when moving to the cloud

Security is a reasonable concern when considering moving your IT services to the cloud, but four key questions can help you assess the risk, says Chris Pace.

Security concerns continue to be the biggest barrier to the adoption of cloud services. Despite widespread uptake of cloud services, the perception that they carry risk remains high among security professionals. One of the most significant barriers to cloud implementation is the increased compliance and regulatory challenges that organisations face when choosing to move to cloud services or hosted solutions.

Fear of the cloud is quite reasonable. The repercussions can bite, and so companies need to be assured that the cloud is the right step for their business. In the relationship between a firm and its cloud provider, trust is key. But trust shouldn't mean blind faith. A cloud provider needs to be able to demonstrate that it understands security and builds it into the solution from the get-go, because scalability, flexibility, cost-effectiveness and all the other benefits won't matter if your data is compromised. Here are four questions to start out asking a potential cloud provider.

Do you understand our compliance requirements?

In truth, the basis of most compliance regulations really is common-sense security practice. Many businesses are less keen to move data and systems that fall under compliance requirements into the cloud, as there is a widely held notion that on premise is more secure and that migration of these systems is inherently more complex. Providers need to work to demonstrate expertise not just in providing the architecture that's required for the migration but also in understanding data protection and threat intrusion technologies. A cloud service provider that's invested time in maintaining systems or deploying the latest technologies may well be able to demonstrate that the data is at greater risk on premise than being managed by a dedicated and security-aware cloud provider.

Who could be accessing our data?

If you plan to work with a cloud provider to supply infrastructure, you need to recognise that there is the potential for more individuals to be accessing your systems and data. If you're investing in a completely managed service, make sure there's a way for you to see who's accessing your service and what actions they're taking. If you're using the cloud for IaaS or PaaS, then strongly consider investing in a way to control access for administration, not just for your cloud provider, but also for your own teams. You should ask your cloud provider what steps they take to ensure access management is effective not only for their admins but yours, too.

Can we audit you?

Seeing is believing. Your prospective cloud provider might talk a good game but they should also be completely prepared to demonstrate to you that they can live up to the promises they make. Allowing you to audit them is also a clear demonstration that they'll take the security of your data as seriously as you do. Focus on getting reassurances around procedures and policies being correctly documented and implemented, especially in key areas like change management, event management and proposed service level agreements.

Can we monitor your work?

The ability to record and audit activity on cloud systems is important for two reasons: first, to ensure compliance and give you an audit trail in the event of a breach; second, to give you the kind of visibility you need to see how effective your cloud provider is. Identifying activity taken on a server before a problem arises, ensuring that service providers meet agreed SLAs and defined patching regimes, or confirming that work you expect to be undertaken has been successfully completed will undoubtedly give you peace of mind, especially if you can watch these activities in real time and even take action if you need to.

Not all cloud service providers are created equal. Some cloud service providers started out focusing primarily on scalability, ease of use and accessibility and then bolted on security after the fact. Others started out with security built-in and pursued rigorous certifications and accreditations to prove it. Undertake due diligence and select a cloud service provider who is able to demonstrate to you that their cloud services are designed and managed in alignment with security best practices and industry standards.

Contributed by Chris Pace, head of product marketing, Wallix. Also see Wallix's white paper on cloud security.