As we enter 2020, cybersecurity preparedness across organizations is getting more serious than it was in 2019. Organizations have already identified the key trends that could carry cyber-attacks and pose new threats, and this will shape their decisions to secure themselves more than ever before.
Every year, companies and governments around the world take part in cyber awareness conferences and meetups, coming together on a common platform to discuss strategies for securing their vital data and information and to review third-party security policies, including those of cloud providers.
Senior leadership and infosec professionals already have in mind how to protect the data they store in the cloud, as cloud usage increases day by day. They also understand that it is a daily practice, and the need of the hour, to embed the importance of cloud security deeply within their organizations.
Cloud service providers do not only provide services; they are also required to adhere to specified compliance regulations. It therefore becomes imperative to ask the right questions of the cloud service providers operating in the market about how they are going to secure our data in the cloud.
Questions companies should ask their cloud security provider
The first question focuses on the compliance level, making sure the cloud service provider follows all the compliance regulations required of it. A provider's cloud-delivered systems and services should comply both with regulatory standards (global, regional and industry-specific regulations) and with the obligations the provider specifies in its service-level agreements (SLAs).
The next question is whether the provider will sign the legal agreement, the service-level agreement (SLA), that is required for the security of data. Whether they will sign an agreement that secures customer data according to the applicable industry standards and frameworks is equally important. The legal agreements signed should correspond to the data protection regulations that apply, such as GDPR and HIPAA.
The cloud provider or supplier should be able to provide audit reports when asked, or readily provide compliance verification materials and reports when an audit comes around. Can the provider produce PCI, HIPAA, HITRUST, ISO 27001, ISO27017/18, ISO 9001, ISO 22301, SOC1, SOC 2 audit reports, certifications or attestations?
People are the weakest link in cyber security. Companies have every right to ask the cloud service provider what level of training it gives the people who handle their data. Background screening is an essential part of onboarding new hires. Does the provider train its staff in information security awareness, secure data handling practices, incident response, data privacy and secure software development practices? These are important questions in addition to infrastructure compliance.
If anything goes wrong with a company's data and applications, data backup and disaster recovery must be an integral part of the contract. Recovery offerings range from a full suite of disaster recovery capabilities to only data backup and recovery options for specific workloads and mission-critical applications. The question here is: how does the cloud service provider guarantee disaster recovery, or data backup and recovery solutions, as a standard component of its cloud services?
When determining disaster recovery options, companies should open a discussion to establish the provider's recovery-point objective (RPO) and recovery-time objective (RTO) capabilities, and the SLAs created should guarantee those RPOs and RTOs.
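A claimed RPO or RTO is only as good as the evidence behind it. The following added example (not from the original article or any provider) checks the two figures against constructed sample evidence a customer could request: backup completion timestamps and restore-drill durations. The timestamps, drill times and SLA values are all assumed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample evidence, as a provider might hand over during a review:
# when each backup of a workload completed, and how long each restore drill took.
BACKUP_COMPLETIONS = [
    "2020-01-01T00:05:00", "2020-01-01T04:10:00", "2020-01-01T08:02:00",
    "2020-01-01T12:07:00", "2020-01-01T18:30:00", "2020-01-02T00:04:00",
]
RESTORE_DRILL_MINUTES = [45, 38, 52]


def observed_rpo(completions):
    """Worst-case data-loss window: the largest gap between consecutive backups.

    Returns None when fewer than two backups exist, since no RPO can be shown.
    """
    times = sorted(datetime.fromisoformat(t) for t in completions)
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    return max(gaps) if gaps else None


def observed_rto(drill_minutes):
    """Worst restore time seen in drills; the SLA has to hold every time, not on average."""
    return timedelta(minutes=max(drill_minutes))


def check_sla(completions, drill_minutes, rpo_sla_minutes, rto_sla_minutes):
    """Compare observed RPO/RTO with the SLA promise; returns (rpo_met, rto_met)."""
    rpo = observed_rpo(completions)
    rto = observed_rto(drill_minutes)
    rpo_met = rpo is not None and rpo <= timedelta(minutes=rpo_sla_minutes)
    rto_met = rto <= timedelta(minutes=rto_sla_minutes)
    return rpo_met, rto_met


if __name__ == "__main__":
    # Assumed SLA: 4-hour RPO, 1-hour RTO. The sample backups have a 6h23m gap,
    # so the RPO promise is not supported by the evidence even though the RTO is.
    print(check_sla(BACKUP_COMPLETIONS, RESTORE_DRILL_MINUTES, 240, 60))
```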
At the same time, mission-critical applications must be secured at every step of the migration to the cloud. To reduce vulnerabilities and provide a highly trusted cloud platform, companies want to know whether their software has been tested against common coding vulnerabilities, such as the OWASP Top 10.
Securing the network is another security service companies should ask about when procuring cloud services. Most cloud service providers have ways to deliver the basic security an enterprise needs; however, responsibility for requirements often shifts, from the operating system and databases to the cloud provider.
Companies can therefore ask service providers whether they test for security vulnerabilities at the network, system, container and application layers using vulnerability scanning systems and qualified penetration testing teams.
For a cloud service provider, it is of the utmost importance to keep monitoring the security of its cloud network 24x7x365. This includes gathering, analysing and monitoring security logs and events. The cloud provider should also have a clear process and SLA for notifying companies when a significant event occurs, ensuring that threats to systems and data do not become incidents.
Lastly, it is important to ask cloud service providers about their encryption policy and whether they offer IDS, AV or other services. Any data left behind should also be deleted once the SLA ends. Organizations feel comfortable when they work with a cloud service provider they trust and who can assure them of complete security for their service. From a cyber security point of view, companies carry a huge responsibility, as they handle large volumes of sensitive data, and so does selecting a cloud service provider who understands the business thoroughly.
(Image Courtesy: www.xcellhost.cloud)