Are you coming from a line of business, have seen the benefits that cloud services can bring to your organization, and want to leverage them?
Do you lack the technical background your IT colleagues have, yet are concerned that your critical data is stored in, and accessible via, the cloud?
Here is a list of questions you should ask a cloud service provider when considering cloud solutions. If a provider can address them, it is the one to choose... and its answers should hold up in front of your IT department.
The questions are structured according to the top security concerns in the cloud, as identified by various assessments of companies looking into cloud computing as a viable option to accelerate their business.
SaaS architectures involve Web-based applications and communication that occurs via the internet. The questions that should be asked here are:
- How are authorizations for data access handled?
- How is the communication between us and the vendor secured? What kinds of encryption protocols are used? SSL or TLS?
- Are the communication channels encrypted using a Wide Area Network (WAN) or Virtual Private Network (VPN)?
- How is it ensured that only authorized users can access my critical data?
- How is the protection of passwords managed?
- Does access to information rely on a centralized administrator account?
Putting your critical data into the hands of your cloud service provider requires trust. Thus it’s important to know where it is stored and how it is protected. For peace of mind, the following questions should be asked:
- In which country/countries are you running your data centers?
- Can I choose in which country my data is stored?
- Do government regulations, such as export control rules, prohibit specific company data from being stored outside the country?
- How is the physical entrance to the data center managed?
- What happens when a natural disaster occurs?
- What disaster protection measures are in place?
- Does any data center have the same technical standards no matter in which location it is?
- Do you comply with location specific requirements?
In a SaaS model, your data is stored in the data center of the vendor together with data from other companies. Thus, the following questions should be answered and compliance regulations should be addressed:
- Is there a risk of losing data?
- What procedures guarantee availability?
- Where are backups stored?
- Can you ensure that heterogeneous data is separated for each customer?
- Can you read my data?
- Do all of your data centers have the same technical standards, no matter in which location they are?
- Do data protection laws allow employee data to be stored in the cloud?
- Is web access offered with one set of database tables shared by many customers, or do I have my own to segregate my data?
- Is database and file system encryption supported?
- Is every layer my data moves through secured, not only the top tiers (application, web)?
Your provider must ensure that the general capabilities of secure and stable IT operations comply with industry standards and technology best practices. To verify this, your vendor should be able to answer the following questions:
- Which requirements are met by the information security management system?
- Are system operations secured by international- and country-specific certifications such as ISO27001, ISAE3402 or SSAE16?
- How is the network isolated?
- Beyond the cloud server environment, is the administrator client infrastructure also secure?
- Do you comply with standards that confirm the reliability of your internal processes?
- Are you conforming to auditing standards and can you provide a Service Organization Control Report?
Data Transmission & Flow Control
SaaS uses the public internet to transmit data, and therefore transmission security is required. Here are the questions to be answered:
- Is transmission security designed into the system?
- Which connections between the customer and vendor are used by the provided solutions?
- What functions do the solutions use to prevent eavesdropping or tampering?
- How is the web communication secured?
- Are outgoing messages from the solution encrypted and how?
- Is physical data transfer possible and how is it secured?
- What security policies are in place? Are they up to date?
- Do your employees have to read, understand and sign security acknowledgements?
- Do your employees get security training?
- Do they have to pass tests?
- Do you meet the latest compliance standards?
But security is not only about certification and data centers. A vendor’s concept needs to go far beyond that. It needs to address the operation of data, the storage of data and, for example, the portability of my data, because I might want it on-premise today and in the cloud tomorrow.
Last but not least one major aspect should be highlighted when it comes to security - the culture. But more on this later.
Employees of a cloud vendor should have this security thinking implanted in their DNA. Be careful with your passwords. Lock your devices whenever you’re not working with them. Take security seriously at an early stage of developing new software. Employees of SAP are experts in that topic. Every employee gets a wide range of security training and has to pass tests on a regular basis.
Any remarks? If yes, please let me know. Follow me on twitter to stay informed about the hot topics around the cloud. Sven Denecken (@SDenecken)