5 Security Questions To Ask A Cloud Service Provider


Do you keep a signed audit trail of which users performed what actions when, both through their UI and API?

• It's important to help protect against both mistaken and malicious actions -- when users know there is an audit trail, they will act with greater potential to detail, and also be dissuaded from using the platform as a vehicle for an attack. Having an audit trail is also helpful for troubleshooting purposes and root cause analysis.

Bernard Sanders, CTO, CloudBolt Software


What is my role and your role in the protection of my data?

• Understanding that enterprises have to play a critical role in protecting their own data and how that data is accessed, even if leveraging a cloud provider, is critical for risk management. Most cloud providers will require a shared responsibility for security and enterprises cannot assume the provider is liable for data breaches.

Rehan Jalil, CEO, Elastica


Do you encrypt all data transmissions, including all server-to-server data transmissions, within data centers?

• Security is only as strong as the weakest link. While it is very common to encrypt the traffic between the customer and the service provider in order to ensure integrity and confidentiality, it is less common for service providers to encrypt intra-server communications within the company's own perimeter. Too often attackers are able to exploit this type of weakness once a single breach in the perimeter has occurred.

Paul Hill, senior consultant, System Experts


What access do you provide to logs?

• As simple as it sounds, access to logs should be one of the top concerns when evaluating providers. End users are not going to get the rich log information set that they would get from the server in their data center as they will get from a cloud provider and the organization must carefully consider what information they will and will not obtain from the provider. While some information may not be relevant to the organization, it is possible that other critical pieces might not be revealed and if necessary the organization should try to negotiate relevant log access early on.

Rob Ayoub, research director, NSS Labs


Where do the servers, processes, and data physically reside?

• Although cloud computing is often promoted as a borderless construct, cloud providers must house all of your organization’s processes and data in real countries, which have varying legal requirements for data privacy and security. Be aware of the requirements of both your home country and the country where your assets will be hosted.

Stephen Ellis, manager, iSIGHT Partners


Source: http://www.darkreading.com/informationweek-home/10-security-questions-to-ask-a-cloud-service-provider