Tuesday 20 October 2015

Cloud Provider Security Assessment

Not strictly a Linux post - it's relevant for any kind of hosting. It's also relevant if you store data anywhere but on your local network.

These days there are many providers of cloud data or application servers. If you are concerned about the security of your data, here are a number of questions you should be asking the provider:


  1. Can you provide an appropriate third-party security assessment?
  2. What certifications for data protection have you attained?
  3. Does this comply with an appropriate industry code of practice or other quality standard?
  4. How quickly will you react if a security vulnerability is identified in your product or infrastructure?
  5. How frequently are Operating System security updates installed?
  6. What are the timescales for creating and deleting user accounts?
  7. What is your data encryption policy and how specifically do you encrypt data?
  8. How do you manage encryption keys?
  9. Is any of our data shared with third parties?
  10. Should it be required, can you provide us with a copy of our data in a usable format?
  11. What internal controls do you have in place to prevent unauthorized viewing, copying, or emailing of our customer information?
  12. What audit trails are in place so you can monitor who is accessing which data?
  13. What is your backup and disaster recovery strategy? How often are incremental backups made? How many copies of our data are stored, and where are they stored? How far back do the copies go? How often, and how, do you test your backup and recovery infrastructure?
  14. How quickly can our data be restored from a backup in the event of major data loss?
  15. How much control do we retain over our data?
  16. How do you ensure client (endpoint) security?
  17. How is our data isolated and safeguarded from that of other clients?
  18. Where is our data located?
  19. What will happen to our applications and data if you go out of business? How can you ensure they won't become property of creditors?
  20. What is the remediation process if you cannot live up to your security obligations? Token compensation may not be enough, as a serious breach can damage some organizations severely or even put them out of business.
  21. Do you offer periodic reports confirming compliance with security requirements and SLAs? Will you provide reports of attempted or successful breaches of your systems, their impacts, and the actions taken?
  22. Do you have an incident response plan?
  23. What visibility will you offer us into security processes and events affecting our data?
