Here is what you need to check when assessing the security measures of your Cloud service provider.
1. Access Privileges: Cloud Service Providers should be able to demonstrate that they enforce adequate hiring, oversight and access controls to govern administrative delegation.
2. Regulatory Compliance: Enterprises remain accountable for their own data even when it is in a public Cloud, and should ensure their providers are ready and willing to undergo audits. Beyond that, you should have a detailed inventory of hardware specifications, including manufacturers, for all Cloud product offerings: disk drives, database hardware, security devices, load balancers and any other hardware.
3. Data Provenance: When selecting a provider, ask where their data centres are located and whether they can commit to specific privacy requirements. It is also important to make sure that the provider guarantees complete data segregation and has the ability to perform a complete restoration in the event of a technical failure.
4. Monitoring and Reporting: Monitoring and logging public Cloud activity simultaneously is a difficult task, so enterprises should ask for proof that their hosting providers can support investigations.
5. Business Continuity: Businesses come and go, and enterprises should ask hard questions about the portability of their data to avoid lock-in or potential loss if the provider's business fails. Have formal Risk Analysis and Disaster Recovery plans ready and review them annually. Make sure you actually test the Disaster Recovery plan, not just document it.
6. Mobile device access: Ask what mobile device access capabilities exist and what security controls protect data on customer mobile devices linked to the service when those devices are lost or stolen.
7. Encryption protocols: Data in transit and file uploads or transfers must be secured with encryption protocols. Those protocols utilized should be explained by the vendor.
8. Impenetrable Encryption: For data in transit SSL should deliver at minimum 128-bit encryption and optimally 256-bit encryption based on the new 2048-bit global root, and it should require a rigorous authentication process. The SSL issuing authority should maintain military-grade data centres and disaster recovery sites optimized for data protection and availability.
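One way to turn this item into a repeatable check is to record what a provider endpoint actually negotiates (protocol version, cipher suite, symmetric key strength, certificate issuer) and score it against the thresholds stated above. The script below is an added example written for this page, not code from the original post or from any provider; it uses only the Python standard library. Two assumptions go beyond the item's wording: legacy protocol versions (SSLv2, SSLv3, TLS 1.0, TLS 1.1) are treated as failing, and the public-key size is left unknown in the live probe because the standard `ssl` module does not expose it. The sample observations at the bottom are constructed, not real measurements.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Thresholds taken from the checklist item: 128-bit minimum, 256-bit preferred,
# 2048-bit certificate keys.
MIN_CIPHER_BITS = 128
PREFERRED_CIPHER_BITS = 256
MIN_RSA_KEY_BITS = 2048
# Assumption (not stated in the checklist): these protocol versions fail outright.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


@dataclass
class TlsObservation:
    """What one handshake told us; key_bits is None when it could not be observed."""
    protocol: str
    cipher: str
    cipher_bits: int
    key_bits: Optional[int] = None
    issuer: str = ""


def evaluate(obs: TlsObservation) -> List[Tuple[str, str]]:
    """Score an observation; returns (severity, message) pairs, empty when it passes."""
    findings: List[Tuple[str, str]] = []
    if obs.protocol in LEGACY_PROTOCOLS:
        findings.append(("fail", f"legacy protocol negotiated: {obs.protocol}"))
    if obs.cipher_bits < MIN_CIPHER_BITS:
        findings.append(("fail", f"{obs.cipher} offers only {obs.cipher_bits}-bit encryption"))
    elif obs.cipher_bits < PREFERRED_CIPHER_BITS:
        findings.append(("advisory", f"{obs.cipher} is {obs.cipher_bits}-bit; "
                                     f"{PREFERRED_CIPHER_BITS}-bit preferred"))
    if obs.key_bits is not None and obs.key_bits < MIN_RSA_KEY_BITS:
        findings.append(("fail", f"certificate key is {obs.key_bits} bits, "
                                 f"below {MIN_RSA_KEY_BITS}"))
    return findings


def probe(host: str, port: int = 443, timeout: float = 5.0) -> TlsObservation:
    """Live handshake with certificate verification against the system trust store."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()          # (suite name, protocol, secret bits)
            cert = tls.getpeercert()                   # parsed dict of the verified leaf cert
            issuer = dict(pair[0] for pair in cert.get("issuer", ())).get("organizationName", "")
            # The stdlib does not expose the peer's public-key size; confirm it separately,
            # e.g. with `openssl x509 -noout -text` on the saved certificate.
            return TlsObservation(tls.version(), name, bits, None, issuer)


# Constructed sample handshakes (not real measurements) to exercise evaluate().
SAMPLE_GOOD = TlsObservation("TLSv1.3", "TLS_AES_256_GCM_SHA384", 256, 2048, "Example CA")
SAMPLE_ADVISORY = TlsObservation("TLSv1.2", "AES128-GCM-SHA256", 128, 2048, "Example CA")
SAMPLE_BAD = TlsObservation("SSLv3", "DES-CBC-SHA", 56, 1024, "Example CA")


if __name__ == "__main__":
    import sys
    # With a hostname argument the script probes that endpoint; otherwise it
    # scores the constructed samples so the logic can be inspected offline.
    observations = [probe(sys.argv[1])] if len(sys.argv) > 1 else [SAMPLE_GOOD, SAMPLE_ADVISORY, SAMPLE_BAD]
    for obs in observations:
        print(f"{obs.protocol} {obs.cipher} (issuer: {obs.issuer or 'unknown'})")
        for severity, message in evaluate(obs) or [("pass", "meets the checklist thresholds")]:
            print(f"  {severity}: {message}")
```

Run it against the samples to see the scoring, or pass a provider hostname to record a live observation; keep the output with the rest of the vendor assessment so the answer to this item is evidence rather than a vendor statement.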
9. For data in storage, check what encryption technology is used to protect stored data.
10. For data in storage, analyse how the encryption keys for stored data are managed.
11. Particularly for data backup and recovery, ask what technology is used to encrypt data backups and how those keys are managed.
12. If databases are used, ask at which level encryption is applied.
13. Ask for a description of the physical security measures in place within the provider's data centres, covering physical data centre access as well as server room and physical host access.
14. Ask how the logical and physical data centre services are secured from other users and from external threats.
15. Ask what level of support the vendor provides for Single Sign-On (SSO) or authentication using the Lehigh identity management infrastructure.
16. Ask for a detailed description of those authentication methods.
17. Ask whether two-factor authentication is supported.
Cloud services offer significant economic benefits, but they also pose risks to safeguarding information and assets. Make sure you have a thorough checklist before you outsource your business to a Cloud Service Provider.