There's a growing consensus that despite all the concerns about security of public cloud services, data and applications are actually safer in the cloud. That's because cloud vendors make it their business to adhere to best practices and certifications when it comes to security. Enterprise IT departments may have trouble keeping up with everything they need to do to ensure security.
However, that doesn’t excuse enterprise IT and business managers from being vigilant about cloud security. When something goes wrong, it's ultimately the fault of the cloud customer, no ifs, ands or buts. The onus is on the customer to uncover laxity or carelessness on the part of the cloud vendor. Just as a CEO is ultimately responsible for the behavior and competencies of his or her management team, the cloud consumer needs to be vigilant about the cloud services his or her companies consumes, and be willing to fire a service that doesn’t meet expectations.
This vigilance starts with asking the right questions on the outset of a cloud engagement.
“Cloud consuming organizations often don’t ask enough questions about what is contained in their service-level agreements, and about the process for updating security software and patching both network and API vulnerabilities,” she writes.
Here are some of the key questions that need to be asked before signing a cloud contract:
- What information does the cloud hosting partner/provider make publicly available about their security processes and services?
- What assurances can the cloud hosting partner/provider around secure data handling, storage and transmission processes?
- How often do they perform audits and what types of audits do they perform?
- What kind of physical security does my cloud-hosting partner maintain?
- Do they have customer references that you can speak with?
Along with de Souza's suggestions, I would suggest that you ask about two additional elements: the health of the vendor's business and the ultimate ownership of data; and the terms for returning data upon termination of the contract or if the provider goes out of business. Just as important as guarding against hacks is assuring that the viability of the vendor's business.
Joe McKendrick is an author, consultant, blogger and frequent INN contributor specializing in information technology.
Readers are encouraged to respond to Joe using the “Add Your Comments” box below. He can also be reached at joe@mckendrickresearch.com.
This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.
The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.
