When you move to the cloud, you transfer the responsibility of data security to a third party. But do you have to make a leap of faith in choosing a provider? If you know what questions to ask, you can decide with confidence.
Use this resource to discover the questions that will uncover the reality of cloud providers' security offerings.
Note: this tool is intended to stimulate focused conversations about the security scenarios of cloud computing providers. For a complete assessment of your needs, please contact your Bell representative for the latest information on our offerings and sample implementation scenarios. You can also request that a Bell representative contact you.
Section A: Service offering
What level and kinds of services does your cloud computing provider offer? First, you need to know that you can trust them, and second, that they can provide the kind of assistance that you need.
1. What kind of documentation will give you confidence in a provider's security abilities?
- SAS 70 certification
- PCI certification
- Other certifications important to my business, such as PIPEDA in Canada or HIPAA in the U.S.
- A broad review by a trusted third party such as an accounting firm, management consulting firm or similar
While SAS 70, PCI and other certifications are important, their scopes are narrow. Strong results from a broader third-party review will give a more complete picture of a potential provider's operations.
2. Will your provider help you with integration activities at the edge?
- No, it's our responsibility
- We have to do it, so we will use a third party
- Not sure
- Yes, they have specific services designed around edge services
3. Will your cloud provider customize their service offering to suit your security parameters?
- No
- Not sure
- Yes
Unlike most provider relationships, with cloud you should look for a formalized process that accommodates all of your security parameters. Cloud computing offerings are finely tuned machines, and any ad hoc customization of security processes introduces risk.
Section B: Compliance and meeting corporate policy
Because you're putting the security of your data in their hands, it's important to know that your cloud provider can meet your security and compliance standards. But what happens in the event of an incident? Consider the following:
1. With cloud computing, remote workers bypass your private, auditable network routers and connect directly to your cloud provider. How are you going to police user behaviour in order to maintain compliance with PIPEDA and other privacy laws?
- Don't know
- If there is a breach, we will take action
- Our provider can supply us with real-time or frequent log reports
- Our provider has the ability to police traffic and submit reports concerning security policy breaches and irregularities
2. Does your cloud provider review their internal processes regularly to ensure that they meet security policy mandates?
- Yes
- No
- Don't know
3. How will you make sure that your cloud provider meets your corporate policy objectives, from security parameters and tolerances to compliance with all regulation?
- Don't know
- Not sure if our provider has the capability of doing this
- We've looked at their policies and operating procedures and feel that we will be adequately covered
- We will regularly review and evaluate their actions
- Their service level objectives (SLOs) dovetail with our policy
- Our service level agreement (SLA) stipulates specific behaviour and requires our provider to report to us regularly on all parameters that we specify
4. If your cloud computing environment is audited and found to be in breach of regulation, who is responsible for any damages, fines, etc.?
- Not sure
- We are
- We are, but our provider will be expected to quickly return us to a state of compliance, at no cost to us
- Our provider should be responsible for any damages, as our SLA specifies that they remain in compliance with applicable regulations at all times
To avoid potentially expensive misunderstandings down the road, be certain that your SLA takes all such compliance scenarios into account and includes contingencies.
5. How would you conduct a forensic investigation in the event of a security incident?
- We would ask our cloud provider for the raw data logs
- We would ask our cloud provider to do a manual analysis or use a separate software tool for analysis
- Our cloud provider would summarize their findings for us
- Our cloud provider would make available a correlation engine solution that aggregates the raw data into useful information
- Not sure
Section C: Security parameters
How well can your cloud computing provider react to a security event? How secure is their network? Just how capable are they at dealing with Internet-borne threats? Consider the following:
1. Moving day-to-day security management to the cloud may delay action because there is a reliance on a third party to execute. What sort of turnaround times can your provider guarantee when they must perform the action?
- A matter of days
- A matter of hours
- A matter of minutes
2. If your cloud provider makes use of a content delivery network (CDN), how can they guarantee that the security of your data is maintained at all points along the network?
- Not sure
- The network is domestic only, ensuring that all data resides in Canada
- The network is an international solution, and maintains a high standard of security across different environments and geographical locations
- All CDN storage points conform to the same high physical and digital security standards
3. How does your cloud provider deal with distributed denial-of-service (DDoS) attacks and other threats?
- Don't know
- They detect DDoS attacks directly, by implementing dedicated devices at one or more data centres
- They detect DDoS attacks directly, through a distributed network that handles a large portion of Canadian Internet traffic
- They subscribe to a trusted third-party detection system
Further reading
If you found this resource useful, you might also be interested in the following:
- Expert Q&A with Strahan McCarten on how changes in cloud computing can help your business
- Network evolution assessment: Increasing returns
- Navigating the cloud: 15 tips for a successful implementation
- Demystifying cloud computing and virtualization
Talk to Bell
Since moving to the cloud entails a shared responsibility for data security and compliance, your choice of cloud computing provider is crucial. Not all providers can guarantee the security of your data, nor do all have reliable contingency plans, should an incident occur. To learn more, contact your Bell representative, or request that a Bell representative contact you.