I was recently interviewed by Christine Parizo, SearchCompliance (a TechTarget publication) for an article on how to maintain security and compliance during public and private cloud deployment. The article covers cloud data monitoring strategies as well as cloud data regulatory management best practices. I found the questions Christine recommends asking cloud providers when evaluating their services to be right on target:
- Does it have the ability to encrypt data at rest and in transit?
- Does it have the ability to pull audit information via logs?
- Does it include role-based access control?
- Does it have the ability to map roles according to enterprise hierarchy, or a facsimile of the enterprise organizational structure?
- Can it authenticate against a central system-of-record based on user roles and assignments?
- Can it integrate with existing command-and-control systems?
- Can it back up data off the cloud?
- Does it have built-in disaster recovery capabilities?
If you are looking to move significant pieces of your operations into the cloud, I recommend that you check out Christine’s article.
Based in the Philadelphia area, Jeff VanSickel is a seasoned Information Security Professional with over 20 years’ experience in the areas of Information Security, Information Technology, Audit Compliance, Risk and Project Management. As a Payment Card Industry (PCI) Qualified Security Assessor (QSA) and a certified CISSP and CISM, Jeff is highly knowledgeable about US Federal and State Law (including SOX, HIPAA, GLBA and Breach Law), US Regulations, ISO-27001/2, NIST, and PCI-DSS.