Ericka Chickowski of Dark Reading recently asked security experts to contribute key questions to ask a cloud security provider. While I’m pleased that two of my questions were included in the article, I have three additional questions you should ask to help you assess the risks of cloud services.
1) What security compliance programs and audits do you perform on at least an annual basis?
Established compliance programs such as ISO/IEC 27001 (with the control guidance in ISO/IEC 27002), CSA’s Cloud Controls Matrix (CCM), and PCI DSS examine a broad set of controls and are designed to ensure that a company follows recognized security practices across the whole organization, not just in one product. Ask to see the actual certificate or audit report and check its scope: a certification may cover only some of the provider’s services, regions, or data centers, and an audit more than a year old says little about the provider’s current state.
2) Do you support two-factor or multi-factor authentication by customers?
There have been many articles published about the death of the password, yet it remains the most prevalent form of authentication. Many breaches would be prevented if two-factor or multi-factor authentication were used instead of relying solely on a username and password, since a stolen or guessed password alone is then not enough to log in. In recent years an increasing number of consumer-oriented services have started offering additional authentication methods, including sending a one-time password to a cell phone associated with the customer’s account. When asking this question, also ask which second factors are offered: a code sent by SMS is better than nothing, but an authenticator app or hardware token is stronger because it cannot be intercepted by redirecting the customer’s phone number, and ask whether the provider’s own administrators are required to use it too.
3) Is all customer data encrypted while stored on disk?
Proper encryption of stored data, in addition to encryption of data in transit, limits what an attacker gains from stolen disks, backups, or decommissioned hardware. It does not by itself stop an attacker who compromises a system that holds the decryption keys, so the follow-up questions are who holds the keys, where they are stored, and how they are rotated. The cost of achieving full encryption of stored data has dropped significantly in recent years: hardware security modules (HSMs) are widely available at affordable prices, and a wide variety of products now integrate easily with third-party HSMs, making this a practical solution for the security conscious.