Cloud computing has been fashionable for 10-15 years but has been around for longer. You could argue that AOL Mail, Yahoo Mail, and others are/were cloud and came before cloud was popularised 20+ years back. Like it or not, it will be the future. One day, computers will barely store anything, and you will connect to a remote-hosted desktop that is no longer in your home but in a data centre somewhere. This, of course, will reduce costs, make backup easier, and mean more flexibility, but it opens a whole can of worms around security, continuity and privacy. What happens if your internet connection goes down? Before picking a cloud service, you really need to investigate and ask a bunch of questions like these:

Whose responsibility is it?
Some cloud providers pass the responsibility of security/maintenance over to you. This is often the case with cloud hosting, servers, or software as a service. If it's your responsibility, you need to know what you are doing. IaaS/PaaS/SaaS have responsibility matrixes published per provider – AWS, GCP, Azure, etc.

Is there in-flight encryption?
No, we are not talking about in-flight entertainment. With internal services, using plain HTTP (80/tcp) is not really acceptable, but it is less risky than transmitting credentials and data over a public network. Data and passwords move across various networks in milliseconds, and you need to know that they cannot be intercepted. Even the most basic website or cloud server should be operating TLS encryption.

Is data encrypted at rest?
Once the data has hit the server and been decrypted by TLS or a VPN, it's good to know it is stored in an encrypted form. This provides extra security from physical and virtual threats. One thing to remember is how the keys are stored. Are they on the same server, a separate server, in a CASB (Cloud Access Security Broker) or stored on your desktop/laptop?

May I handle the passwords or keys?
For better, more trusted security, you can set a client programme to encrypt data on the client side, meaning data on the server cannot be opened by the provider. For larger-scale products/services, use an integrated cloud HSM (hardware security module) or external CASB. Some backup providers for consumers and businesses can offer client-side encryption, which means the backup provider, in theory, holds data they cannot view.

Where is my data?
The problem with large providers for emails and SaaS is the question of where data and data backups are stored. Yahoo, Dropbox, AWS, Hotmail and Google have so many data centres that it can be difficult to figure out where data is. If you are paying, check the settings to find out. If you’re located in the UK, it's better to have it based in the UK or EU. Regulatory rules may also state this, like FCA/PRA or SOX/GLBA from across the pond.

How is it backed up?
What happens if the data centre blows up? Are there tapes/SANs/NASs onsite or offsite? If a truck bomb takes out the data centre, then the backup or replicated servers may go down with the primary. Ideally, have the backup in another part of the city, country or abroad, e.g. Dublin, Ireland or London, England. Also, check which country the backup is in.

Is it replicated?
RAID (redundant array of independent disks) is obvious, and hopefully, everyone is using it for the server or NAS. Replication means that if you have a web server, database or mail server in Slough, England, every few minutes, the data & settings are copied over to Heathrow, England so that if one site goes down, you can switch over fast.

Is layer 7 firewalling available?
With on-premise services, they may not have a public IP or be controlled by a hardware firewall. With the cloud, there is a high chance it has a public IP address or URL. Ask the provider about layer 7 firewalling so only you can access URLs or servers from your IP range. For the admin login, do not set it as a known user, and use two-factor authentication of course.
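The kind of decision a layer 7 rule makes, as an added example that is not from the original article or any provider's product: a request for a protected URL is allowed only when its source address falls inside an approved range. The policy, paths and address ranges are constructed placeholders.

```python
import ipaddress
import posixpath

# Constructed policy: protected path prefix -> source ranges allowed to reach it.
# 203.0.113.0/24 and 2001:db8::/32 are documentation ranges standing in for
# "your IP range"; the paths are hypothetical.
POLICY = {
    "/admin": ["203.0.113.0/24", "2001:db8:10::/48"],
    "/api/internal": ["203.0.113.64/26"],
}


def protected_prefix(path, policy=POLICY):
    """Return the longest protected prefix covering path, or None if it is public."""
    # Normalise first so "/public/../admin" is judged as "/admin".
    path = posixpath.normpath("/" + path.lstrip("/"))
    hits = [p for p in policy if path == p or path.startswith(p + "/")]
    return max(hits, key=len) if hits else None


def is_allowed(path, source_ip, policy=POLICY):
    """Decide whether source_ip may request path (path is already URL-decoded)."""
    prefix = protected_prefix(path, policy)
    if prefix is None:
        return True                      # not a protected URL
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False                     # unparseable source address: deny
    # Treat ::ffff:a.b.c.d as the IPv4 address it wraps.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in ipaddress.ip_network(cidr) for cidr in policy[prefix])
```

Feed `source_ip` from the connection's peer address, or from a forwarding header only when your own proxy sets it, since a client-supplied header is not a trustworthy source.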

Does the contract have a right-to-audit clause?
A company can claim to do vulnerability scanning, pen testing or have external audits, but until you see proof, do not believe them. When signing contracts, add a right-to-audit clause, which means you can conduct your own checks with notice.

Do they have a layered approach to security?
With extra exposure, compared to on-premise, ensure you have a layered approach to security. Firstly, firewall the traffic, then decrypt the traffic so your WAF & IPS can analyse the traffic. Rather than in-cloud, you can use external services to check the traffic when it hits your cloud infrastructure.

Do you have the logs?
Your cloud setup contains all types of logs: access logs to the cloud portal, antimalware, firewall, IPS, WAF, O/S logs, application logs and more. If your SIEM/SOAR is on-premise, divert the logs to your on-premise log management system.

Are your staff vetted?
Staff vetting is not going to catch everything but it's something. Ask for details like DBS, BPSS, SC (govt. secret if applicable), DV (govt. top secret if applicable) or other standards. They should be checking for criminal records, past jobs, references, credit scores and more. Also, look into company reviews and company financials.

What tier is the data centre?
Data centres come in tiers 1, 2, 3 and 4 – 1 being the lowest and 4 being the highest. The tiers offer better or worse levels of redundancy, like network connections, generators, UPS, fire-fighting equipment, and so on. Aim for tier 3 since tier 4 is quite rare.

Does the data centre have 24/7 security?
A good data centre should have a 24/7 security team with multiple CCTV, swipe cards, biometrics, and training to check ID and question visitors. Also consider whether it is near a lake, river or canal which could flood.

Can I move my data out?
One day, you may want to move back to an in-house set-up or move to another SaaS provider, and the question is, how easy will it be to do this? Some cloud accounting systems restrict the number of fields you can extract or let you extract the data in an odd format which means re-imports are hard.

Is your company or data centre certified?
SOC 2, Cyber Essentials Plus, PCI-DSS or 27001 are certifications relating to the company and/or data centre. ISO 27001 is a tough certification to get and may suggest they take security seriously. Check who issued the certificate and the scope. Does the certificate certify just a department, building, room or the whole company?

Can their staff view my data?
Many companies will tell you that their staff cannot view your data. The fact is server administrators using the system have full root access to servers, so, in theory, they can access data unless it’s encrypted somehow. Access levels often vary by role, department and country. For example, India, not being in Europe, would have less access to data than a level three support team in the UK or Europe.

What are your SLAs?
Ask about Service Level Agreements for uptimes, response times and fix times. Uptime is usually quoted in "nines", i.e. 99.9%, 99.95%, and 99.99% uptime. Some providers will give you a refund or credit if they do not meet their SLA.
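To see what the nines mean in practice, the added example below (not from the original article) turns an uptime percentage into a downtime allowance for a billing period and checks recorded outages against it, counting overlapping outage records once. The outage times are constructed sample data.

```python
from datetime import datetime, timedelta


def downtime_budget(uptime_pct, period):
    """Downtime allowed in `period` (a timedelta) while still meeting uptime_pct."""
    return period * (1 - uptime_pct / 100)


def merged_downtime(outages, start, end):
    """Total downtime inside [start, end); overlapping records are counted once."""
    total, cur_s, cur_e = timedelta(0), None, None
    for s, e in sorted(outages):
        s, e = max(s, start), min(e, end)        # clip to the billing period
        if s >= e:
            continue                             # record lies outside the period
        if cur_e is None or s > cur_e:           # gap: close the previous window
            if cur_e is not None:
                total += cur_e - cur_s
            cur_s, cur_e = s, e
        else:                                    # overlap: extend the window
            cur_e = max(cur_e, e)
    if cur_e is not None:
        total += cur_e - cur_s
    return total


def sla_report(uptime_pct, outages, start, end):
    """Compare measured downtime with the allowance for one billing period."""
    period = end - start
    down = merged_downtime(outages, start, end)
    budget = downtime_budget(uptime_pct, period)
    return {
        "budget": budget,
        "downtime": down,
        "achieved_pct": round(100 * (1 - down / period), 3),
        "breached": down > budget,
    }


# Constructed outage records for a 30-day month; the first two overlap.
START, END = datetime(2024, 4, 1), datetime(2024, 5, 1)
OUTAGES = [
    (datetime(2024, 4, 3, 2, 0), datetime(2024, 4, 3, 2, 20)),
    (datetime(2024, 4, 3, 2, 10), datetime(2024, 4, 3, 2, 35)),
    (datetime(2024, 4, 17, 14, 0), datetime(2024, 4, 17, 14, 5)),
]
```

With this sample, 40 minutes of real downtime stays inside a 99.9% allowance for the month but breaches 99.95%, while adding the overlapping records naively would give 50 minutes.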

Are all your eggs in one basket?
We have all heard the expression ‘don’t put all of your eggs in one basket’. Put your website, backup, email and document storage at one data centre or company, and you could lose everything. It's a good idea to use several companies so, should one be breached and go under, you have only lost a part of your data.
© Copyright 2012-2026 DataSecurityExpert.co.uk
