Most organizations today are either moving their IT workloads to the cloud, or they are researching their options to decide if they are comfortable making this move. Strategically there isn’t one answer for every organization. Your organization must understand the value that a cloud implementation can provide for this approach to be successful for the long term.
For many companies, the concerns typically begin with security, and rightfully so. Almost weekly there is a new IT-related security breach being covered by the media. If organizations cannot keep their on-premises data safe, why should anyone feel comfortable moving their data to the cloud? The answer lies within the questions you ask up front, and within the approach used by the cloud provider you choose.
Most cloud providers understand they are assuming a large liability when they allow you to put your corporate data in their environment. The highest-quality offerings today have, in many cases, implemented security better than we can on-premises, with the proper reporting to support their outcomes and results.
With a security breach hitting the media headlines almost weekly, why shouldn’t this be front and center? You are right, it should be, but let me define some of the facts before the word security stops you in your tracks.
The approach you use to secure your cloud environment should, at a minimum, meet the same criteria as the one you use to secure your on-premises environment. That being the case, when approaching any application, server, or workstation migration to the cloud, we should keep our on-premises security requirements in mind. To justify the move of corporate data to the cloud, the security we demand should exceed what we expect within our current on-premises designs.
Cloud Provider Security Checklist
So how can we ensure that this is being done, and that we have chosen a high-quality provider to support our long-term business goals? It ultimately comes down to the questions we ask, the liabilities outlined in the contracts we sign when we commit to our provider of choice, and the monitoring we can leverage to understand the overall environment.
So what questions should you be asking about security and monitoring? Here is a list of many of the important considerations that you should start with.
- What is their data loss prevention strategy?
- Can they offer you redundant data centers?
- Can a disaster recovery option be leveraged?
- Who is responsible for backups of your corporate data?
- What level of monitoring and reporting do they offer you, or is it best to look at a third-party option for the depth of information needed to successfully understand your cloud environment?
- Ensure that the provider has detection mechanisms that will:
  - Scrutinize traffic and keep security violators out of the environment.
  - Detect and prevent Denial of Service (DoS) attacks before they cause an outage.
  - Give your organization a reporting mechanism for reporting abuse back to them.
- Ensure that you can implement two-factor authentication for secure logins.
- Their offering should allow your organization to change all passwords on a schedule using complex formats, or integrate with a solution that does.
- There must be data encryption between site connections.
- Review their API configurations to determine whether they are secure. Some APIs have weak security parameters.
- Know if you are sharing resources with other companies, or if you have isolated resources.
- Understand who has access to your cloud-based environment, and what level of access they have.
- Establish who is responsible for protection from phishing or malware, and at which levels. This could be your organization, the cloud provider, or a combination of both.
- Is the cloud provider responsible for software-level patching, or are you?
The value of asking these questions up front is that it gives you an understanding of their security design model. Knowing if their model will work for your business is key. If they are securing their environment better than your organization does on-site today, then it’s time to start considering the move.
If organizations can overcome their security concerns, then a cloud implementation becomes a more relevant conversation. I would strongly encourage you to start having discussions with the cloud providers you may be interested in working with. This allows you to do your complete due diligence, and ultimately provide your business with the confidence to know that the cloud solution selected is truly the best offering for your business needs.