Archive for March, 2017

Cloud Computing Journey – Part 2

Cloud service provider questionnaire

In my previous post I gave you a short introduction to cloud computing.

When engaging with a cloud service provider, it is important to evaluate the provider’s maturity level by asking as many questions as possible, so that you reach the comfort level needed to sign a contract.

Below is a sample questionnaire I recommend putting to the cloud service provider.

Privacy related questions:

  • Does the cloud service provider have an official privacy policy?
  • Where are the cloud service provider data centers located around the world?
  • Are the cloud service provider data centers compliant with the EU Directive 95/46/EC?
  • Are the cloud service provider data centers compliant with the General Data Protection Regulation (GDPR)?

Availability related questions:

  • What is the SLA of the cloud service provider? (Please elaborate)
  • Does the cloud service provider publish information about system issues or outages?
  • What compensation does the cloud service provider offer in case of potential financial loss due to lack of availability?
  • Does the cloud service provider sync data between more than one data center in the same region?
  • How many data centers does the cloud service provider have in the same region?
  • Does the cloud service provider have business continuity processes and procedures? (Please elaborate)
    • What is the cloud service provider’s RTO?
    • What is the cloud service provider’s RPO?
  • What is the cloud service provider disaster recovery strategy?
  • Does the cloud service provider have change management processes? (Please elaborate)
  • Does the cloud service provider have backup processes? (Please elaborate)

Interoperability related questions:

  • Does the cloud service provider support security event monitoring using an API? (Please elaborate)
  • Does the cloud service provider support infrastructure related event monitoring using an API? (Please elaborate)

Security related questions:

  • What is the cloud service provider’s audit trail process for my organizational data stored or processed? (Please elaborate)
  • What logical controls does the cloud service provider use for my organizational data stored or processed? (Please elaborate)
  • What physical controls does the cloud service provider use for my organizational data stored or processed? (Please elaborate)
  • Does the cloud service provider encrypt data in transit? (Please elaborate)
  • Does the cloud service provider encrypt data at rest? (Please elaborate)
    • What encryption algorithm is used?
    • What encryption key size is used?
    • Where are the encryption keys stored?
    • At what interval does the cloud service provider rotate the encryption keys?
    • Does the cloud service provider support BYOK (Bring your own keys)?
    • Does the cloud service provider support HYOK (Hold your own keys)?
    • At what level is data at rest encrypted? (Storage, database, application, etc.)
  • What security controls are used by the cloud service provider to protect the cloud service itself?
  • Is there an ongoing firewall rule review process performed by the cloud service provider? (Please elaborate)
  • Are all of the cloud service provider’s platforms (Operating system, database, middleware, etc.) hardened according to best practices? (Please elaborate)
  • Does the cloud service provider perform an ongoing patch management process for all hardware and software? (Please elaborate)
  • What security controls are used by the cloud service provider to protect against data leakage in a multi-tenant environment?
  • How does the cloud service provider perform its access management process? (Please elaborate)
  • Does the cloud service provider enforce 2-factor authentication for accessing all management interfaces?
  • Is the authentication to the cloud service based on standard protocols such as SAML, OAuth, OpenID?
  • How many employees at the cloud service provider will have access to my organizational data? (Infrastructure and database level)
  • Do the cloud service provider’s 3rd party suppliers have access to my organizational data?
  • Does the cloud service provider enforce separation between production and development/test environments? (Please elaborate)
  • What is the cloud service provider’s password policy (Operating system, database, network components, etc.) for systems that store or process my organizational data?
  • Is it possible to schedule a security survey and penetration test on the systems that store my organizational data?
  • Does the cloud service provider have incident response processes and procedures? (Please elaborate)
  • What are the escalation processes in case of security incident related to my organizational data? (Please elaborate)
  • What are the cloud service provider’s processes and controls against distributed denial-of-service? (Please elaborate)
  • Does the cloud service provider have vulnerability management processes? (Please elaborate)
  • Does the cloud service provider have a secure development lifecycle (SDLC) process? (Please elaborate)
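
The encryption-at-rest sub-questions above (algorithm, key size, key storage, rotation interval, BYOK/HYOK, encryption layer) are the ones whose answers can be checked mechanically against a minimum baseline rather than just read. The following checker is an added example, not code from the original post; the baseline values (AES, 256-bit keys, rotation within 365 days, keys held in an HSM or KMS) and the two provider answer sets are assumptions constructed for illustration, and `provider-a` and `provider-b` are hypothetical names.

```python
"""Check a provider's encryption-at-rest answers against a minimum baseline.

Added example, not code from the original post. The baseline values below are
assumptions chosen for illustration; adjust them to your organization's policy.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed minimum baseline (illustrative, not figures from the post)
ACCEPTED_ALGORITHMS = {"AES"}            # symmetric cipher family accepted for data at rest
MIN_KEY_BITS = 256                       # minimum symmetric key size in bits
MAX_ROTATION_DAYS = 365                  # longest acceptable key-rotation interval
ACCEPTED_KEY_STORES = {"hsm", "kms"}     # keys must live in an HSM or a managed KMS
KNOWN_LAYERS = {"storage", "database", "application"}  # layers named in the questionnaire


@dataclass
class EncryptionAnswer:
    """One provider's answers to the encryption-at-rest sub-questions."""
    provider: str
    algorithm: str
    key_bits: int
    key_store: str
    rotation_days: Optional[int]         # None: the provider stated no rotation interval
    supports_byok: bool
    supports_hyok: bool
    layers: List[str] = field(default_factory=list)


def evaluate(answer: EncryptionAnswer) -> List[str]:
    """Return finding codes for one answer; an empty list means it meets the baseline."""
    findings: List[str] = []
    if answer.algorithm.upper() not in ACCEPTED_ALGORITHMS:
        findings.append(f"weak-algorithm:{answer.algorithm}")
    if answer.key_bits < MIN_KEY_BITS:
        findings.append(f"short-key:{answer.key_bits}")
    if answer.key_store.lower() not in ACCEPTED_KEY_STORES:
        findings.append(f"key-store:{answer.key_store}")
    if answer.rotation_days is None:
        findings.append("no-rotation-interval")
    elif answer.rotation_days > MAX_ROTATION_DAYS:
        findings.append(f"slow-rotation:{answer.rotation_days}d")
    # Without BYOK or HYOK the customer has no control over key custody at all
    if not (answer.supports_byok or answer.supports_hyok):
        findings.append("no-customer-key-control")
    layers = {layer.lower() for layer in answer.layers}
    if not layers:
        findings.append("no-encryption-layer")
    for unknown in sorted(layers - KNOWN_LAYERS):
        findings.append(f"unrecognised-layer:{unknown}")
    return findings


def report(answers: List[EncryptionAnswer]) -> Dict[str, List[str]]:
    """Map each provider name to its findings so several providers can be compared."""
    return {answer.provider: evaluate(answer) for answer in answers}


# Constructed sample answers for two hypothetical providers (not real vendors)
SAMPLE_ANSWERS = [
    EncryptionAnswer("provider-a", "AES", 256, "HSM", 90, True, True,
                     ["storage", "database"]),
    EncryptionAnswer("provider-b", "3DES", 168, "config-file", None, False, False,
                     ["storage"]),
]

if __name__ == "__main__":
    for provider, findings in report(SAMPLE_ANSWERS).items():
        status = "meets baseline" if not findings else "needs review"
        print(f"{provider}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

The finding codes are deliberately terse so they can be pasted straight into the questionnaire's follow-up column; a provider that returns "please see our whitepaper" for the rotation interval is recorded as `no-rotation-interval` rather than silently passing, which is the usual way vague answers slip through a review.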
Compliance related questions:

  • Is the cloud service provider compliant with any certifications or standards? (Please elaborate)
  • What is the level of compliance with the Cloud Security Alliance Cloud Controls Matrix (https://cloudsecurityalliance.org/research/ccm)?
  • Is it possible to receive a copy of the internal audit report performed on the cloud service in the last 12 months?
  • Is it possible to receive a copy of the external audit report performed on the cloud service in the last 12 months?
  • Is it possible to perform an on-site audit of the cloud service provider’s data center and activity?

Contract termination related questions:

  • What are the cloud service provider’s contract termination options?
  • What options does the cloud service provider offer for exporting my organizational data stored in the cloud?
  • Is there a process for data deletion in case of contract termination?
  • What standard does the cloud service provider use for data deletion?

Stay tuned for my next article.