Security is a top concern when you’re evaluating cloud service providers (CSPs). When your organization’s data and applications move to the cloud, they become dependent on the provider’s security practices. Under the shared responsibility model you keep control of some areas, such as classifying and encrypting your data and deciding who may access it, while the provider secures the infrastructure components such as servers, networks, and platforms. So it’s important to evaluate a cloud provider’s security carefully before migrating data and applications.

What do you need to know about a provider’s cloud security? One area is the security technology they use. You’ll want to know which firewalls, intrusion detection systems, access controls, and web gateways they run so you can evaluate the quality of those solutions. Most providers will readily tell you about their security solutions; in fact, many advertise the names of their security technology partners and products on their web sites. That’s helpful to customers, but it cuts both ways: it also tells an attacker exactly which products to research for known weaknesses in the provider’s environment.

However, more important than the technology are the provider’s internal security processes and practices. After all, you can have the best security software, but if you’re running old code that hasn’t seen a security patch since 2018, you’re still at risk. A security-conscious cloud provider focuses on security fundamentals, such as patching schedules and development processes.

Questions to ask your cloud service provider about security

Here are some of the questions I advise asking a prospective cloud provider:

Describe your vendor relationship management processes.

To ensure cloud security, a CSP must carefully evaluate and manage all of its relationships with networking and software vendors. A vendor relationship should be treated as a long-term partnership, and vendors should be evaluated with that goal in mind. Vendors often provide more than products and services: they also supply strategic advice and introductions to other potential partners.

Vendor relationship management is about much more than price. A typical process starts with an inventory of suppliers that records details such as their track record, reputation in the industry, hiring practices, and proof of regulatory compliance. A vendor or partner manager should review each vendor at least every year, while watching in between for significant changes such as financial losses, lawsuits, or a security breach at the vendor.

What risk assessments do you conduct on new vendors?

A vendor risk assessment evaluates the risks of doing business with a vendor based on its regulatory compliance and security controls. Every vendor that handles your data or provides IT products or services should be asked to complete a self-assessment questionnaire and to provide additional information during a follow-up visit or call. The evaluation should cover data security practices and technologies, security incident response processes, authentication and access controls, disaster recovery systems, financial stability, and evidence of independent attestations or certifications, such as a SOC 2 Type II report.

How often do you perform vulnerability assessments?

A vulnerability assessment identifies known weaknesses in IT systems. It’s usually done with an automated scanner that finds potential vulnerabilities and ranks them by severity and category so that security staff can prioritize remediation. An assessment may cover the network, hardware, and server software. A cloud provider should scan at least once a month and again after significant changes. Ask as well how quickly findings of each severity are remediated: a scan whose results are never acted on provides no protection.

Do you run penetration tests of your systems?

A “pen test” is a component of the risk management and assessment process. Where a vulnerability scan only reports possible weaknesses, a penetration tester actively tries to exploit them in the provider’s web and cloud applications and infrastructure. That shows the provider whether its security practices and controls actually work. The pen tester’s job is to prove whether a given exploit succeeds against a given asset, typically starting from the weaknesses reported by the initial vulnerability assessment scan.


How often does your company update its hardening templates?

Hardening guidelines for cloud servers and other equipment should be reviewed at least every year, and whenever the benchmark they are based on is updated. Your cloud provider may use the Security Configuration Benchmarks (CIS Benchmarks) from the Center for Internet Security (CIS) as the basis for its security templates; ask which benchmark versions and profile levels are applied and how compliance with the template is verified on running systems.

What do you use for edge network security?

An edge security device provides security at the point of connectivity between networks. Gartner’s term for the convergence of these network and security functions into a cloud-delivered service is Secure Access Service Edge (SASE). SASE combines network security functions such as secure web gateways, cloud access security brokers, firewall as a service, and zero-trust network access with wide-area networking.

How do you review your network security device configurations?

A cloud provider should have a schedule for reviewing the configuration of firewalls, intrusion detection systems, network access controls, routers, and other network devices that play a security role. Any change to a device’s configuration should be logged automatically, with an alert sent to the responsible IT manager, and the running configuration should be compared against an approved baseline. Automating configuration management in this way catches malicious changes as well as human error.

What system configuration management (SCM) tools do you use?

Configuration management tools ensure that systems are configured correctly and haven’t drifted from that state over time. You’ll want to know that the provider has an active SCM process and toolset and can discuss it in depth. SCM helps prevent mistakes such as leaving factory default settings in place, and it flags unexpected changes that may indicate an attacker at work. Catching such drift early is critical to stopping an attack before it progresses.
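The checks behind the last three questions (hardening templates, device configuration review, and drift detection) can be made concrete with a small script. The following is an added example written for this article, not TierPoint’s tooling: it compares a captured sshd_config against a hypothetical hardening baseline, treats a directive that is absent from the file as the assumed OpenSSH factory default rather than as “unset”, applies sshd’s first-occurrence-wins rule for duplicate directives, and emits an alert line for every drifted setting. The baseline values, the default values, the hostname, and the sample configuration are all assumptions constructed for illustration, not quotations from any CIS Benchmark or real host.

```python
"""Configuration-drift check against a hardening baseline.

Added example for this article, not TierPoint's tooling. The baseline
values are modelled on common hardening advice for OpenSSH and are an
assumption, not a quotation of any CIS Benchmark; the fallback defaults
are assumed OpenSSH defaults; the sample config is constructed."""

from dataclasses import dataclass

# Hypothetical hardening template: the value each directive must have.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "MaxAuthTries": "4",
    "X11Forwarding": "no",
    "LogLevel": "VERBOSE",
}

# Assumed OpenSSH defaults used when a directive is absent from the file.
# A missing directive is not "unset": the daemon silently applies its
# default, which is how "never changed the factory setting" drift hides.
FACTORY_DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "MaxAuthTries": "6",
    "X11Forwarding": "no",
    "LogLevel": "INFO",
}

# Directive names are case-insensitive; map lower-case to canonical form.
_CANONICAL = {name.lower(): name for name in BASELINE}


@dataclass(frozen=True)
class Finding:
    directive: str
    expected: str
    actual: str
    source: str  # "explicit" (set in the file) or "factory default"


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective directive -> value map for the global section.

    Mirrors two sshd rules that naive parsers get wrong: the FIRST
    occurrence of a directive wins (later duplicates are ignored), and
    directives after a Match line are conditional, so parsing stops there.
    """
    effective: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match"):
            break
        # sshd accepts "Key value" and "Key=value"; normalise the first "="
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key = _CANONICAL.get(parts[0].lower(), parts[0])
        effective.setdefault(key, parts[1].strip())  # first value wins
    return effective


def check_drift(config_text: str,
                baseline: dict[str, str] = BASELINE,
                defaults: dict[str, str] = FACTORY_DEFAULTS) -> list[Finding]:
    """Compare a captured config with the baseline; one Finding per drift."""
    effective = parse_sshd_config(config_text)
    findings: list[Finding] = []
    for directive, expected in baseline.items():
        if directive in effective:
            actual, source = effective[directive], "explicit"
        else:
            actual, source = defaults.get(directive, "<unknown>"), "factory default"
        if actual.lower() != expected.lower():
            findings.append(Finding(directive, expected, actual, source))
    return findings


def alert_lines(host: str, findings: list[Finding]) -> list[str]:
    """Render findings as log/alert lines for the change-monitoring pipeline."""
    return [f"ALERT host={host} directive={f.directive} expected={f.expected} "
            f"actual={f.actual} source={f.source!r}" for f in findings]


# Constructed sample capture, not a real host's configuration.
SAMPLE_CONFIG = """\
# sshd_config captured from a (fictional) host
Port 22
PermitRootLogin yes
# the duplicate below is ignored by sshd: the first value above wins
permitrootlogin no
X11Forwarding no
LogLevel VERBOSE
MaxAuthTries 4
# PasswordAuthentication is never set globally, so the factory default applies
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for line in alert_lines("web01", check_drift(SAMPLE_CONFIG)):
        print(line)
```

Run against the sample, the script reports two drifts: PermitRootLogin is explicitly set to yes, and PasswordAuthentication is never set globally, so the assumed factory default of yes applies even though a Match block sets it to no for one user. The second case is the one a grep for the directive name would miss, which is why the check reasons about effective values rather than about lines in the file.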

What are your access control solutions and processes?

Access controls limit the scope of each user’s access to enterprise data and applications and ensure that only authorized users can reach IT systems. Access control systems combine role-based policies with authentication methods such as smart cards, biometrics, and hardware or one-time-password tokens. Role-based restrictions limit how much damage an attacker can do with a stolen employee credential: unless the attacker has compromised an administrative account, they can reach only the portion of data and applications that the role allows. Ask in particular how administrative accounts are protected, for example with multi-factor authentication, and how access rights are reviewed and revoked.

Who audits your security controls and practices?

Do you self-audit or bring in a third-party auditor? A self-audit is a good start, but it isn’t as objective as an audit by a neutral third party. Ask to see the resulting reports, such as a SOC 2 Type II report, and check their scope and date: an audit covers only the services and the period it names.

Do you have data leakage controls?

Public cloud services use a multitenant architecture, in which customers share servers and applications. That optimizes resources and reduces costs, but it also introduces potential risks. Cloud providers rely on logical isolation, such as hypervisor, network, and storage separation, to wall off each customer’s data and applications. Isolation failures can still occasionally occur, so ask about the provider’s tenant isolation methods, how they are tested, and what other data leakage controls are in place.

What types of encryption do you use?

Cloud providers may encrypt data differently depending on whether the data is in transit or at rest. Your provider should explain which encryption methods they use and why, including the algorithm and key length (for example, AES-256 for data at rest and TLS 1.2 or later for data in transit), how encryption keys are generated, stored, and rotated, and whether you can hold your own keys.

As your cloud environment grows, you want to know that your data and applications are secure. Vetting your cloud providers’ security practices and processes is the first, most critical, step in ensuring cloud security.

We can help you with your cloud security strategy

TierPoint provides a range of cloud hosting options and managed cloud security services, from Security as a Service to regulatory compliance consulting. Contact us to discuss how TierPoint can help you to protect your cloud environment. Also, download our Strategic Guide to Cloud Computing and Strategic Guide to IT Security to learn more about your cloud computing options and today’s top cybersecurity challenges.


Shawn Connelly is the Senior Director of Digital Forensics and Security Infrastructure at TierPoint.
