Unless you’re an expert in security issues, doing proper Cloud provider due diligence can be daunting. Yet it’s essential, given the importance of your business’s data and applications.
So I offer seven questions for you to ask of every Cloud provider you’re considering. Pay attention to the answers you get and don’t hesitate to demand drilldown details. Remember: You’re contemplating putting at least some of the data and apps your business relies on into this provider’s Cloud environment.
- What access control model do you use? Who chooses the authoritative sources of access control policy and user profile information — you, or us, or a third party?
- Do you support retrieval of access control policies and user profile information from external sources? If so, via what formats and transmission mechanisms?
- Where do our accounts reside? How are they provisioned and deprovisioned? How do you protect the integrity of our data?
- What authentication mechanisms do you support? (These should be appropriate for the sensitivity of the data use.) Do you support federated authentication or single sign-on model(s)?
- What support do you provide for delegated administration by policy administration services?
- What log information do you provide? Can it be imported into our operational analysis and reporting tools?
- Can we specify external entities with whom to share information? If so, how is that accomplished?
Next time: 4 Cloud security must-dos.