Before we move applications or data into the cloud, we need to consider each vendor's SLA, its security posture, and our own audit needs. Let's put together a basic list of questions to frame what information we need as we review vendors' SLAs. Some of these questions are basic, but getting the answers will not be easy.
• What security controls are in place to protect our data?
• How many instances of live data are maintained and where is our data physically located?
• How many copies of backup data are maintained and where is our data physically located?
• Who has access to the data?
• What is the nationality of people who have access to our data?
• Can we specify who shares physical (or logical) resources with us?
• Is our cloud provider SLA in conflict with any of our customer SLAs (right to audit, etc.)?
• What ability do we have to conduct audits or assessments?
• Will a 3rd party be allowed to audit the system and can we have the results of that audit?
• Can you provide assurance of data destruction?
• What ability do we have to conduct pentests?
• Is operational-level information available for review both by enterprise security personnel and by internal/external auditors?
• What is the defense-in-depth architecture of the system?
• How will we be notified if a security breach occurs?
• Who is managing our data?
• Where is our data replicated?
• What dependencies do our cloud providers have?
• What about a denial of service caused by a peak load from one of your other customers?
• What is the financial viability of the provider and what happens if the provider fails?
• What are the cloud vendor's backup and disaster-recovery procedures/plans in the event of an earthquake, tsunami or other natural disaster?
• What tools will the customer’s IT team use for administration control of cloud services?