Before we move applications or data into the cloud, we need to consider the vendor's SLA, the vendor's security posture, and our own audit needs. Let's put together a basic list of questions to use as we review vendors' SLAs, to help frame what information we need to consider. Some of these questions are basic, but getting the answers will not be easy.
Access Control:
• What security controls are in place to protect our data?
• How many instances of live data are maintained, and where is our data physically located?
• How many copies of backup data are maintained, and where is our data physically located?
• Who has access to the data?
• What is the nationality of the people who have access to our data?
• Can we specify who shares physical (or logical) resources with us?
SLA:
• Is our cloud provider's SLA in conflict with any of our customer SLAs (right to audit, etc.)?
Auditing:
• What ability do we have to conduct audits or assessments?
• Will a third party be allowed to audit the system, and can we have the results of that audit?
• Can you provide assurance of data destruction?
• What ability do we have to conduct pentests?
• Is operational-level information available for review both by enterprise security personnel and by internal/external auditors?
Security:
• What is the defense-in-depth architecture of the system?
• How will we be notified if a security breach occurs?
Operational:
• Who is managing our data?
• Where is our data replicated?
• What dependencies do our cloud providers have?
• What about a denial of service that comes from a peak load of one of your other customers?
• What is the financial viability of the provider, and what happens if the provider fails?
• What are the cloud vendor's backup and disaster-recovery procedures/plans in the event of an earthquake, tsunami or other natural disaster?
• What tools will the customer's IT team use for administration and control of cloud services?