9 Security Questions To Ask Your Cloud Service Provider

Peace of mind goes a long way when choosing someone to manage your company’s information. Credibility, resourcefulness, and past successes are indicative of a strong business. Beyond the typical online research, there are additional important questions to ask anyone you trust with your data.

1. Were is my data stored?

Data is usually stored on computer hardware such as a computer or server. It is most likely on multiple computers and servers for your business. This question refers to where the provider physically stores its hardware. Is it located in the provider’s garage, at an in-house data center, or at an off-site secure data center? Clearly, the secure data center is the answer you are looking for. An off-site data center is typically manned 24/7 with security levels that make it physically very hard to break into. A data center is always prepared for power outages and interruptions in internet service. They are environmentally controlled as well. Even if the power goes out in your local area, your company website and email will still keep working.

2. Who has access to my data?

Now that you know where your data is stored, you need to know who has access to it. Access to your data should be limited to those employees who are required to access it for your support. It is important that each individual who has access to your data be properly screened by your provider. Ask to be informed when there is a staffing change, or a possibility of breach of security.

3. How is my data kept separate from that of other clients?

As cloud services grow, more and more resources are being shared in multi-tenant environments. This means both applications and resources can typically be shared. Although this may seem scary at first, modern systems are designed to keep data separate and secure between existing clients. Make sure that the services you are using are well known and trusted. Also make sure that your credentials are being encrypted when they are being stored.

4. How frequently are data backups performed?

Backups of your data ensure that you are covered in the event of a data loss. In Beware of Ransomware: How To Prevent Computer Viruses, we mentioned the increase in ransomware incidents, and how they can strike at any time. Employee error is another top culprit of data loss.

Ideally, you want your data backed up every day. In addition, you want to know that your provider is actively monitoring the backups to verify they happened and there were not any errors. A clear process should be in place to fix any issues and alert you based on your terms.

5. What is the estimated recovery time for your particular cloud setup?

Most providers use a software program to facilitate the storing and backing up of data. A provider is only as good as the program that is driving the business information. In addition to getting estimated recovery times, it is also important to find out exactly what files will be available during the recovery period. There are industry terms that you may hear: recovery time objective (RTO) or recovery time and point objectives (RTPO™).

Your provider should be able to share with you the marketing materials for the vendor they use. You can also do your own research. Take a look at Veeam®: Data Security and Backup Solutions for Businesses for information on our top choice.

The best answer to this question is based on your business needs. However, you can assume the shorter amount of time that you get access to your backups, the better.

6. How are my resources protected from malware and viruses?

There are many places where viruses and malware can gain access to your computer and network. Gone are the days where a simple antivirus application is enough to protect your company. Here are the areas and steps to take to make sure you are covered:

1. Firewall – Your firewall should have intrusion detection and prevention. In addition, most business class firewalls will also have the ability to do initial virus and malware scans of internet traffic before they reach your computers.
2. Network – Introduce a SIEM (Security Information and Event Management System) into your network. These systems protect your network by identifying suspicious behavior across your entire company’s network.
3. Antivirus – Your workstations should have managed antivirus software that can be configured to alert your IT support team. Single installations of antivirus are no longer effective. Your antivirus should be managed across your entire network to ensure infections are not being carried from machine to machine.
4. Malware Protection – There are categories of software that can be as equally damaging as viruses, but are not detected by antivirus software. Make sure your computers have an additional layer of protection by having anti-malware software installed as well.
5. Security Patches – The one thing viruses and malware have in common is identifying and exploiting security patches in your operating system and software. Make sure your provider is keeping your computers up to date with the proper security patches.

7. Do you actively monitor and log access requests?

Your provider should have a system in place that captures all remote logins to your network. Many, if not most, of all remote access software provides reports that show this information. Ask your provider to send you monthly reports detailing who, and how often, your network is being accessed.

8. Are you compliant with regulatory security standards such as HIPAA and PCI?

If your industry has regulatory requirements for the use and storage of your data, you need to know that your provider offers this protection. This is especially true when there are fines and audits involved. In addition to being compliant, ask your provider what role they play in assisting you with data requests during an audit. The answer to this should be yes, if you require it.

9. How do you handle support requests?

Access to support is as important as the support itself. As a client, you should be able to submit and receive support through a variety of ways including phone, email, and chat. Many providers even allow you to directly submit requests through the provider’s helpdesk portal. Stay away from providers who only allow contact by form submission or email. When there is a crisis, it is going to be more comforting to be able to speak to a live person on the other end. Lastly, do not assume every provider offers the same thing. Most providers use partners and software to deliver their services. You should be able to find a listing of some of their partners on their website. In addition, look for blog postings and social media as a way they connect with their customers. Ask for testimonials or case studies. Strong businesses want to share their successes with you.

Author: Aaron White, Date: 25th July 2016