
Security In the Cloud: Ask These Questions and Put Your Mind at Ease
By John DeWolf

If you're like most companies and you're about to store LOTS of data in the cloud with a new SaaS provider, you do your homework. Hopefully you've done your cloud security research before you sign on the dotted line. Below are the key questions you should be checking off your list before putting crucial data in the cloud.
- Does the cloud provider's privacy policy protect your end users? Ask which legal framework it is written against and have them show you the paperwork, not just a logo on the website. For example, a provider based in Europe should be able to show compliance with the EU's Data Protection Directive (95/46/EC); one based in the US should be part of the US Department of Commerce Safe Harbor program. Note that both have since been superseded (Safe Harbor was invalidated by the EU Court of Justice in 2015 and the Directive was replaced by the GDPR in 2018), so ask which transfer mechanism the provider relies on today and get it in writing.
- Has your cloud provider had a SOC 2 Type II audit? This is an independent examination, performed by a CPA firm against the AICPA Trust Services Criteria (which grew out of the earlier WebTrust and SysTrust principles), of whether the provider's security practices meet the criteria. Ask for Type II specifically: a Type I report only says the controls were designed properly on one day, while a Type II tests that they actually operated over a period, usually six to twelve months. Any provider that has been audited will have the report on file to share with you, normally under NDA. When you get it, read past the opinion letter: check that the Security criteria are in scope, that the period covered is recent, and what exceptions the auditors noted.
- Does your cloud provider contract with a 3rd party to conduct penetration testing at least annually? This is also an industry best practice. Ask to see the results of the latest test, and don't settle for a one-page attestation letter: you want the scope (was the service you'll be using actually in it?), the findings, and whether they have been remediated and retested.
- Is the provider open about its encryption practices? Make sure you understand how keys are generated, where they are stored, and who has access to them. Ask what encryption algorithms are used. And if you're not a PhD in Computer Science, fear not: just make sure they name an industry standard algorithm such as AES (for data) or RSA (for key exchange and signatures), and then ask the follow-up questions that separate real practice from a checkbox. Which mode of AES (it should be an authenticated mode such as AES-GCM, never ECB)? Is data in transit protected with TLS? Do keys live in a dedicated key management service or HSM rather than next to the data? Are keys rotated, and can you bring or manage your own? Encryption is only as strong as the key handling around it; if the provider's own operators can decrypt your data at will, the algorithm name doesn't matter much.
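To make those follow-up questions concrete, here is an added example, written for this article rather than taken from any provider's code, of a minimal envelope-encryption scheme in Go: each record gets its own random data key, only the wrapped data key is stored beside the ciphertext, and a key-encryption key stands in for what a KMS or HSM would hold. The same program encrypts the record with raw AES-ECB to show why "we use AES" is not a complete answer: identical plaintext blocks come out as identical ciphertext blocks, while AES-GCM hides that structure and also rejects a ciphertext that has been tampered with. The KEK value and the sample record are constructed for the demo, and AES-GCM is used as the key-wrap step as a simplification.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts with AES-GCM under key, prefixing a fresh random nonce.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen reverses gcmSeal; any change to nonce, ciphertext or tag is rejected.
func gcmOpen(key, data []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(data) >= n {
		return aead.Open(nil, data[:n], data[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// SealEnvelope is the envelope pattern a provider should be able to describe:
// a fresh random 256-bit data key (DEK) encrypts each object, and only the DEK
// wrapped under the key-encryption key (KEK) is stored beside the ciphertext.
// The KEK should never leave the KMS/HSM; AES-GCM stands in for a key-wrap mode.
func SealEnvelope(kek, plaintext []byte) (wrappedDEK, ciphertext []byte, err error) {
	dek := make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, dek); err != nil {
		return nil, nil, err
	}
	if ciphertext, err = gcmSeal(dek, plaintext); err != nil {
		return nil, nil, err
	}
	if wrappedDEK, err = gcmSeal(kek, dek); err != nil {
		return nil, nil, err
	}
	return wrappedDEK, ciphertext, nil
}

// OpenEnvelope unwraps the DEK with the KEK, then decrypts the data with the DEK.
func OpenEnvelope(kek, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := gcmOpen(kek, wrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return gcmOpen(dek, ciphertext)
}

// ecbEncrypt is raw AES-ECB (block-aligned input only), assembled by hand
// because Go's standard library deliberately omits the mode.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(plaintext)%aes.BlockSize != 0 {
		return nil, errors.New("bad key or plaintext not block aligned")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out, nil
}

func main() {
	kek := bytes.Repeat([]byte{0x42}, 32)                 // constructed stand-in for a KMS-held master key
	record := bytes.Repeat([]byte("balance=0000000;"), 4) // constructed sample with repeated 16-byte fields
	ecb, _ := ecbEncrypt(kek, record)
	wrapped, ct, _ := SealEnvelope(kek, record)
	// Identical plaintext blocks give identical ECB ciphertext blocks; GCM does not.
	// For the GCM output, skip the 12-byte nonce prefix before comparing blocks.
	fmt.Println("ECB block 0 == block 1:", bytes.Equal(ecb[:16], ecb[16:32]))
	fmt.Println("GCM block 0 == block 1:", bytes.Equal(ct[12:28], ct[28:44]))
	ct[len(ct)-1] ^= 1 // flip one bit of the stored data; GCM must reject it
	_, err := OpenEnvelope(kek, wrapped, ct)
	fmt.Println("tampering detected:", err != nil)
}
```

The point to take to the vendor conversation: the interesting answers are about the wrapped-key layer (who holds the KEK, whether it is in an HSM, whether you can supply it) and the mode (authenticated, so tampering is detected), not the word "AES".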