Ask potential cloud vendors these 10 security questions

Dominic Vogel offers his list of ten questions you should be asking cloud vendors about their security practices. Make sure you get the proof to back up their claims.

If you are like me (and for your sake I hope you are not) navigating through the abstruse marketing manure often leaves one dizzied and confused. As more business people are becoming enamoured with cloud services, evaluating the information security posture of a potential cloud provider is essential, but can often seem like an exercise in futility. If you are going to trust a third party you need to hold their feet to the proverbial fire by undertaking proper due diligence. Before deciding to engage with a cloud provider, ask them to answer (truthfully) this security questionnaire to gauge their information security maturity.

Does the organization have formal written information security policies?

This is an indication of their information security program maturity (or lack thereof). Companies that have not formalized their security policies should not be trusted with your sensitive corporate/customer data. Policies form the framework and foundation and without security is merely an afterthought.

Are external third-party contracts required to comply with policies and customer agreements?

Similar to the concept of subcontracting, if you entrust a cloud vendor with your information and they in-turn use another provider (to store your information for example) does the initial vendor ensure that their partners comply with the policies and security agreements that were laid out in your contract? If not, these partners weaken the overall security of the information chain.

Does the organization have a formal change control process?

Companies that implement changes and configuration in an ad-hoc manner are more likely to experience significant downtime in their environment. The leading cause of network outages can be attributed to poor planning and lack of change control. If the data you are sending to the cloud is time sensitive, you want to go with a provider that abides by a formal change control process, thus managing the inherent risk in unplanned changes.

Is physical access to data processing equipment (servers and network equipment) restricted?

Often overlooked, physical security is equally important as technical/logical controls. If someone can physically access your data, then all security bets are off. Ask your vendor about how they control physical access to their server rooms and what procedures they have in-place.

Do they follow secure data destruction processes for confidential data and IT equipment/media?

If you are storing confidential/sensitive data in the cloud and if the vendor does not properly destroy data from decommissioned equipment, the data is needlessly put at risk. Ask your vendor about their data destruction process.

Do they implement controls to segregate your data from other customers?

The multi-tenant paradigm of cloud computing introduces a significant avenue of attack. For instance, if a multi-tenant cloud service database is not properly secured, a flaw in one client application could allow an attacker access to other tenant's data. Additionally, check that the vendor is not using system-wide administrator accounts with "God" access to their entire cloud environment. Usage of such accounts should be minimal and should be monitored.

Does the organization encrypt (and regularly test) its backups?

An untested backup is a useless backup. An unencrypted backup defeats the security controls in the production environment. Information needs to be protected across its entire lifecycle.

Does the organization have regularly tested disaster recovery plans for data processing facilities? If the data your company is sending to the cloud is time-sensitive, check with the vendor to see if they regularly test their disaster recovery plans. Well defined plans will minimize the length and impact of the disaster. Can they provide results of a third-party external audit conducted within the past two years? Generally, companies that undergo an external audit have foundational security framework in place and an acceptable baseline of security can be expected. A less then scrupulous vendor may claim to have undergone extensive auditing while actually an auditor hadn't come within 10 square miles of their business. Ask a prospective cloud vendor to provide results of their last external audit. A transparent company will have no qualms in granting you those results. If they refuse, chances are they do not want you to know their shady auditing truth. Will they provide relevant certificates of applicable compliance certifications?

Vendors will often claim to be compliant with a whole gamut of certifications  -- ITIL, COBIT, ISO 2700, and the list goes on. Ask the vendors to provide proof about such claims. If they balk, chances are they are hiding something.

The cloud can be as secure as you make it. It is up to each and every cloud user to hold their cloud providers to an expected standard of security. The vendor's underlying cloud environment is likely more secure than your local data centre, but without asking the probing security questions you'll never know. What questions do you ask prospective cloud vendors? How do you assess the information security of a cloud service provider? Include your thoughts in the comments section or contact me @domvogel.


Dominic Vogel is currently a security analyst for a financial institution in beautiful Vancouver, British Columbia.


I remember evaluating a secured data center (complete with then current SAS 70 I and II audits), finding an open door, walking past all of the main power controls and continuing to walk through one-way (push to open) doors to the front office where a security guard sat (ostensibly) reviewing monitors. He said nothing as I signed-in as Mickey Mouse and flashed my driver's license with a thumb over the picture. There were other flaws that eliminated this installation from being chosen as a co-lo for our financial data. Bottom line -- audits are only snap-shots in time, prepared by well-paid auditors who tend to pre-flag problem areas for management correction before writing a final report -- investigate before you invest (hat tip to the Better Business Bureau).


The point made on third party audit is a valid one, some audit mechanisms will provide value to third parties and others won't. If you rely on a audit report or process which doesn't provide you (as the reliant party) any form of redress then it might give you a picture that doesn't give you any legal protection... The question you have to ask is what legal liability does the auditor have to you (on the basis you didn't commission the audit) if you rely on their findings


There are a few obvious other ones... off the top of my head my next few (let's not argue over the ordering) would be: 11) What controls have they got in place to detect attacks and breaches 12) What circumstances/criteria would they follow in notifying their customers of a breach 13) Where is the data actually stored 14) How do they prevent a breach or attack on one client affecting other clients services (i.e. service segregation, rather than data segregation) 15) what access to the audit logs, security event logs, traffic details will they provide (e.g. if you are trying to get to the bottom of misuse by a legitimate user) 16) What is the process mechanism to extract your data/virtual servers from the cloud in the event of service/contract termination - what format will the data/systems arrive back in 17) Do they have any high profile/high threat/high risk customers - what criteria would they use to determine whether a new customer poses a significant risk to their existing customers


Good list and nice additions. I can't say I wholeheartedly agree with #9 though. A recent financial audit is certainly better than no audit but external audits have a narrow focus/purpose with limited if any verification in the area of security controls and only report internal control issues if they are material to the bottom line, which takes an awful lot. A SSAE16 report is what you really want.

Editor's Picks