There’s much we can do to secure our assets in the Cloud and I am quite sure that most of you, IT Security Pros are on the go! However, I would like to share with you a couple of points worth noting before choosing your Cloud provider.
During the search for Cloud providers take a note of certifications such as, ISO, PCI, etc. they have achieved as these will help you differentiate between providers that commit themselves to operational and security best practices and others that operate for the sake of making money. Remember that certifications and regular audits make vendors follow some rules! That’s a plus, isn’t it?
Search for online docs or FAQs on the provider’s site that state responsibilities and liabilities in clear English. Quite often customers come to know about liabilities after an incident which may have legal implications on the business. Therefore, I suggest that you understand the division of liabilities and responsibilities before signing any agreements.
Other aspects of the Cloud that implies direct or indirect security concerns are the account interface, data backup and management of resources. How secure the account interface is? What kind of backup mechanism they have, if any? How backup media is handled? Is data wiped out completely from terminated resources? Is the provider internal staff with higher privileges monitored?
These are the kind of questions we need to ask and if some providers lack to answer then I would place them in my blacklist. After all, cloud providers should deal with security as a business enabler!