Content Hub

Cloud Security

Published 2nd April 2020

The questions you need to be asking your business and your provider.

On-Premise Private Cloud – questions to consider in your business

Physical security

      1. How do we vet staff, and 3rd part contractors e.g cleaners?
      2. How are windows and other access points secured?
      3. Is there CCTV in operation?
      4. Should we invest in digital access, to monitor and audit physical access?
      5. How resilient is our power source?
      6. If the power goes out, are the CCTV and alarms on generators?
      7. What is our offsite backup in the event of fire, and the security at that location?

Single PERSON of Failure?

        1. Are we heavily reliant on one person in the team? Do they hold all the admin keys?

Certification and accreditation

          1. Do our clients require formal accreditation such as ISO-27001?
          2. If yes, is that difficult to attain in our office environment?

 

Public Cloud – questions for your cloud provider

    1. When you delete a VM how long is the data retained on primary storage and secondary backup storage?
    2. How can you guarantee that data has been fully destroyed?
    3. How can you encrypt data over the network, in storage, on backups?
    4. Who holds responsibility for VM-level and application patching?
    5. Can you guarantee that the answers to these questions won’t change in the future?

 

Private Cloud -questions for your cloud provider and your business to consider

    1. Who has responsibility for infrastructure-level (virtualisation and storage platform) patching? How will you become aware of new vulnerabilities?
    2. What are the processes and policies for disposing of failed storage drives?
    3. Have you allowed adequate budget for offsite backup and disaster recovery services?
    4. With full control of the network stack do you have the expertise and processes in place to ensure network security is maintained and accidental access points aren’t left open?
    5. How is communication between the compute nodes and storage tier physically routed and secured?
    6. Does the provider have management access and how is that secured?
    7. Dedicated private infrastructure is great but is the automation/orchestration layer adequately secured or is this a simple attack vector?
    8. Who is responsible for capacity management and monitoring?
    9. Who is responsible for infrastructure and hardware availability monitoring?
    10. Will your private cloud hardware be under continuous upgrade to mitigate legacy security issues in firmware?

 

Download

Any questions? Call us to speak to an expert directly…