What Cloud Security Questions Should You Be Asking?
So, you’ve decided to hire a Cloud Security provider. You’ve got your list of questions for each vendor, and you’re ready to go, right?
Well, not quite. Some questions are just things that people never think to ask. And they never ask because they’re not in the security business.
We’ve already discussed some common questions that you might want to ask your security vendor. What we want to talk about are those questions that people should be asking their cloud security providers.
Do You (Zero) Trust Me?
Asking about Zero Trust can really tell you a lot about what your provider thinks about security.
We’ve talked about Zero Trust security and how it’s critical to any security system’s success, but here’s the short version:
Zero Trust means that you design your security system on the assumption that your employees and users won’t always do the right thing. That doesn’t mean that you need to start looking at everyone as a bad actor. It’s more of a security philosophy. It’s about setting up a security system that accounts for people making mistakes, whether that’s someone clicking on a strange email link or something more nefarious.
The other security philosophy that is common is one we’ll call a perimeter system. It views security like a castle. A perimeter system protects everything inside of it. The only problem with a perimeter system is that it assumes everything inside the perimeter is okay. And we’ve seen breaches where that isn’t the case.
A Zero Trust system removes a lot of the risk that comes with the mistakes that people make. Asking your cloud security provider how they can implement a Zero Trust system is a great question that they should be happy to answer.
Are You Prepared?
It’s a question that we never get asked, but should be. Maybe it’s because most people would assume that a security vendor would have some sort of plan in place to address threats of all kinds. But you’d be surprised what people don’t ask. Some great preparedness questions to ask your vendor include:
• What happens in the event of a catastrophic failure (natural disaster, massive data breach, etc.)?
We’ve talked before about asking about some common worst-case scenarios, but this is a question for your vendor that doesn’t get answered often enough. Does your vendor have a plan for this scenario? What is it? Your vendor should have a response plan in place for this type of scenario. If they don’t, it might be time to seek services elsewhere.
• What happens in the event of a failure that leaves our cloud data temporarily (or permanently) inaccessible?
As the data owner, you’re going to be primarily responsible for your data, but it is helpful to know exactly what your security provider is doing to prepare for the absolute worst-case scenario. Good answers should outline some kind of response plan that includes notifying you of the problem and giving an estimate of downtime, which allows you to either enable your backup solution or plan accordingly.
• What security threats of the future do you see for long-term archival data that you might have to keep for extended intervals (10+ years)?
It sounds like a niche question, but if you’re running a business that deals in large quantities of sensitive data you need to keep for regulatory purposes (financial records, etc.), it’s a question that should be a priority for you. Some of the biggest breaches of the past decade were of sensitive data that’s held for long periods of time. If you’re serious about securing that data, it’s important to ask your cloud security provider.
There are many items that could be considered cloud security challenges. But you’ve probably already asked about them. The questions you should be asking are about the integrity of the vendor you’re working with. That applies to physical/digital integrity and moral integrity!
The questions above cover two areas, practicing Zero Trust and preparing for the worst, that any good cloud security provider will be more than happy to discuss with you.
And while you shouldn’t rely completely on your vendors for your security solution, these questions can root out which companies are serious about security, and which companies aren’t.