Questions to ask about cloud security

The way businesses store and access their data is changing. Due to the increased flexibility, agility and scalability of the cloud, many are opting to move away from privately owned infrastructure and towards the public cloud.

Organisations whose hardware, software and data are located on site and directly under their control are free to determine their own security posture and policies. However, as the majority of businesses migrate to the public cloud, much of this oversight and control moves out of their hands and into the hands of the cloud provider. The level of involvement the business has depends on the model it is using:

Software as a Service (SaaS) – Hardware and software
Infrastructure as a Service (IaaS) – Hardware and instant computing infrastructure
Platform as a Service (PaaS) – An underlying infrastructure that allows deployment of software

Each model places different levels of responsibility on the customer. Organisations must be clear about what security measures they are expected to take and where the responsibilities lie. As a basic rule, IaaS requires the most user management of all the cloud services and SaaS requires the least.

Check your security responsibilities

Does the cloud encrypt stored data? Who has control of the encryption keys? If it’s the cloud provider, how do you know that they will be kept secure?
Data stored in Microsoft’s Azure cloud is encrypted at all levels and there are strict company guidelines about who is able to access this data.

When your data travels over the internet, will it be encrypted?
A VPN gives a high degree of privacy when communicating with cloud applications.

Will data be fully deleted when no longer needed?
When changing providers, or leaving the cloud environment, organisations need to know that data will be removed from all hard drives. In the cloud these resources will be reallocated to other users. Check how the provider intends to make data inaccessible to others and what guarantee they offer.

Will I be provided with a full security overview?
Many cloud providers offer self-service portals where you can access reports and logs. Check with the provider what these show and whether they give you adequate visibility of security incidents.

Check that any software used has been developed with security in mind.
For example, the Microsoft 365 security centre provides security administrators and other risk management professionals with a centralised hub and specialised workspace that enables them to manage Microsoft 365 intelligent security solutions for identity and access management, threat protection, information protection, and security management.

Using the cloud is often seen as a way to provide business continuity and recovery. What if your cloud provider has problems?

Check what redundancy and resilience the cloud provider has. Microsoft’s Azure cloud works to SLAs regarding resiliency and availability, with backup servers in different locations to ensure service uptime.

If you’re considering a move to the cloud but aren’t sure where to start, TiG can help. Contact us or download our Compass factsheet to learn more about our services.
