The word “Cloud” brings up a lot of mixed opinions regarding compliance and security responsibility. While some organizations understand the “shared” concept of responsibility with the provider, others consider the cloud as a complete transfer of their current on premise responsibility to their Provider.
When deliberating a move to the cloud an organization needs to understand how the Provider can help the organization meet its requirements. Asking yourself and the potential Provider some of these questions can help drive your decisions in the cloud.
Questions the organization needs to ask
- What data will I store in the cloud?
- How do I secure my data today?
- How robust is my own security program today? Is the provider’s program more mature or comprehensive?
- How much visibility or control do I want to have in the cloud?
- How much risk am I willing to accept to receive the business benefits of going to the cloud?
- What regulations and compliance does my data need to follow (i.e. HIPAA, PCI, GLBA, SOC I/II are just some examples
Questions to ask the Provider
- What cloud service model do you propose (IaaS, PaaS, SaaS or other?) What security role will each of us have to support the model?
- Are you compliant with the regulations I need for my business?
- How can you help me meet my compliance requirements?
- Can you provide a compliance report from a third party?
- What components are included in your security program?
Cloud Service Models:
The customer is always accountable for compliance and security in the cloud. However, depending on the type of service model, the Provider may assist the customer with the responsibilities of security. A clear and direct understanding of responsibility is important for both the customer and the Provider. The 3 most common cloud service models are as follows below:
- IaaS (Infrastructure as a Service)
- PaaS (Platform as a Service)
- SaaS (Software as a Service)
The diagram helps visualize customer and Provider responsibility. Where the Provider has some responsibility, it is important that the customer understands what responsibility the Provider assumes.
This blog covered security-related questions that are important to ask when contemplating a move to the cloud. An organization must consider what their security and compliance requirements are to evaluate the pros and cons of entrusting their data to the cloud.