
Searching Questions Your Cloud Service Provider Should Answer About Cybersecurity

Written by  Feb 06, 2020

When choosing from the variety of cloud providers operating in today’s market, you want to make sure you’re asking the right questions about how they provide security for your data in the cloud.

This list of probing questions will give you a clear understanding of not just the quality but the depth of service that your cloud provider offers.

How do you maintain compliance within your cloud?

Be certain that your cloud provider not only secures your data, but also actually adheres to the compliance regulations it claims to follow. A provider’s cloud-delivered systems and services should be compliant with both regulatory standards (global, regional, and industry-specific regulations) and the obligations it specifies in service-level agreements (SLAs).

Will you sign legal agreements relative to the security of data, and data protection regulations like GDPR, or at least sign agreements relative to protecting customer data according to applicable industry standards, frameworks, and regulations?

Trusting what a cloud provider tells you about how they maintain compliance and having them sign a legal agreement are two different stories. You want certainty that regulations and standards will be followed and to be able to prove it when you're audited.



Can you demonstrate that independent assessments and due diligence have been performed? And can you produce ISO 27001, ISO 27017/18, ISO 9001, ISO 22301, SOC 1, SOC 2, CSA STAR, HIPAA, HITRUST audit reports, certifications, or attestations?

When an audit comes around, cloud providers and their subservice organisations should readily provide compliance verification materials and reports. Select a supplier that can provide audit reports when asked and can prove its assessments are completed on a regular cadence. If the provider is a publicly traded company, you should also check that its board has an audit committee to review risks related to information security.

How do you train the people who are handling our data?

Aside from assuring the compliance of a provider’s cloud services, you also want to ask about the people who are handling your data. Does the cloud provider perform background screening on new hires? Are their technical datacentre personnel government-security cleared? Does the provider train them in information security awareness, secure data handling practices, incident response, data privacy and secure software development practices? These are questions worth asking in addition to those about infrastructure compliance.

What happens to my data and applications if something goes wrong?

Disaster recovery solutions cover a wide array of possibilities, and enterprises should decide what applications and data need disaster recovery. This can range anywhere from a full suite of disaster recovery capabilities to only having data backup and recovery options for specific workloads, such as mission-critical applications.

How does your organisation guarantee disaster recovery for my data and applications?

After determining your disaster recovery needs, you should open up discussion to establish recovery-point objective (RPO) and recovery-time objective (RTO) capabilities. Likely, you will want SLAs created that can guarantee RPOs and RTOs.

You don’t have a disaster recovery solution? Then what should I do?

If you’re exploring public cloud services, you will find most don’t provide disaster recovery or data backup and recovery solutions as a standard component of their cloud services. This is fine for enterprises that don’t need disaster recovery, but enterprises that do need it will be forced to design, implement, and test their own solution. This is a time-consuming and costly process that will cause your staff to focus on deploying and maintaining your disaster recovery solution rather than on innovation. Another option would be hiring a third-party contractor, but having this built in to your cloud service provider’s offering is often easier and more cost effective.


Do you have a secure software development lifecycle?

When migrating mission-critical applications, you want offerings which were engineered to be secure at every step. A security development lifecycle process can help reduce vulnerabilities and provide a highly trusted cloud platform. When considering software, you will also want to know if it has been tested against common coding vulnerabilities, such as the OWASP Top 10.

What additional security services do you offer for cybersecurity?

Most cloud service providers have ways to deliver the basic security your enterprise needs. In a traditional cloud, customers remain responsible for the applications, user access, and databases, while the cloud provider takes responsibility for the security and protection of the infrastructure that runs their cloud services. However, sometimes your requirements exceed this typical model, resulting in a need to shift security from the operating system and databases to the cloud provider.


Do you test for security vulnerabilities at the network, system, virtual machine, container and application layers via vulnerability scanning systems and qualified penetration testing teams?

Vulnerability scanning across the entire infrastructure can play a key part in lowering risk. Some cloud providers also deliver a recurring vulnerability report which can be used to schedule maintenance windows and system patches to ensure that the systems are kept up to date.

In addition to vulnerability scanning, you should ask providers about their approach to security monitoring. Ideally, your cloud provider will have a team focused on monitoring the security of your cloud 24x7x365, gathering, analysing and monitoring security logs and events. A cloud provider should also have a clear process and SLA to notify you when an event of significance occurs, ensuring that threats to your systems and data don’t become incidents.

Do you offer data encryption solutions?

You will want to understand the full range of services on offer that you can take advantage of and that fit the needs of your enterprise security model.


Cybersecurity is an important component when working with sensitive data in a cloud environment, and organisations feel more comfortable when they receive this security from a cloud provider. Providers must work hard to understand your business’s needs and truly earn your trust.

1 comment

  • Will Anderson, Thursday, 06 February 2020 10:28

    Excellent questions and well thought out answers
