Virtustream Blog

Alleviating Cybersecurity Concerns by Asking the Right Questions


During the month of October, companies and governments around the world participated in National Cybersecurity Awareness Month, raising awareness about the importance of security in our organizations and communities. Now that October is far behind us, it’s critical to remember that security awareness is not just a one-month endeavor. It’s a daily practice that needs to be embedded within both an organization and the cloud provider they select.

Securing Your Information Assets with the Right Cloud Provider

When choosing between the variety of cloud providers that exist in today’s market, you want to make sure you’re asking the right questions about how they provide security for your data in their cloud environment, such as:

“How do you maintain compliance within your cloud?”

Be certain that your cloud provider not only secures your data, but actually adheres to the compliance regulations it claims to follow. A provider’s cloud-delivered systems should be compliant with both regulatory standards (global, regional, and industry-specific regulations) and the obligations the provider specifies in its service-level agreements (SLAs).

“Will you sign legal agreements relative to the security of data and to data protection regulations such as GDPR and HIPAA, or at least sign agreements relative to protecting customer data according to applicable industry standards, frameworks, and regulations?”

Trusting what a cloud provider is telling you about how they maintain compliance and having them sign a legal agreement relative to maintaining that compliance are two completely different stories. You want certainty that regulations and standards will be followed, and, just as important, you want to be able to prove it when you're audited.

“Can you demonstrate that independent assessments and due diligence have been performed? And can you produce PCI, ISO 27001, SOC 2, CSA STAR, or HIPAA audit reports, certifications, or attestations?”

When an audit comes around, the cloud provider you choose should provide the reports needed to verify compliance. Select a cloud provider who can provide audit reports when asked and can prove that their assessments are completed on a regular cadence. For publicly traded companies, you should also confirm that the board has an audit committee that reviews risks related to information security.

“How do you train the people who are handling our data?”

Aside from assuring the compliance of a provider’s cloud services, you also want to ask about the people who are handling your data. Does the cloud provider perform background screening on new hires? Are their technical data center personnel government security cleared? Does the company train them in information security awareness, secure data handling practices, incident response, and data privacy? These questions go beyond infrastructure compliance alone and are worth asking separately.

“What happens to my data and applications if something goes wrong?”

Disaster recovery solutions cover a wide array of possibilities, and enterprises should make a determination before selecting a cloud provider regarding what applications and data need disaster recovery. This can range anywhere from a full suite of disaster recovery capabilities to only having data backup and recovery options for specific workloads, such as mission-critical applications.

“How does your organization guarantee disaster recovery for my data and applications?”

After determining your disaster recovery needs, you should open a discussion with your potential cloud provider about their recovery-point objective (RPO) and recovery-time objective (RTO) capabilities. You will likely want SLAs that guarantee those RPOs and RTOs.
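The RPO/RTO discussion above is easier to hold with numbers in hand. The following is an added example, not Virtustream's code and not part of the original post: it takes constructed backup timestamps and one constructed failure-and-restore event and checks them against hypothetical targets of a 4-hour RPO and a 2-hour RTO. The check a practitioner wants is the worst-case one: the RPO a schedule can actually guarantee is the largest gap between successful backups, not the nominal interval, so a single missed backup job is enough to break the commitment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RecoveryTargets:
    """Targets the provider commits to in the SLA (values used here are constructed)."""
    rpo: timedelta  # recovery-point objective: maximum tolerable data loss
    rto: timedelta  # recovery-time objective: maximum tolerable time to restore


@dataclass(frozen=True)
class RecoveryOutcome:
    data_loss: timedelta     # failure time minus the last successful backup
    restore_time: timedelta  # time service was restored minus failure time
    rpo_met: bool
    rto_met: bool


def worst_case_data_loss(backup_times):
    """Largest gap between consecutive successful backups.

    A failure just before a backup completes loses everything since the previous
    one, so the largest gap is the data loss the schedule can actually guarantee.
    """
    times = sorted(backup_times)
    if len(times) < 2:
        raise ValueError("need at least two successful backups to measure a gap")
    return max(later - earlier for earlier, later in zip(times, times[1:]))


def schedule_satisfies_rpo(targets, backup_times):
    """True if every interval between successful backups fits inside the RPO."""
    return worst_case_data_loss(backup_times) <= targets.rpo


def evaluate_recovery(targets, backup_times, failure_at, restored_at):
    """Measure one recovery event against the RPO/RTO targets."""
    prior = [t for t in backup_times if t <= failure_at]
    if not prior:
        raise ValueError("no successful backup completed before the failure")
    last_good = max(prior)
    data_loss = failure_at - last_good
    restore_time = restored_at - failure_at
    return RecoveryOutcome(data_loss, restore_time,
                           data_loss <= targets.rpo, restore_time <= targets.rto)


# Constructed sample: hypothetical 4-hour RPO / 2-hour RTO and one day's backup log.
TARGETS = RecoveryTargets(rpo=timedelta(hours=4), rto=timedelta(hours=2))
COMPLETE_LOG = [datetime(2024, 1, 1, h) for h in (0, 4, 8, 12, 16, 20)]
# The same schedule with the 08:00 run missing, as a failed backup job would leave it.
GAPPED_LOG = [t for t in COMPLETE_LOG if t.hour != 8]


def sample_recovery():
    """Constructed event: failure at 13:30, service restored at 15:00, complete log."""
    return evaluate_recovery(TARGETS, COMPLETE_LOG,
                             failure_at=datetime(2024, 1, 1, 13, 30),
                             restored_at=datetime(2024, 1, 1, 15, 0))


if __name__ == "__main__":
    print(sample_recovery())
    print("complete schedule meets RPO:", schedule_satisfies_rpo(TARGETS, COMPLETE_LOG))
    print("gapped schedule meets RPO:", schedule_satisfies_rpo(TARGETS, GAPPED_LOG))
```

Run against a provider's real backup job history, the `worst_case_data_loss` figure is the number to compare with the RPO written into the SLA; a 4-hour backup interval only delivers a 4-hour RPO if no run ever fails, which is exactly the kind of evidence an audit report or job log can confirm or refute.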

“You don’t have a disaster recovery solution? Then what should I do?”

If you’re exploring public cloud services, you will find that most don’t provide disaster recovery or data backup and recovery solutions as a standard component of their cloud services. This is fine for enterprises that don’t need disaster recovery, but enterprises that do need it will be forced to design, implement, and test their own disaster recovery solution. This is a time-consuming and costly process that will keep your staff focused on deploying and maintaining the disaster recovery solution rather than on innovation. Another option is hiring a third-party contractor, but having this capability built into your cloud service provider’s offering is often easier and more cost-effective.

“Do you have a secure software development lifecycle?”

When migrating mission-critical applications, you want offerings that were engineered to be secure at every level. A security development lifecycle process can help reduce vulnerabilities and provide a highly trusted cloud platform. When asking a provider about its software, you will also want to know whether that software has been tested against common coding vulnerabilities, such as the OWASP Top 10.

“What additional security services do you offer for cybersecurity?”

Most cloud service providers have built-in ways to deliver the basic security your enterprise needs. In a traditional cloud, the customer remains responsible for the applications, user access, and databases, while the cloud provider takes responsibility for the security and protection of the infrastructure that runs its cloud services. However, sometimes your requirements exceed this typical responsibility model, so that responsibility for securing the operating system and databases also needs to shift to the cloud provider.

“Do you test for security vulnerabilities at the network, system, virtual machine, container and application layers via vulnerability scanning systems and qualified penetration testing teams?”

Vulnerability scanning across the entire infrastructure can play a key part in lowering risk. Some cloud providers also deliver a recurring vulnerability report, which can be used to schedule maintenance windows and system patches so that systems are kept up to date.

In addition to vulnerability scanning, you should ask potential cloud providers about their approach to security monitoring. Ideally, your cloud provider will have a team focused on monitoring the security of your cloud 24x7x365, gathering and monitoring security logs. A cloud provider should also have a clear process to notify you when an event of significance occurs, ensuring that threats to your systems and data don’t become incidents.

“Do you offer data encryption solutions, IDS, AV, or other services?”

You will want to understand the full range of services offered that you can take advantage of to fit your enterprise security model.

Find a Cloud Provider You Can Trust

Cybersecurity is an important component when working with sensitive data in a cloud environment, and organizations feel more comfortable when they receive this security from a cloud provider they trust. Trust is at the foundation of Virtustream’s strategy, and it is essential to customers who rely on us to maintain the security, compliance, and integrity of their most important applications. We are committed to sustaining customer trust, which is why we feel confident letting you know what we are doing, when we are doing it, and why.

To discover how Virtustream keeps customer workloads and data secure, visit our Trust Center. Visit StaySafeOnline to learn more about the recent National Cybersecurity Awareness Month and see what you can do to promote a safer and more secure internet for everyone.