Finding The Hidden InfoSec Story

Is Your Cloud Provider a Good Sailor?



There is a saying that goes “With good sea, everybody is a sailor”. That is to say, if there are no problems, drawbacks or bad weather, luggage is not lost and the ship does not sink, anybody can be considered a good sailor.

But the good sailor is actually the one who, when faced with an incident, has the background, experience, resources and guarantees to respond adequately and save his ship and its contents.

If there is a breach, a storm or a typhoon, are there preventive detection mechanisms? Does the ship comply with security regulations? Does it have insurance coverage for any possible damages and losses that could be suffered? Does it have a good reputation and sound experience? In the worst-case scenario, do we have lifejackets and lifeboats? Does it have the best rescue team?

When we talk about cloud service providers, the same principles apply. What are the guarantees that we should consider before placing ourselves in their hands?

  • What security systems do they have?
  • Is data encrypted?
  • Do they provide me with information about where their data centres are?
  • In case of attack, virus or hackers, what are the preventive measures and response mechanisms?
  • Do they keep backup copies?
  • Who is responsible in case of breach?
  • What legislation and jurisdiction govern the contract? Can I be forced to go to the courts stipulated in the contract, even if they do not fall within European jurisdiction?
  • Who can access my data? Do they share my data with third parties? On what grounds?
  • In the worst-case scenario, what damages are covered?
  • If I wish to change cloud provider, will they guarantee that the company's access to its data will be operational within a short timescale?

These are some of the questions that we should ask ourselves. If our business suffers damage, we get sanctioned for lack of adequate security measures, or we cause damage to our employees or clients, full responsibility will lie with us for not choosing a better provider. And on top of that, we will not be able to sue them for monetary compensation. As a consequence, when selecting a cloud provider, don’t limit your judgement to the simple question of price.

A company committed to its business, its clients and its employees' data must apply due diligence in order to select a provider that can offer the best coverage and guarantees.

Lack of due diligence cannot be repaired when we put all our business and data in the hands of amateurs or in the hands of an unreliable navy which washes its hands of all responsibility or does not provide us with the necessary information, and sails without any guarantees in the middle of uncertain and dangerous waters.

Author: Laura Vivet
