Cloud service level agreements (SLAs) are common – but how well do they protect you, the customer? SLAs typically focus on performance, offering assurances of 99.9% or higher cloud service availability. But they often fall short in detailing how cloud service providers will secure and protect the data you place into the cloud. In essence, cloud SLAs are as much marketing tools designed to protect the cloud provider as they are guarantees for their customers.
Certainly, cloud providers strive to provide highly secure infrastructure and operations. Oftentimes they can provide better cybersecurity protections than customers can within their own data centers. Still, in one survey of 1,200 IT decision makers, nearly 20% said they had SLA and other contractual issues with regard to cloud security. Nearly one quarter said they lacked good visibility into security incidents that occurred at their cloud service providers’ operations.
If that’s the situation you find yourself in, you need to ask harder questions before signing up for any new cloud services.
Cloud Security Is a Shared Responsibility
First, a reality check. Just as it’s impossible for cloud providers to guarantee 100% uptime, it’s also impossible to guarantee 100% secure operations. As such, your goal should be to make sure the provider has a comprehensive security and privacy regime that provides protections that match the value and sensitivity of the data you’ll place in the cloud. It’s also important to determine how you and the cloud provider may share responsibilities to safeguard your data, and to make those respective responsibilities clear in any contract you sign.
The questions you need to pose to a prospective cloud services provider should explore every aspect of data security and privacy as well as general operational information. Among the most important:
- What physical security measures are in place at your cloud data centers?
- Do you have third-party audits or other evidence of compliance with relevant government or industry-specific regulatory requirements?
- What cybersecurity systems and techniques do you deploy (e.g., authorization and authentication systems, firewalls, antivirus scanning, DDoS detection and prevention, or behavioral analytics)?
- How and when is my data deleted?
- Do you have a comprehensive, and regularly tested, incident response plan in place?
- What is your data architecture, and how is my data isolated from your other customers?
- What is the redundancy model for your database and storage architecture, and what are your backup procedure and schedule?
- What data do you collect from my organization, and how is it kept private?
These questions are just a sample of the full list of topics you should explore. Many questions will relate to the specific characteristics and needs of the operations and data you will place in the cloud.
One final caution when it comes to evaluating the security controls and assurances your cloud providers may offer: don’t forget about performance. Security measures must be strong enough to provide adequate protection, but not so onerous and sluggish that they grind your service performance to a snail’s pace. One common problem to consider, for example: will antivirus solutions introduce long delays during scans because they aren’t designed for use in highly virtualized cloud environments?
Given all of these issues, it’s vitally important to look beyond the standard SLA promises of service availability and go the extra mile to investigate the security, privacy, and operational capabilities of any potential cloud provider.