January 27, 2010

Cloud Computing Security - 10 questions to ask yourself

In a recent CIO Magazine article, Tim Brown took the time to assemble 10 questions that should be investigated in detail before making the move to Cloud Computing.

Here is a brief recap, which I hope we’ll be able to brainstorm on together:

1. Will Cloud Computing change my risk profile?
2. Does it have an impact on my current information security policy, and should the policy be modified accordingly?
3. Does cloud computing prevent us from meeting our regulatory obligations?
4. Is the selected provider using / certified against current security standards (ISO 27001, FINMA, FISMA…)?
5. What is the incident response workflow between them and our organization should an incident occur?
6. Who is responsible / liable for securing the data?
7. How do I ensure that only appropriate data is moved to the cloud?
8. How do I ensure that only authorized parties can access those data?
9. What is the hosting model and security architecture (clustering, zoning, isolation, segmentation, shared space…)?
10. How are we going to determine if we can trust this provider now and in the future?

The interesting thing about those questions is that they can be asked for any type of outsourcing deal.

My questions to you are:
- What are your top three questions in this list?
- What steps would you take to ensure that you obtain adequate information to take a position on those three questions?

Have a great day and talk to you soon!

Martin Dion (CISSP/CISM)
ISO:27001 Lead Auditor & Trainer
CTO @ Above Security
