Skip to main content

Three cybersecurity questions every organisation should ask their cloud service providers

(Image credit: Image Credit: Sergey Nivens / Shutterstock)

For one month each year, companies and governments around the world participate in National Cybersecurity Awareness Month, raising awareness about the importance of IT security in our organisations and communities. As a new decade unfolds ahead of us – it’s critical to remember that security awareness is not just a one-month endeavour. It’s a daily practice that needs to be omnipresent and deeply embedded within both organisations and the cloud providers they select.

When choosing among the variety of cloud providers operating in today’s market, you want to make sure you’re asking the right questions about how they provide security for your data in the cloud:

How do you maintain compliance within your cloud?

Be certain that your cloud provider not only secures your data, but also adheres to the specified compliance regulations they say they adhere to. A provider’s cloud-delivered systems and services should be compliant with both regulatory standards (global, regional, and industry-specific regulations) as well as obligations they specify in service-level agreements (SLAs).


Trusting what a cloud provider tells you about how they maintain compliance and having them sign a legal agreement are two different stories. You want certainty that regulations and standards will be followed and to be able to prove it when you're audited.

Can you demonstrate independent assessments and due diligence has been performed? And can you produce PCI, FedRAMP, NIST 800-171, ISO 27001, ISO27017/18, ISO 9001, ISO 22301, SOC1, SOC 2, CSA STAR, HIPAA, HITRUST audit reports, certifications, or attestations?

When an audit comes around, cloud providers and their subservice organisations should readily provide compliance verification materials and reports. Select a supplier which can provide audit reports when asked, and can prove their assessments are being completed on a regular cadence. For publicly traded companies, you should also look to ensure its board has an audit committee to review risks related to information security.

How do you train the people who are handling our data?

Aside from assuring the compliance of a provider’s cloud services, you also want to ask about the people who are handling your data. Does the cloud provider perform background screening on new hires? Is their technical datacentre personnel government-security cleared? Do they provide them with training on information security awareness, secure data handling practices, incident response, data privacy and secure software development practices? These are questions to consider asking that are separate from only infrastructure compliance.

What happens to my data and applications if something goes wrong?

Disaster recovery solutions cover a wide array of possibilities, and enterprises should decide what applications and data need disaster recovery. This can range anywhere from a full suite of disaster recovery capabilities to only having data backup and recovery options for specific workloads, such as mission-critical applications.

How does your organisation guarantee disaster recovery for my data and applications?

After determining your disaster recovery needs, you should open up discussion to establish recovery-point objective (RPO) and recovery-time objective (RTO) capabilities. Likely, you will want SLAs created that can guarantee RPOs and RTOs.

You don’t have a disaster recovery solution? Then what should I do?

If you’re exploring public cloud services, you will find most don’t provide disaster recovery or data backup and recovery solutions as a standard component of their cloud services. This is fine for enterprises who don’t need disaster recovery, but enterprises who do need it will be forced to design, implement, and test their own solution themselves. This results in a time-consuming and costly process which will cause your staff to focus on deploying and maintaining your disaster recovery solution rather than innovation. Another option would be hiring a third-party contractor, but having this built-in to your cloud service provider’s offering is often easier and more cost effective.

Do you have a secure software development lifecycle?

When migrating mission-critical applications, you want offerings which were engineered to be secure at every step. A security development lifecycle process can help reduce vulnerabilities and provide a highly trusted cloud platform. When considering software, you will also want to know if it has been tested against common coding vulnerabilities, such as the OWASP Top 10.

What additional security services do you offer for cybersecurity?

Most cloud service providers have ways to deliver the basic security your enterprise needs. In a traditional cloud, customers remain responsible for the applications, user access, and databases, while the cloud provider takes responsibility for the security and protection of the infrastructure that runs their cloud services. However, sometimes your requirements exceed this typical model, resulting in a need to shift security from the operating system and databases to the cloud provider.

Do you test for security vulnerabilities at the network, system, virtual machine, container and application layers via vulnerability scanning systems and qualified penetration testing teams?

Vulnerability scanning across the entire infrastructure can play a key part in lowering risk. Some cloud providers also deliver a recurring vulnerability report which can be used to schedule maintenance windows and system patches to ensure that the systems are kept up to date.

In addition to vulnerability scanning, you should ask providers about their approach to security monitoring. Ideally, your cloud provider will have a team focused on monitoring the security of your cloud 24x7x365, gathering analysing and monitoring security logs and events. A cloud provider should also have a clear process and SLA to notify you when an event of significance occurs, ensuring that threats to your systems and data don’t become incidents.

Do you offer data encryption solutions, IDS, AV, or other services?

You will want to understand the full range of services offered which you can take advantage of which help fit into your enterprise security model needs.

Find a cloud provider you can trust

Cybersecurity in an important component when working with sensitive data in a cloud environment, and organisations feel more comfortable when they receive this security from a cloud provider they trust. Going with your gut may be a more intangible factor, but make sure that any cloud provider you select has worked hard to understand your business’s needs and truly earn your trust.

Adam Lyons, director, security & compliance, Virtustream (opens in new tab)

With 18 years' experience in enterprise IT and Cloud operations, Adam leads Virtustream's audit, governance, risk management, compliance, privacy and penetration testing programs.