Five Security Questions You Should Ask Your Cloud Services Provider

If you’re in the market for a cloud services provider, you should have several security questions at the ready. Consider it a shopping list of must-haves to run through with any provider, and the best way to ensure you’re getting the most secure and trusted IaaS offering possible.

Cloud Security Questions

1. Can you ensure isolation of my virtual machines (VMs) from those of your other customers? In a multi-tenant environment, for any offering to be secure, it must include proper isolation of customers’ VMs. Without VM isolation, you can’t be assured that infections or malware won’t proliferate from another customer’s VM to your organization’s VM, or that your sensitive and valuable information will remain protected from unauthorized access. That’s why your IaaS provider must offer both highly granular firewall-based isolation for each VM or group of VMs via virtual firewall technology, as well as an automated security-enforcement process. This way, newly created VMs within a group inherit the security policy being applied to the resources of that group, ensuring that virtualization security and firewall protection are applied and enforced consistently and that your business remains decisively your business (and vice versa).

2. Are you able to deliver PCI-compliant operation of my VMs? Any business that processes credit card information needs to be in compliance with regulatory mandates, such as PCI. In a virtualized environment, to remain compliant, you will need the ability to restrict VMs to a single function, and this can only be done with virtual firewall technology that can granularly restrict a VM to accepting and forwarding only certain types of traffic (i.e., by application, port, or protocol). Therefore, you should ask your IaaS provider if they incorporate a virtualization security solution that offers granular visibility, segregation, and access control of VM use for PCI compliance. To boot, your provider should also offer the means to fulfill compliance reporting requirements in an automated manner.

3. As the customer, do you allow me to manage the security of my own VMs? Self-service options are always a plus. Ask if your IaaS provider can offer you visibility and manageability over your own security. While the cloud service provider may offer you properly configured and secured VMs, you may want to ask if you can manage parts of the security policy governing access on your own. This way, you can adjust VM access to quickly meet time-sensitive business objectives. An ideal model is one where the security experts of the cloud service provider deliver a properly configured VM that they secure and isolate, but you are offered the option to make adjustments to your policy in concert with their security administrators.

4. How do you ensure maximum availability of my VMs? No business can afford downtime. That’s why your cloud services provider should be able to offer SLAs of three- to four-nines (99.9% and 99.99%) availability per individual VM workload that is inclusive of fault-tolerant, continually enforced security. In other words, you want maximum availability and security for your VMs – as opposed to one delivered at the cost of the other. To be sure that the IaaS provider has the latest and best technology, you’ll want to ask if the virtualization security solution incorporated within is fault-tolerant. What happens to business flow and security enforcement if the firewall module that enforces security policy fails? What happens if that same module loses communication with its management system? The answer to both should be – business as usual. Traffic and security continue, with a hot-standby mechanism providing the required protections.

5. Can I get reports of access activity and compliance for my VMs? When it comes to maintaining optimal VM security, compliance, and peace of mind for that matter, the best offering from your IaaS provider is comprehensive reporting delivered on a schedule. You want to know the security health of your VMs, and granular reporting can give you that picture. These types of reports should contain a complete inventory of your VMs, VM groupings, and their security state; a comprehensive list of all applications installed on VMs, including operating system patch levels and application versions; and an overall compliance assessment that gives the state of each VM relative to the desired state or policy (i.e., proof of white list enforcement).

Keep in mind that as you evaluate your cloud services providers, they will have different offerings for security that will vary based on the underlying architecture that the provider has installed. Ultimately, you want the most granular security and proof that this level of protection is continually in effect, even in the highly dynamic world of cloud computing.
