Questionnaire for Cloud Security Requirements

By | May 6, 2014


Today, cloud computing is allowing companies to outsource their data processing to commercial providers, have become a popular and rapidly growing market. But the nature of such services makes customers think primarily about data security.

Specialists of the Alliance for the cloud security (Cloud Security Alliance), which includes companies like eBay, Intuit, DuPont, and ING, the questionnaire was drawn up for the certification of web hosting providers.

Of course, ideally it would personally inspect the data center and meet with staff. If only to see firsthand what all is specified in your contract, there is in reality. But in fact – it’s modal facility with very strict control system on the territory of which, in most cases, the usual customers are not allowed.

So if you are not able to visit the data center provider of e, then all you need can be determined using the probing questions asked. “This set of questions will facilitate the identification of key issues, development of best practices and methods of control, it should help organizations to build a certification process of cloud providers, according to safety”, – say in the CSA.


– Does the provider regularly test the possibility of entering into the system, as well as internal and external security audits, with results that can read the customers?

– Do customers have an opportunity to perform tests on the vulnerability?

– Whether the data is divided logically for different clients and whether they are encrypted for each client, the data is one of them which is accidentally been issued with the data of another, for example, at the request of law enforcement?

– Will the provider be able to recover the data from each client in case of loss?

– What are the measures for the protection of intellectual property service provider takes?

– Does the provider registration of virtual and physical servers used by each client, and whether he could guarantee that the data is stored only in certain countries, if required by the relevant national legislation on the storage media?

– What is your host, policy response to requests for data on clients from government agencies?

– What policy is used by the provider to preserve customer data and whether it has the opportunity to follow the policy of the customer, requiring the removal of data from the network provider?

– Does the provider have an inventory of their assets and a history of relationships with suppliers?

– Was he teaching his staff to make use of security controls – their own and client – and documented such training?

– Is the monitoring and control of user has access rights?

– What are the measures and the scale of the response to security incidents? And also what is responsible for this provider and client.

And although this is not an exhaustive list of tips, but even this is enough to get an idea about the level of security and the right choice of service provider.