5 Key Questions Every Cloud Consumer Needs to Ask About Security

Joe McKendrick
Insurance Experts' Forum, April 14, 2014

There's a growing consensus that despite all the concerns about security of public cloud services, data and applications are actually safer in the cloud. That's because cloud vendors make it their business to adhere to best practices and certifications when it comes to security. Enterprise IT departments may have trouble keeping up with everything they need to do to ensure security.

However, that doesn’t excuse enterprise IT and business managers from being vigilant about cloud security. When something goes wrong, it's ultimately the fault of the cloud customer, no ifs, ands or buts. The onus is on the customer to uncover laxity or carelessness on the part of the cloud vendor. Just as a CEO is ultimately responsible for the behavior and competencies of his or her management team, the cloud consumer needs to be vigilant about the cloud services his or her company consumes, and be willing to fire a service that doesn’t meet expectations.


This vigilance starts with asking the right questions at the outset of a cloud engagement. In a recent post, Cisco’s Evelyn de Souza says that's what cloud security boils down to: simply asking the right questions. And this doesn’t happen enough.

“Cloud consuming organizations often don’t ask enough questions about what is contained in their service-level agreements, and about the process for updating security software and patching both network and API vulnerabilities,” she writes.

Here are some of the key questions that need to be asked before signing a cloud contract:

  1. What information does the cloud hosting partner/provider make publicly available about their security processes and services?
  2. What assurances can the cloud hosting partner/provider provide around secure data handling, storage and transmission processes?
  3. How often do they perform audits and what types of audits do they perform?
  4. What kind of physical security does my cloud-hosting partner maintain?
  5. Do they have customer references that you can speak with?

Along with de Souza's suggestions, I would suggest that you ask about two additional elements: the health of the vendor's business and the ultimate ownership of data; and the terms for returning data upon termination of the contract or if the provider goes out of business. Just as important as guarding against hacks is assuring the viability of the vendor's business.


Joe McKendrick is an author, consultant, blogger and frequent INN contributor specializing in information technology.


This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.
