Cloud Data Security: 14 Security Questions You Need to Ask When Evaluating a Cloud Product

As many organizations move their business intelligence architectures to the cloud, they have the opportunity to consider a number of powerful cloud-based data products – like Matillion. When evaluating a cloud product, as with any product, you need to consider your organization’s cloud data security requirements or mandates.

Any company moving data to the cloud needs an enterprise cloud data security strategy that aligns with its overall data security strategy. However, as we say in our ebook, The Data Leader’s Guide to Enterprise Cloud Security, the question you should be asking is not, “Is my secure in the cloud?” Instead, ask, “Am I using the cloud securely?” This will help guide your policies around governance, security controls, and the right cloud deployment and service models for your organization.

There are several crucial questions you should ask about a product’s suitability for your cloud security model. Getting answers will help you clarify how you’ll be using the product, what your expectations are, and whether or not it’s actually going to work for you in the cloud.

No one product is the right answer for everyone. You might need something that allows more control over security. For example, Matillion ETL is cloud-deployed directly into your cloud infrastructure. This type of deployment gives you the maximum amount of control in the cloud. A SaaS product, on the other hand, puts more control in the hands of the SaaS provider.  Or you may have some combination of both, depending on your data.

14 Questions to Ask When Evaluating a Cloud Product

These security-related questions help drive discussion around cloud-based products and components and how they fit into the security requirements of your broader architecture. To help you gather information during your fact-finding, you can download this security question worksheet to use for reference and notes.

General questions

• Where is the product deployed: on-premises, cloud, or hybrid?
• What cloud service model is used by the cloud component (s) of the product (IaaS, PaaS, SaaS)?
• If using a PaaS or SaaS product, what other cloud providers are involved? What is their responsibility for your security needs?
• Can the cloud component of the product access all required data sources?

Preventive controls

These are questions that center around the security controls that help prevent a security breach.

• Is data encrypted while in transit and at rest, when used or accessed by the product?
• What roles or individuals at the cloud provider can access data that is stored in the cloud, but owned by the cloud consumer?
• What regulatory compliance mandates has the cloud provider been certified against?
• Does the product support role-based access for its users?
• What methods of user authentication are supported by the product?
• Where are standards or certifications needed in your cloud infrastructure?

Detective controls

Detective controls are the security controls that can alert you when a security breach occurs.

• What auditing capabilities exist in the product as it relates to access and usage of the product?
• How often does the provider perform vulnerability scans on its product?

Corrective controls

Corrective controls are the security controls that can help you recover after a security breach.

• What backup and recovery methods exist for the product and/or underlying data?
• If a cloud provider experiences a security breach, what processes are in place to notify impacted consumers?

When in doubt about cloud data security, turn to the experts

If you have any questions around security and the cloud, download our ebook, The Data Leader’s Guide to Enterprise Cloud Security, written by our Principal Solution Architect, Arawan Gajajiva.  This ebook gives you the lowdown on the sliding scale of responsibility in cloud security, important security controls, and more.