When small companies choose cloud-based IT services, they immediately look to save time and money. But without experience it is usually impossible to assess the security of a service "by eye". Even if companies read the cloud provider's agreement carefully, they don't always know what to look out for.
The European Network and Information Security Agency (ENISA) decided to help small businesses and created the Cloud Security Guide for SMEs. This guide describes the information security risks facing small and medium-sized businesses, helps to formulate the right questions for the cloud provider, and helps check the service level agreement (SLA). Not everything on this list can be verified with certainty, but some points are fully confirmed by certificates and licenses.
Today we take a closer look at the list of questions for the provider. Let's evaluate it with a fresh perspective, supplement it with examples from Russian practice, and find out what evidence from the provider can really guarantee data protection in the cloud.
1. How does the provider generally manage information security risks?
. , , , Cloud Controls Matrix Cloud Security Alliance, ISO/IEC 27017:2015 , (STAR). , .
, , ISO/IEC 27001. , .
2. , ?
. ENISA :
, . , SaaS , , β . , .
, . , PCI DSS . :
SLA;
3. , ?
, , . , . DR-, .
-, , Uptime Institute;
, , (RTO RPO).
4. ?
5. , ?
6. ?
ISO/IEC 27001;
PCI DSS;
(IdM), , .
7. ?
, . , β β, . ENISA , , .
8. API ?
- API. , , .
9. , , ?
, SLA.
10. ?
GUI, API, ;
11. , ?
SLA, .
12. ?
β β. 152- , .
, - ENISA . , ?