Confidentiality of the information
Questions 40 to 72 — as with other information technology systems, see how secure information is in a public cloud service.
Authentication and access control
Questions 40 to 45 — use a strong approach for identity management — see if the provider audits user accounts and has access controls and passwords for authentication that meet your security needs.
Multi-tenancy — multiple customers sharing a pool of computing resources
Questions 46 to 48 — check if the provider has security controls for virtualisation and separating customer data, and will allow you to test its access controls.
Standard operating environments
Questions 49 to 52 — properly configure and manage components of the public cloud service — identify who is responsible for the components in the service model you’re using.
Patch and vulnerability management
Questions 53 to 59 — identify who is responsible for patching each component and make sure patches for vulnerabilities happen quickly.
Encryption
Questions 60 to 63 — check your requirements for encryption — the why, how, who, where and when of the information you need to encrypt.
Insider threat from the cloud service provider
Questions 64 to 68 — check if the service provider has security controls to prevent unauthorised access to your information by the people working there.
Data persistence — are you able to delete information?
Questions 69 and 70 — when the provider scales down or ends services, or reuses or throws away equipment, see if you can delete information to keep it secure.
Physical security
Questions 71 and 72 — see if physical security controls are in place to protect your information.