In our post yesterday, Amazon’s IT Director Jen Boden said that the company would never have considered using Amazon Web Services (AWS) if it did not provide a virtual private network. She further added that Amazon Web Services had recently completed a security audit, which helped her cause with auditors.

But Boden also had a level of resources available that could only come from a cloud computing provider. For the uninitiated, security is a daunting issue. IT is accustomed to controlling an IT environment. What you control in the cloud is a different matter. In the cloud, IT must be more aware of how data flows, tracking it more so than restricting it.

Mike Kirkwood makes this point in The Future of the Cloud: Cloud Platform APIs are the Business of Cloud Computing, the report ReadWriteWeb published today and now available for download.

He writes:

“In our emerging world of API communication and portable systems, a lot of security work will be focused on tracking the movement of data, rather than restricting it. Instead of minimizing the surface area of the enterprise, the next phase will be about tracking where all data is being shared, consumed, and altered.”

SaaS Chronicles has put together a good list of questions that can help you gain more insight into security and provide some additional context for the ways data flows in the cloud:

  • Where will my data be stored?
  • Who will have access to my sensitive data?
  • What controls do you have in place to ensure safety for my data while it is stored in your environment?
  • What type of employee / contractor screening do you do before you hire them?
  • Will my data be replicated to any other datacenters around the world (if yes, then which ones)?
  • What is your Disaster Recovery and Business Continuity strategy?
  • Is your Cloud Computing service SAS70 compliant?
  • Do you offer single sign-on for your services?
  • How do you detect if an application is being attacked (hacked), and how is that reported to me and my employees?
  • Do I have full ownership of my data?
  • Will you provide me my data in a readable format – PDF, Excel, Access…?
  • Do you offer a way for me to run your application locally, and how quickly can I revert to the local installation?

What do you think? What questions do you suggest asking about cloud security?