Whether you're a small business relying on Google Docs for document sharing or an enterprise moving your global ERP system to the cloud, you should demand that some common security and compliance requirements are met by vendors providing applications and services over the Web. These requirements involve who can access your applications and data, as well as the systems hosting them; where the data is stored; and whether the data is hosted on dedicated, rather than on shared, hardware. They also ensure that you get detailed logs of who has accessed your data and applications so that you meet corporate and regulatory standards, and they verify that data is properly encrypted -- a factor that's more critical outside the corporate firewall.
What you demand of the cloud depends on your corporate standards and your compliance needs, the amount and type of workloads you're moving to it, and how you are dividing administrative and security responsibility between your staff and your provider. Security requirements also vary depending on whether you're using software as a service (SaaS), infrastructure as a service (IaaS) or platform as a service (PaaS) offerings. But you should at least consider each of the following questions in your cloud security plans.
1. Who has authentication/access control?