By default, when you store, USE, share or COMMUNICATE your data in the cloud, usually, your data is in a raw, unencrypted format, known as ‘plaintext’, unless you have encrypted your data before being saved or transmitted.

If you leave your data unencrypted, you will face the risk that anyone who GAINS access to your account can read, copy or delete your data. This leaves your data leaked or exposed to unauthorized individuals and entities. Thus, end-to-end data encryption including your emails if stored in Cloud servers, at rest, in-use and in motion, is a must.

On the other hand, from the provider’s point-of-view, they will provide secure storage space and impose confidentiality obligations by limiting user access to those who are authorized to view, edit, add, delete the data based on your requests. What’s more, they will also protect the data from accidental or purposeful unauthorized access by internal or external actors.

Over and above that, you should gather the following information on data confidentiality policies, controls, practices, and technologies the provider has put in place:

1. Access

Whether the vendor provides various ways to securely access our data and services based on certain Access Control Matrix (ACM) constitutes of the users, groups,  permissions, privileges and credentials they offer.

1. Log Management

Whether the vendor provides log files to capture key activities occurring in our cloud environment so we will be able to monitor, analyze them and do follow up, for the purpose of an audit trail in particular.

1. Data ownership

Whether you as the customer maintain FULL control of your data and has the responsibility for managing your data, not only the provider’s services and resources. Ask for the GUARANTEE that they do not access or use your data for any purpose without your consent. Even more, they don’t utilize your content or derive information for marketing or advertising.

1. Storage

Whether you could choose which region, country, or a city in which your data is  stored and what type of storage deployed. Ensure the provider ensure they don’t move, modify, add, delete or replicate your data without your prior consent.

1. Encryption

Encryption provided by the vendor: the type (at rest, in transit, in-use), the algorithm (Symmetric such as Advanced Encryption Standard (AES) or Asymmetric with the likes of Rivest–Shamir–Adleman (RSA) and Elliptic Curve Cryptography (ECC)), the encryption keys and the Key Management.

1. Exception

Whether the provider has any exception policy in intentionally disclosing our data to other parties usually due to a legal obligation, illegal conduct, and or binding order. If it happens, you need to know to whom your data is being unveiled, for what purpose and the provider needs to notify you prior to the disclosure.