Although vendor-written, this contributed piece does not promote a product or service and has been edited and approved by Network World editors.
Finding a cloud provider you can trust has become a major responsibility. Cloud providers come in all shapes and sizes—from global organizations delivering a range of services to small shops specializing in a limited number of capabilities. To normalize the differences you need to ask consistent questions about key issues.
Security should be at or near the very top of your list, with their answers providing the transparency which will help build trust. An essential first step is to avoid making assumptions on what security is and isn’t with respect to a provider. Every provider is different, with different rules, service-level agreements (SLAs), and terms and conditions. Make sure you thoroughly understand what each service provider commits to you, the customer.
Look closely at their terms and conditions. Don’t shirk your duties in this area—don’t simply click “accept” and move on. Dig in and look deeply at different sections within the terms and conditions, and hone in on the data aspects of those details.
Finally, don’t assume that each cloud service has the same guidelines and service delivery targets even within the same provider. Look at terms and conditions for each service.
The good news is that cloud security concerns have diminished greatly in recent years as cloud providers develop a track record for successful security practices. Still, executives and their boards are concerned about whether their organizational data is truly secure in the cloud. These concerns should lead you to ask questions similar to the following.
* Who has access to my data, both physically and virtually? Physical access is different than virtual access. It’s important to ask about both types of access questions:
- What security posture does the organization have in place when their data center is accessed?
- Do their personnel have security clearance, and are they protecting the physical access of data from outsiders?
- What are the institution’s or the data center’s policies, and how are they protected?
- Who has access to the data virtually? Where is accessed from and why?
- How are they accessing it? Do they use VPN, and is the data encrypted? If it is encrypted, how are the encryption keys secured?
* Does the provider outsource data storage? Many companies leverage outsourcing companies to provide services, but it’s possible that your is outsourcing your data to another location or even to another vendor. If so, you need to decide if you’re comfortable with that arrangement.
* How does the provider handle legal requests for data review? Whether those requests come from their customers or from governmental bodies stemming from legal or regulatory issues, handling these requests requires finesse, experience and sensitivity to corporate governance policies, as well as compliance mandates. It’s not unheard of for the quality of your data to be impacted by legal requests, and you need to understand the traceability of the data and how requests are handled.
* How and when is data deleted? Because every provider is different, it’s important to understand that there are storage complications given how much data is traversing the world nowadays. You will want to understand how much data is stored by your cloud provider and, in particular, how much of your specific data is stored. In addition, ask how long your data will be stored, when is it deleted, and how data deletion decisions are made.
* What is the data architecture? Specifically, ask how your data is isolated from that of other customers in a multi-tenant environment. Ask your provider to explain how your data is segmented from other customers’ data and how that may change in the future.
* What certifications and/or third-party audits are performed? Certifications will provide you with a better understanding of how mature the provider is, what things they are concerned about, and whether they are committed to continuous improvement. From a third-party audit perspective, you’ll want to know how frequently the provider is looking at changes and making sure that they are meeting the expectations of their customers and vendors.
Security and privacy are tightly intertwined, but there are a number of questions unique to privacy that you should ask your cloud provider. And privacy questions, while obviously rooted in compliance, aren’t limited only to regulatory issues.
* What data is collected from our organization and how is it kept private? Privacy is a little bit different for each organization, so it’s especially important to define what privacy means for your key stakeholders within your organization.
* What is the data used for? It’s often amazing to learn about the different uses for your data—some of which will surprise or perhaps even concern you. Be sure your cloud provider understands your governance policies on acceptable use of data.
* How long does the cloud provider retain that data? The terms and conditions may state that data is collected for 30 days or perhaps 90 days or even a year. But that does not necessarily dictate how long the organization may keep your data. This will be very different for every provider, for every service, and for every piece of data that’s collected. You could have data that is anonymized, stored, and utilized for testing for many, many years, so make sure to ask about retention.
* Does the provider encrypt your data and in what manner? This is important to know, to ensure that anything that you deem classified or private or that you’re otherwise concerned about, will not be leveraged for other uses by the cloud provider.
* Where is data stored? Do you have any geographical data storage rules or regulations that provider need to follow? Cloud service providers are storing data in a lot of different locations for a lot of different purposes, and you need to understand that and how it aligns with your business practices.
* Is data rolled up and transmitted to other internal or external entities? We all know that this is pervasive across the Internet and that there are many different opt-in/opt-out programs. It’s really important to understand if the cloud provider shares data with anyone, how they share it, when they share it, why they share it, and where is it transmitted.
Beyond security and privacy, your cloud provider’s activities will intersect with many of your organization’s day-to-day operations. Understanding this will help you determine if the ways in which the providers handle your data and serve it to your constituents supports or impacts your operations.
* What is the database and storage architecture redundancy model? Redundancy, in particular, is important because it focuses on how to deal with infrastructure failure without impacting business continuity.
* What is the backup frequency? We’ve all heard this mantra since computers were introduced: back up, back up, back up. And it is extremely important to understand the frequency with which cloud providers do backups. Obviously, the more frequent the backup, the better your redundancy will be. It will make it easier for your provider to restore service to a specific point and time if there is any failure.
* What is the recovery time from failure? It is inevitable that your provider will have an issue at some point in time. It is imperative that you understand how long it will take your cloud provider to recover your data. Is it minutes, hours, days, or weeks? Failures will happen, but you need to know how quickly it will take to recover from that failure when you’re leveraging a service provider.
* How can we access or download data from the service? Asking this question helps you to understand the different philosophies of service providers and get better insight into how those steps align or conflict with your operational processes.
* Which analytical tools are available to view our data? The service provider may have a wealth of your data in their service, and you might not want to have to pull all that data out and leverage third-party analytics tools to compress it and make sense of it. It’s much more beneficial if the service provider provides you that service so that you can do aggregation and modeling of the data.
* If there is data corruption, what is the maximum data loss that we can expect? This should tie into the redundancy and recovery questions, noted earlier, and they should be closely aligned. How long will it take to recover from a data failure, and how will that recovery process actually affect the data quality?
As you go about the process of evaluating potential cloud providers, these security, privacy and operational questions can improve your confidence in the ultimate selection. Of course, these questions should be weighted and adjusted to reflect your organization’s business model, operational priorities and corporate culture.
These questions can also act as important reality checks on your ongoing assessment of your current cloud provider’s performance, and they serve as a periodic level set for new services you may need as your business evolves.
Tischart is the CTO for Cloud/SaaS at Intel Security and is responsible for leading the creation of Intel Security’s future-generation cloud solutions and creating sustainable competitive advantage. Intel Security, with its McAfee product line, is dedicated to making the digital world safer and more secure for everyone.