Following our recent blog on Cloud Computing Security Threats & Concerns, we have put together a list of just some of the questions you should be asking when choosing a cloud service provider for your business.
The key to minimizing risk and ensuring that your move to the cloud is painless is choosing the right provider and understanding their processes and policies. So, when considering a solution, we recommend that you keep the below questions in mind.
How do you protect against data loss?
Your cloud service provider should have specific policies in place to mitigate the risk of a permanent loss of data. These should include regular backups of data, and ideally copies should also be stored offsite. You should also review the provider’s contingency plan in the event of data loss and check the controls in place to restrict access to your data.
Where is my data stored?
It is important to know the specific geographic location or locations your data will be stored in. This may impact upon your regulatory compliance requirements and the level of threat to your organization’s data. Ideally you will want your data stored in a jurisdiction which is relatively stable and free from natural disasters. You should also inquire about the process in the event your data is moved and the cancellation procedure if you are not satisfied with the new location.
What infrastructure do you use and do you own it?
You should investigate whether your service provider fully owns and operates the data center or if they lease some infrastructure or share some resources with other service providers. You should also ask if any aspect of the service you receive is delivered by a service provider or any third party. In cases where third parties are involved, you should consider the level of compliance between the different operators and how third-party activities may impact your service.
What happens to my data if the contract is terminated?
It is important that you fully understand from the start what will happen to your data when the contract is terminated. Your service provider’s contract should include details on access to data and transition times in the event that you cancel the contract. You should also look for assurance that your data and backups will be accessible in the event the service provider goes out of business. Lastly, review the assignment clause in the contract in the event that the provider is purchased by another company.
How do you detect security compromises?
You should assess the policies your service provider has in place to monitor and detect a compromise in security and their specific intrusion detection methods. In addition, you should assess the provider’s specific policies and commitment to notification in the event that a data breach does occur.
Who pays in the event of a data breach?
A data breach can result in significant financial penalties for your organization if personal or sensitive information is extracted or accidentally leaked. As such, you should review the service provider’s contract to understand who is financially responsible for data breaches. You may also check if the provider has insurance to specifically cover the cost of data breaches.
How do you ensure deleted data cannot be recovered?
Just as important as ensuring that your data is not lost or compromised is ensuring that deleted data can no longer be accessed. You should review the specific techniques the cloud provider uses to ensure that your deleted data is no longer recoverable and look for an industry-standard or military-grade deletion process.
Who owns the data?
Storing your organization’s data in the cloud may raise some concerns over the legal ownership of the data. It is relatively common for consumer cloud solutions to retain some level of ownership over the data uploaded to the service provider’s servers. However, this should not be the case with an enterprise solution and you should ensure that the contract clearly states that you will retain ownership of all of your organization’s data.
How is my data encrypted?
Ensuring that your data is protected while stored in the cloud is essential to reducing the risk of a data breach. You should investigate which encryption methods are used for data stored on the cloud provider’s servers and who is in control of the relevant encryption keys. In addition to stored data, you will also want to be certain that your data is encrypted during transfer between your network and the cloud provider’s network. Lastly, you should investigate how access to your data is recorded and logged as an added security measure.
Can I audit your access to my data?
Using a cloud storage solution will invariably mean that your provider and potentially third parties will have access to your data. Your service provider should have policies in place which allow you to audit their access to your data. This may include the ability to provide regular or even real time reports logging access to your data by the service provider.
What is your audit procedure?
You should review the specific regulations and laws which your service provider is required to comply with and how this may affect your data. You should investigate how the provider is audited and how they demonstrate compliance. In addition, you should review what the service provider can provide you with to demonstrate your regulatory compliance.
Under what circumstances can third parties access my data?
Storing your data on the cloud means you will lose a degree of control over your data. Undoubtedly, one thing you will want to be sure of is who exactly has access to your data. You should question your provider on this and ask in what circumstances a third party may have access to your data. Remember that third parties may include government agencies and the likelihood of this happening may differ depending on the jurisdiction your data is stored in.
Thinking of Moving to the Cloud?
If you are considering moving your organization’s data to the cloud, or would like to know more about how your business can benefit from a cloud solution, get in touch with the team at Waterford Technologies to see how we can help by clicking here.