Although vendor-written, this contributed piece does not promote a product or service and has been edited and approved by Network World editors.
Finding a cloud provider you can trust has become a major responsibility. Cloud providers come in all shapes and sizes—from global organizations delivering a range of services to small shops specializing in a limited number of capabilities. To normalize the differences you need to ask consistent questions about key issues.
Security should be at or near the very top of your list, with providers’ answers supplying the transparency that will help build trust. An essential first step is to avoid making assumptions about what security is and isn’t with respect to a provider. Every provider is different, with different rules, service-level agreements (SLAs), and terms and conditions. Make sure you thoroughly understand what each service provider commits to you, the customer.
Look closely at their terms and conditions. Don’t shirk your duties in this area—don’t simply click “accept” and move on. Dig in and look deeply at different sections within the terms and conditions, and home in on the data aspects of those details.
Finally, don’t assume that each cloud service has the same guidelines and service delivery targets even within the same provider. Look at terms and conditions for each service.
The good news is that cloud security concerns have diminished greatly in recent years as cloud providers develop a track record for successful security practices. Still, executives and their boards are concerned about whether their organizational data is truly secure in the cloud. These concerns should lead you to ask questions similar to the following.
* Who has access to my data, both physically and virtually? Physical access is different from virtual access. It’s important to ask questions about both types of access:
- What security posture does the organization have in place when their data center is accessed?
- Do their personnel have security clearance, and are they protecting physical access to the data from outsiders?
- What are the institution’s or the data center’s policies, and how are they protected?
- Who has access to the data virtually? Where is it accessed from and why?
- How are they accessing it? Do they use VPN, and is the data encrypted? If it is encrypted, how are the encryption keys secured?
* Does the provider outsource data storage? Many companies leverage outsourcing companies to provide services, but it’s possible that your provider is outsourcing your data to another location or even to another vendor. If so, you need to decide if you’re comfortable with that arrangement.
* How does the provider handle legal requests for data review? Whether those requests come from their customers or from governmental bodies stemming from legal or regulatory issues, handling these requests requires finesse, experience and sensitivity to corporate governance policies, as well as compliance mandates. It’s not unheard of for the quality of your data to be impacted by legal requests, and you need to understand the traceability of the data and how requests are handled.