5 steps to choosing the right cloud provider

December 19, 2011 By David
Grazed from Business Cloud News.  Author:  Andy Brewerton.

Is your business considering a switch to cloud computing in the New Year? If so, you might want to take note of the following best practices from Andy Brewerton, Country Manager for the cloud backup specialist EVault.

According to a recent Forrester Research report, about half of all midsize companies are either already using cloud-based services as part of their business practices or plan to implement them in the near term. Why? The realised benefits are clear: reduced infrastructure costs, pay-as-you-go pricing, flexibility, agility, and significantly reduced IT management and oversight.

Yet despite the massive migration to the cloud, businesses are still confused when it comes to data ownership, data privacy, data location, and cloud IT governance oversight…

Some of the frequently asked questions are: “Do I own my data in the cloud? Who is responsible for protecting my data? How secure is my service provider? How can providers safeguard my data from ending up across the globe? And, who is actually providing the oversight?”

Trust, reliability, compliance and security are always at issue when you partner with a cloud service provider. To make sure you choose, or keep working with, the most secure provider for your needs, follow these best practices.

Top 5 Best Practices:

Review an audit report of your provider’s environment

A cloud provider needs strong security within its own network and infrastructure so that one tenant can never reach another tenant’s data without the owner’s explicit permission; ask how that tenant isolation is actually enforced rather than accepting a blanket guarantee. Your data should be encrypted at its point of origin inside your network, protected in transit across the Internet, and stored encrypted in the cloud. Ask, too, who holds the encryption keys: if only the provider can decrypt, then the provider, and anyone who compromises or compels it, can read your data.
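As an added illustration (not code from the original article or from EVault) of encrypting data at its origin so that the provider only ever holds ciphertext: the Go program below uses AES-256-GCM with a key that stays on the customer side, binds the object name into the authentication so a stored ciphertext cannot be quietly swapped under another name, and shows that a tampered copy or the wrong key is rejected on restore. The object name, the record contents and the function names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what the cloud provider actually receives and stores: a random
// nonce and the AES-GCM ciphertext (which carries its own authentication tag).
// The key never leaves the customer's environment.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewCustomerKey generates a 256-bit key that stays on the customer side.
// In a real deployment it would live in your own HSM or key store, not at the provider.
func NewCustomerKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptForUpload encrypts plaintext at the origin, before it leaves your network.
// objectName is bound in as associated data so a ciphertext cannot be presented
// under a different object name by whoever controls the storage.
func EncryptForUpload(key, plaintext []byte, objectName string) (Envelope, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(objectName))
	return Envelope{Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptFromDownload reverses EncryptForUpload. It fails if the ciphertext,
// nonce or object name was altered, or if a different key is used.
func DecryptFromDownload(key []byte, env Envelope, objectName string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("integrity check failed: %w", err)
	}
	return pt, nil
}

func main() {
	key, err := NewCustomerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample backup record, not real data.
	record := []byte("customer=ACME;invoice=12345;amount=9900.00")
	const objectName = "backups/2011-12-19/invoices.db" // hypothetical object name
	env, err := EncryptForUpload(key, record, objectName)
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d bytes of ciphertext and cannot read it without the key\n", len(env.Ciphertext))
	// A copy altered on the provider side, or decrypted with another key, is rejected on restore.
	env.Ciphertext[0] ^= 0x01
	if _, err := DecryptFromDownload(key, env, objectName); err != nil {
		fmt.Println("tampered copy rejected:", err)
	}
}
```

Whether a provider’s “encrypted at rest” means this, or means the provider encrypts with a key it holds itself, is exactly the question to ask under this first best practice: in the second case the audit report, not the cryptography, is what protects you.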

To achieve trusted data assurance, third-party auditors conduct controlled audits of cloud provider environments and issue a report on whether the provider has the proper controls in place. The most common audit report has been SAS 70, developed by the American Institute of Certified Public Accountants (AICPA). Bear in mind that SAS 70 is an auditing standard for controls the provider itself chooses to describe, not a security certification, and that as of June 2011 it is being superseded by SSAE 16 (SOC 1) reports, with SOC 2 reports covering security, availability, processing integrity, confidentiality and privacy specifically; read the scope of any report you are given, not just its cover. Ask your provider about network penetration tests, and look for providers that use data centres focused on security and availability. You can trust, but it’s important to verify.

Select a service provider that understands regulatory requirements

Regulatory compliance can be very complex. To ease the IT burden of testing controls against each regulation, select a service provider that understands the requirements you are subject to, such as the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), a privacy act that protects non-public personal information held by financial services firms.

And always use ISO 27001, COBIT or other applicable standards as a yardstick to help you make an informed and sound decision.

Understand the security responsibility of your provider

It’s important to understand that the security responsibilities of the cloud provider differ between service models, and that the provider never takes all of them. For a SaaS offering that spans the entire stack, the provider is responsible for physical, environmental, infrastructure, platform and application security, including the people, processes and technology behind them; the customer still owns who is granted access, how that access is administered, and what data is entrusted to the service. In PaaS the customer additionally owns the application code it deploys.

With IaaS offerings such as Amazon’s EC2, the provider’s responsibility stops at the hypervisor: physical security, environmental security and virtualization security are theirs, and everything above the hypervisor is yours, including the guest operating system and its patching, the firewall rules, identity and access management, the applications and the data.
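As an added example (not from the original article, and not Amazon’s own tooling) of what “you’re responsible for the rest” means in practice: under IaaS the provider enforces isolation at the hypervisor, but the inbound firewall policy on your instances is yours, and nobody else will check it. The Go program below audits a constructed list of inbound rules, shaped like security-group ingress entries, and flags any that expose an administrative port, or every port, to the whole Internet. The group names, rule data and the list of administrative ports are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// IngressRule is a simplified view of one inbound firewall rule. The field
// names follow the shape of security-group ingress entries; the data is constructed.
type IngressRule struct {
	GroupName string `json:"groupName"`
	Protocol  string `json:"ipProtocol"` // "tcp", "udp", or "-1" for all protocols
	FromPort  int    `json:"fromPort"`
	ToPort    int    `json:"toPort"`
	CIDR      string `json:"cidrIp"`
}

// Finding is one rule that the customer, not the provider, must fix.
type Finding struct {
	Group  string
	Reason string
}

// adminPorts lists services that should never be reachable from the whole
// Internet (assumed list for the example; extend to match your estate).
var adminPorts = []struct {
	port int
	name string
}{
	{22, "ssh"}, {3389, "rdp"}, {3306, "mysql"}, {1433, "mssql"}, {5432, "postgres"},
}

// sampleRules is constructed input: one sane web rule, one world-open SSH rule,
// one database rule restricted to a private range, and one legacy "allow all" rule.
const sampleRules = `[
 {"groupName":"web","ipProtocol":"tcp","fromPort":443,"toPort":443,"cidrIp":"0.0.0.0/0"},
 {"groupName":"web","ipProtocol":"tcp","fromPort":22,"toPort":22,"cidrIp":"0.0.0.0/0"},
 {"groupName":"db","ipProtocol":"tcp","fromPort":3306,"toPort":3306,"cidrIp":"10.0.0.0/16"},
 {"groupName":"legacy","ipProtocol":"-1","fromPort":0,"toPort":65535,"cidrIp":"0.0.0.0/0"}
]`

// isWorldOpen reports whether a CIDR admits the entire IPv4 or IPv6 Internet.
func isWorldOpen(cidr string) bool {
	return cidr == "0.0.0.0/0" || cidr == "::/0"
}

// AuditIngress returns one finding per rule that exposes an administrative
// port, or every port, to the whole Internet. Rules scoped to private ranges
// and rules for public services (such as 443) produce no finding.
func AuditIngress(rules []IngressRule) []Finding {
	var out []Finding
	for _, r := range rules {
		if !isWorldOpen(r.CIDR) {
			continue
		}
		if r.Protocol == "-1" || (r.FromPort == 0 && r.ToPort == 65535) {
			out = append(out, Finding{r.GroupName, "all ports open to " + r.CIDR})
			continue
		}
		for _, ap := range adminPorts {
			if r.FromPort <= ap.port && ap.port <= r.ToPort {
				out = append(out, Finding{r.GroupName,
					fmt.Sprintf("%s (%d/%s) open to %s", ap.name, ap.port, r.Protocol, r.CIDR)})
			}
		}
	}
	return out
}

// AuditJSON parses a JSON array of rules and audits it.
func AuditJSON(data string) ([]Finding, error) {
	var rules []IngressRule
	if err := json.Unmarshal([]byte(data), &rules); err != nil {
		return nil, err
	}
	return AuditIngress(rules), nil
}

func main() {
	findings, err := AuditJSON(sampleRules)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-8s %s\n", f.Group, f.Reason)
	}
}
```

On the constructed input this reports the world-open SSH rule on the “web” group and the allow-all rule on the “legacy” group, and stays silent on HTTPS and on the database rule scoped to a private range. A provider’s SAS 70 or SOC report will say nothing about either finding, because under the IaaS split those rules sit on the customer’s side of the line.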

Know where your data is actually kept

Many cloud products do not specify where a customer’s data will reside, and some even market ‘locationless’ clouds as a benefit.

The actual physical location of data matters for compliance, because some regulations restrict where data may be held. If you are using cloud storage for your disaster recovery plan or attempting to pass strict security audits, the location of the data and the mechanisms by which it can be reached become critical.

Evaluate your cloud provider

Back in the late 1990s, financial organisations formed an open community called BITS. The BITS Standardized Information Gathering (SIG) questionnaire is a great way to evaluate cloud providers.

Key areas addressed include the operational environment; information security; the staffing environment, including how administrator background checks are done as part of hiring; policies and procedures for managing security programmes; asset management; risk management; and incident response handling, to name a few. Cloud consumers can find both the full and the “lite” versions of the questionnaire at bits.org.

Now rate your providers on their responses to the BITS questionnaire, your assessment of their key controls and security responsibilities, perhaps a review copy of their Statement of Insurance, and their audit report. If all the results point to a secure, trusted provider, then you have found your match.

Finally…

Remember that evaluating your cloud provider is not a one-time event; it has to be done continuously. Build it into your own business practices, and expect your service providers to do the same as part of theirs. The best providers will keep improving the governance of their IT infrastructure, and will submit evidence that they are actually doing it.