You've finally decided to move your storage and apps to the cloud. Great, but it is not just a question of uploading files to a new server. What do you know about your cloud provider? Is their infrastructure secure? Do they meet all of the privacy or security standards you need to meet? Do you even know the questions you need to ask? Here are 5 of the most important questions to ask your potential service provider before you sign your contract.
1. What security are you, the service provider, responsible for and what security am I responsible for? This might seem obvious, but terms of service differ from provider to provider. Normally you can expect the service provider to be responsible for security for its infrastructure only and you, as the client, need to layer on security for your apps and data. The kind of security you are able to layer on and, more importantly, test, will depend on the kind of service you buy. For example, many providers will not permit you to run penetration tests against the production servers, but often the providers will have a separate set of servers with the same network security to which you can run pen tests. Also, you need to bring your own identity and access management to the cloud; don't expect the provider to offer any granular security.
On the plus side, you should expect the provider to have 24/7/365 network monitoring of the infrastructure that will go a long way to reduce network outages. Your service-level agreement will spell out a lot of these details, but often there will be a lot of questions left unasked and unanswered. Do not let the legalese of the SLA intimidate you — if the service provider does not make understanding both theirs and your rights and responsibilities easy to understand, you might want to look elsewhere
2. Which security and privacy standards do you meet? Compliance is a big deal and you will do yourself no favors if you opt for a cloud provider who cannot demonstrate that they meet the same standards you must. For example, you would not want to hire a provider that cannot meet HIPAA compliance certification if you are in the medical field. Make sure you ask for and receive copies of the requisite certifications you need to be compliant in your industry. Your auditors and compliance team likely will want to vet any contract first as well.
3. If your company handles data about Europeans, is your cloud provider compliant with the General Data Protection Regulation (GDPR)? GDPR is a new set of privacy rules from the EU that go into effect in May 2018. Fines can be extremely high for serious violations of privacy for EU citizens — up to four percent of worldwide revenue (not profits) or €20 million, whichever is higher. Make sure that your cloud service provider can demonstrate that it is in compliance with GDPR regulations. This is no small task, but in the long run it is worth ensuring that your service provider, along with its supply chain of service providers, are compliant with security and privacy regulations.
4. What's your business continuity plan? Companies are well aware that they need to keep backups of their data and have a business continuity plan in case an emergency hits, but so must your cloud provider. Ask your provider to show you their business continuity plan and ask them about their data backup strategy. If your provider does not back up your data or have plans to keep you operating in case their site is hit with an emergency, you might well want to look elsewhere. If their plan does not meet your compliance requirements, you need to address that before signing on the dotted line.
5. Do you provide an audit trail? Bad things sometimes happen; there's just no getting around that. Ask your service provider if they have an audit trail that shows which of their employees took certain actions on their systems, whether it was conducted directly at the cloud provider's site or if it was done remotely through an API or a web interface. Having that audit trail that identifies the provider's employees will help you determine if data was the victim of an attack or perhaps a benign action that might have impacted your data accidentally or as collateral damage.
Obviously there are a lot of questions that must be asked before you sign a contract with a cloud provider. We will look at other questions in other stories, but for now, these are among the most important you will need to address.