Over the past year, the IT world has seemingly fallen head over heels for the cloud. Cloud computing has great potential in terms of collaboration and efficiency, and it’s already delivering strong results for organizations that have leveraged the cloud model.
For all the hype, though, it’s important not to overlook one of the most basic yet crucial aspects of the cloud: setting up a reliable SLA (service level agreement) that ensures your organization’s data is as secure in the cloud as it is in your own data center.
What follows are five questions that you should be sure to ask your prospective cloud provider as you set up your SLA.
1) Do You Know Where Your Data Lives?
Most organizations are bound by at least one of the major compliance mandates, be it PCI, SOX, HIPAA or something else. This raises one of the most important — and oft-overlooked — issues for organizations moving to the cloud: knowing where your data lives. Many countries have enacted legislation that outlaws moving data out of the country, even involuntarily via a cloud provider.
This phenomenon is particularly common in Western European countries, where cloud data centers are often housed in Eastern European countries with less-stringent regulations. It’s of the utmost importance that you define where your data lives in your cloud SLA. “Cloud-hopping,” as it’s often called, can cause serious problems for an organization should data be lost or breached while out of the country, since different laws apply.
If your data is hosted in a foreign country, it’s also important to know what your cloud provider’s plan is in the case of a natural or political disaster that affects communications and the data center. Best practice dictates choosing a cloud provider that is able to quickly move your data and infrastructure to another data center in the event of local strife. It’s also important to back up your data early and often.
2) Do You Know Who’s Guarding Your Data?
For all of the talk about the cloud and virtualization, it’s important to remember that our data still exists in a physical state somewhere. At the end of the day, cybersecurity is only as good as a data center’s physical security. The easiest way to steal data is through physical access, so it’s important to make sure that you’re comfortable with your data center’s security setup.
You should find a data center that has dedicated on-site security 24 hours a day, 365 days per year to enforce the cloud provider’s security policies and, most importantly, to protect your data. The hiring process for these security positions should include both a background check and a reference check. It’s not out of the question for you to request to review your cloud provider’s hiring policies for data center security guards or professionals. You can also check on visitor authentication: is there a clearly defined process for visitor authentication and on-site security? How are visitors logged into the data center? Is there a readily available audit trail?
3) Do Your Outsourcers Outsource?
Outsourcing cloud services is the most practical and cost-effective method for the majority of organizations with a cloud deployment, and for good reason: we don’t all have the massive IT infrastructure of the Oracles and Amazons of the world.
However, just because you’re outsourcing responsibilities to a cloud provider doesn’t mean that they’re not turning around and outsourcing certain components to third-party vendors themselves. If this is an issue for you or your organization, be sure to say so up front. You can also request the right of first refusal over any such subcontracting. To ensure full accountability at the end of the day, you need to know who is accessing your data, and how.
4) How Is Your Data Being Stored, and Who’s Responsible for Backing It Up?
Since most cloud deployments occur in a public — read: multi-tenant — environment, it’s of the utmost importance that you understand the nature of your data: Does it include sensitive credit-card data, your company’s IP, and so on? When your information is stored on the same cloud as that of another organization (or organizations), you should be sure to encrypt all sensitive data. While critics may argue that encryption slows performance, performance issues are the cloud provider’s responsibility to overcome. Your responsibility is protecting sensitive data from any possible breaches.
You should also be sure to establish responsibility for maintaining a secure backup of your data between your organization and your cloud provider early in your relationship. It may not always be realistic for you to keep a secure backup of all of your data depending on the size, so make sure that your cloud provider is also backing everything up and offering you a periodic snapshot.
Finally, for safety’s sake, it is always wise to keep a local copy of your unencrypted data.
5) Do You Know What They Know?
Many IT managers don’t realize that cloud providers aren’t always required to notify them when a breach has occurred, which can put your organization in violation of compliance without you even realizing it. It’s a good idea to work a clause into your SLA that requires your cloud provider to notify you of all breaches as soon as they occur.
While cloud computing is a rapidly evolving field, best practices don’t change overnight. Insist on the level of security that you’ll be expected to deliver, and don’t be afraid to hold your provider accountable.
Dimitri McKay is security architect for LogLogic.