Data loss is a reality and a sizeable chunk of all data-loss incidents can be attributed to third-party providers. As a result, you need to know whether the service provider, who is the administrator of the system, can see your data. Most admins have this ability. Therefore, does the provider have the controls in place to avoid sending, copying, e-mailing, etc., of your data?
It's vital to employ a carefully defined risk analysis of IT systems and procedures before deciding which cloud technology and service is best for your organization, writes Cyber-Ark VP Adam Bosnian in “Cloud Computing: Understanding the Risks and Questions to Ask Your Service Provider.” That analysis must be done before starting later steps such as creating service level agreements, remediation procedures and penalty clauses.
The four main stages in this analysis are as follows:
ID management and access control –Who is authorized to do what and when?
Regulatory requirements – Basel II, SOX, PCI, SAS70.
Data-handling processes – Where is the company's data located? And how is it managed?
Staff management – What happens when someone leaves, comes on board or changes roles?
While cloud computing changes the data-handling ballgame significantly, the gap between network and cloud-based security analyses is not as great as some experts report it to be. (That is provided the IT security technology being employed – or planned – by the organization can handle cloud, as well as conventional, IT data-storage systems.) It's necessary to assess the expectations that management and the business have for the cloud outsourcing contract. What precise functions must the outsourcing company complete? And to what performance and security criteria will that provider be held? The six questions Bosnian recommends are ideal for IT departments moving toward their first contract with a cloud provider. And be sure to read Adam’s full article, which elaborates on the answers that the IT department needs to be comfortable with before negotiating a final contract with a provider.