It’s vital to employ a carefully defined risk analysis of IT systems and procedures before deciding which cloud technology and service is best for your organization, writes Cyber-Ark VP Adam Bosnian in “Cloud Computing: Understanding the Risks and Questions to Ask Your Service Provider.” That analysis must be done before starting later steps such as creating service level agreements, remediation procedures and penalty clauses.
The four main areas this analysis must cover are as follows:
ID management and access control – Who is authorized to do what and when?
Regulatory requirements – Basel II, SOX, PCI, SAS70.
Data-handling processes – Where is the company’s data located? And how is it managed?
Staff management – What happens when someone leaves, comes on board or changes roles?
While cloud computing changes the data-handling ballgame significantly, the gap between network and cloud-based security analyses is not as great as some experts report it to be (provided the IT security technology the organization employs, or plans to employ, can handle cloud as well as conventional IT data-storage systems). It is also necessary to assess the expectations that management and the business have for the cloud outsourcing contract: what precise functions must the outsourcing company complete, and to what performance and security criteria will that provider be held? The six questions Bosnian recommends are ideal for IT departments moving toward their first contract with a cloud provider. Be sure to read Adam’s full article, which elaborates on the answers the IT department needs to be comfortable with before negotiating a final contract with a provider.
Data loss is a reality, and a sizeable share of data-loss incidents can be traced to third-party providers. So you need to know whether the service provider, as the administrator of the system, can see your data. Most administrators can. The question is therefore whether the provider has controls in place to prevent your data from being sent, copied or e-mailed out of its environment, and how it would detect that happening.
You need to ask your cloud service provider what its data-protection policy is and what its audit procedures are. And then you should perform due diligence on those procedures.
What does the third-party organization do to separate customers’ information and systems? Could a competitor that uses the same service get its hands on your data? Remember that, in the cloud, you cannot tell from the outside whether your data has been copied, so you really need to get this one answered.
How many copies of your data does the third party hold? Does it use incremental backups, and can it reconstruct an image of your data as it stood at a given point in the past from those partial backups? How far back, in calendar terms, do the backups go? Note that an incremental backup is only useful if every earlier backup it depends on is still retained.
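Asking whether a provider can reconstruct an image of your data at a point in the past is really asking whether its incremental-backup chain is intact for that date. The following is an added illustration, not code from the article or from Cyber-Ark, of how such a reconstruction works and why a retention policy that expires individual backups can silently make a whole chain unrestorable. The data set, the backup timeline and every name used here (Backup, reconstruct, expire, restorable_days, SAMPLE_BACKUPS) are constructed for this example.

```python
"""Point-in-time reconstruction from a full backup plus incrementals.

Constructed example: the "data set" is a dict of path -> content. A full
backup is a complete snapshot; an incremental records only what changed
since the backup it was diffed against (a deleted file is recorded as None).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Backup:
    taken_at: int                      # day number on a toy timeline
    kind: str                          # "full" or "incremental"
    changes: Dict[str, Optional[str]]  # path -> content, None = deleted
    base_at: Optional[int] = None      # incrementals: taken_at of the backup diffed against


class BrokenChainError(Exception):
    """A backup needed for the requested point in time is missing."""


def reconstruct(backups: List[Backup], at: int) -> Dict[str, str]:
    """Return the data set as it existed at day `at`.

    Picks the newest full backup taken on or before `at`, then replays every
    later incremental in order. Each incremental must be based on the backup
    applied just before it; if one has expired or gone missing, the later ones
    cannot be trusted, so the chain is reported as broken rather than silently
    returning the wrong data.
    """
    ordered = sorted((b for b in backups if b.taken_at <= at),
                     key=lambda b: b.taken_at)
    fulls = [b for b in ordered if b.kind == "full"]
    if not fulls:
        raise BrokenChainError(f"no full backup on or before day {at}")
    base = fulls[-1]
    state: Dict[str, str] = dict(base.changes)
    previous = base.taken_at
    for inc in (b for b in ordered
                if b.kind == "incremental" and b.taken_at > base.taken_at):
        if inc.base_at != previous:
            raise BrokenChainError(
                f"incremental from day {inc.taken_at} expects base day "
                f"{inc.base_at}, but the last applied backup is day {previous}")
        for path, content in inc.changes.items():
            if content is None:
                state.pop(path, None)
            else:
                state[path] = content
        previous = inc.taken_at
    return state


def expire(backups: List[Backup], keep_days: int, today: int) -> List[Backup]:
    """The naive retention policy 'delete anything older than N days'.

    Applied blindly it removes the full backup (or a mid-chain incremental)
    that later incrementals depend on.
    """
    return [b for b in backups if today - b.taken_at < keep_days]


def restorable_days(backups: List[Backup]) -> List[int]:
    """Days for which reconstruct() still succeeds with the backups we hold."""
    days = []
    for day in sorted({b.taken_at for b in backups}):
        try:
            reconstruct(backups, day)
            days.append(day)
        except BrokenChainError:
            pass
    return days


# Constructed timeline: one full backup, then three nightly incrementals.
SAMPLE_BACKUPS = [
    Backup(1, "full", {"a.txt": "v1", "b.txt": "v1"}),
    Backup(2, "incremental", {"a.txt": "v2"}, base_at=1),
    Backup(3, "incremental", {"b.txt": None, "c.txt": "v1"}, base_at=2),
    Backup(4, "incremental", {"a.txt": "v3"}, base_at=3),
]

if __name__ == "__main__":
    print("day 3:", reconstruct(SAMPLE_BACKUPS, 3))
    print("restorable with everything kept:", restorable_days(SAMPLE_BACKUPS))
    # A 3-day retention window on day 5 drops the only full backup...
    pruned = expire(SAMPLE_BACKUPS, keep_days=3, today=5)
    print("restorable after naive expiry:", restorable_days(pruned))
    # ...and losing a single mid-chain incremental strands everything after it.
    gapped = [b for b in SAMPLE_BACKUPS if b.taken_at != 2]
    print("restorable with day 2 missing:", restorable_days(gapped))
```

The point to take into the vendor conversation is the last two calls: "we keep backups for N days" says nothing about how far back you can actually restore unless the provider also keeps the full backup and every incremental each retained point depends on, or periodically takes a fresh full backup to start a new chain.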
Data portability is a question few companies ask – until it’s too late. Porting data between cloud service providers is a relatively new capability, and only a small number of providers have implemented what will become a very necessary service. Ask how you get your data out, in what format and at what cost, before you sign.
The SLA is the contract between you and the cloud service provider. While figures are usually central to most SLAs, you also need an agreed remediation process for when the provider fails to live up to the agreement. Things can, and do, go wrong, so it is important to agree on that process up front, as the fate of your company could rest on the integrity of the agreement. Compensation is only part of the equation: by the time the money is paid, you could be out of business.