Understand the Security Responsibility of Your Provider

Security responsibilities of cloud providers differ between service models. For cloud providers that offer services, spanning the entire stack—infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS)—security is the sole responsibility of the provider, including physical, environmental, infrastructure, applications and data security as well as people, processes and technology. In contrast, vendors who only provide one service, such as Amazon’s Elastic Cloud Compute (EC2) IaaS offerings, are only responsible for security up to a certain point, and you’re responsible for the rest.

Read SLAs—yes, all the fine print—and understand them. SLAs offer guarantees on service delivery, and many providers offer compensation if said promises aren’t kept. While these offers are appealing on the surface, they don’t always equate to quality customer service. Wouldn’t you rather work with reliable partners who stand by their service than deal with ones who consistently fail to meet their guarantees? Additionally, look for a provider with industry experience and a dedicated team of experts who will work with you 24/7.

Regulatory compliance can be very complex and full of testing controls for each regulation. To help ease the IT burden, select a service provider that understands the different regulatory requirements, such as the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm Leach Bliley Act (GLBA). Additionally, you want a partner whose infrastructure is SSAE-16 certified, a key industry auditing standard. As a resource, always refer to ISO 27001, CoBIT or other applicable standards to help you make an informed and sound decision.

With an increasingly mobile workforce, securing data on smartphones, laptops and tablets should be a top priority for every organization. Mobile devices often carry critical data; however, a surprising number of businesses fail to adequately protect them. A recent study by the Ponemon Institute found that only 39 percent of surveyed organizations have the necessary security controls to mitigate risk posed by insecure mobile devices, placing an organization at great risk should they be lost or stolen. When choosing a cloud storage partner, ensure that they not only protect your company’s on-site data but also adequately safeguard your employees who are using mobile devices on the go.

A cloud partner must have outstanding security within its own network and infrastructure; it must guarantee that no data can be accessed without explicit permission from that data’s owner. Encryption is key, as well; the data you have with the provider should be encrypted from the moment it is originated in your network, protected during the transmission through the Internet, and stored and encrypted in the cloud.

In the late 1990s, a group of financial organizations formed an open community called BITS. The BITS Standard Information Questionnaire is a great way to evaluate cloud providers. It addresses operational environments, information security, policies and procedures for managing security programs, asset management, risk management and proper incident response handling. Cloud consumers can find the BITS long and “lite” versions at bits.org.

If you are a smaller company looking to outsource your data storage, it’s very likely that, as your business grows, you’ll want to bring these services in-house. Some storage vendors make this transition more seamless than others. Be sure to evaluate your business’ needs, not just in the near future, but for the long term, as well.

Over the past few years, data loss due to a slew of hurricanes, earthquakes, floods and storms has brought more attention to disaster recovery. It’s imperative that your data is backed up routinely to a remote, off-site data center. According to Forrester’s State of Enterprise Disaster Recovery Preparedness for Q2 2011, “Companies are not only consolidating their backup sites, they’re also decreasing the distance between them. This is a red flag for companies whose DR sites are close enough that they could be affected by the same disaster.” Choose a partner with a data center that is far from your main offices, and one that is certified secure so you’re absolutely certain of recovering from a disaster.

Many cloud products do not specify where customer data will reside. Some actually offer “locationless” clouds as a benefit. The actual physical location of data is very important for compliance purposes. Additionally, if you’re using cloud storage for your disaster recovery plan or attempting to pass strict security audits, then the location of the data and the mechanisms defined to make that data accessible are critical.

Cost, for obvious reasons, is one of the deciding factors associated with choosing a cloud storage partner. While it may seem like a simple evaluation technique, it’s anything but. There is a severe lack of consistency among providers regarding what customers pay for and receive; features vary widely and virtualization complicates pricing models further. Make it a point to understand exactly what you need, what you’ll be paying for and what the final costs are. Remember, you don’t need to move all your IT operations to the cloud at once; cloud/on-premise hybrids are often a logical choice. The reason you’re considering moving to the cloud may be to reduce costs, but with improper planning and a poor vendor selection, you can find yourself paying for services you don’t need or understand.