In the era of Sarbanes-Oxley, companies are held responsible for an exacting level of data monitoring and archiving. Even if a company contracts with an external cloud-based provider, these regulations hold the company itself responsible. Cloud-based providers should submit to audits and security certifications to ensure they're able to hold up their end of the bargain.
Advice: A cloud computing provider that is unwilling or unable to do this is signaling that customers can only use them for the most trivial functions.
3) Data Location
With cloud computing, you won't know where in the world, literally, your data is stored. The servers might be in Malaysia, Canada, or Hoboken, New Jersey, or a combination of the three.
Ask your provider: are they willing to give a contractual commitment that they are obeying the privacy laws of specific jurisdictions?
4) Data Segregation
Certainly cloud providers use SSL to protect data as it travels, but as it sits in storage it may share a virtual locker with data from other companies. Is your data properly segregated from the rest?
It's likely a provider will offer impressive tales about the strength of its ultra-heavy-duty encryption. You'll hear great claims about key length and exotic encryption algorithms.
Still, if your data can be read at your provider's site, then you must assume it will be read.
Advice: If your data will be stored and backed up in encrypted form, find out who has access to the decryption keys and whether it's possible for authorized individuals at your company to gain access to their employees' data in an emergency.
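The key-custody question above is easier to ask once you have seen what the alternative looks like. The following Go program is an added example, not code from the article or from any provider: it performs envelope encryption on the customer side with AES-256-GCM from the Go standard library, so the provider stores only ciphertext plus a data key wrapped under two customer-held key-encryption keys (an employee's KEK and a company emergency-recovery KEK). The sample record, key names and the `Envelope` layout are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the only thing handed to the cloud provider. It carries the
// encrypted payload plus the data key wrapped under two different
// key-encryption keys (KEKs), neither of which ever leaves the customer.
type Envelope struct {
	Ciphertext      []byte // AES-256-GCM(dataKey, plaintext), nonce prepended
	WrappedForUser  []byte // dataKey wrapped under the employee's KEK
	WrappedForRecov []byte // dataKey wrapped under the company's emergency-recovery KEK
}

// NewKey returns a fresh random 256-bit key (used for KEKs and data keys alike).
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// aead builds an AES-GCM instance for the given key.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a random nonce and prepends the nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; GCM's authentication tag turns a wrong key or any
// tampering with the stored blob into an error rather than garbage output.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// Encrypt performs envelope encryption before upload: a one-off data key
// protects the payload, and only wrapped copies of that key travel with it.
func Encrypt(plaintext, userKEK, recoveryKEK []byte) (Envelope, error) {
	dataKey, err := NewKey()
	if err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dataKey, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	wu, err := seal(userKEK, dataKey)
	if err != nil {
		return Envelope{}, err
	}
	wr, err := seal(recoveryKEK, dataKey)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Ciphertext: ct, WrappedForUser: wu, WrappedForRecov: wr}, nil
}

// Decrypt unwraps the data key with whichever KEK the caller holds, then opens
// the payload. The provider holds no KEK, so the stored envelope is opaque to it.
func Decrypt(env Envelope, kek, wrappedKey []byte) ([]byte, error) {
	dataKey, err := open(kek, wrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, env.Ciphertext)
}

func main() {
	userKEK, _ := NewKey()     // held on the employee's device or in a company KMS
	recoveryKEK, _ := NewKey() // held offline by the company for emergencies
	env, _ := Encrypt([]byte("constructed sample record"), userKEK, recoveryKEK)

	pt, err := Decrypt(env, userKEK, env.WrappedForUser)
	fmt.Printf("employee:  %q err=%v\n", pt, err)
	pt, err = Decrypt(env, recoveryKEK, env.WrappedForRecov)
	fmt.Printf("recovery:  %q err=%v\n", pt, err)
	providerGuess, _ := NewKey()
	_, err = Decrypt(env, providerGuess, env.WrappedForUser)
	fmt.Println("provider without a KEK: err =", err)
}
```

The point of the two wrapped copies is that the emergency-access path the advice asks about is a deliberate design decision made by the customer, not a capability the provider happens to have: whoever controls `recoveryKEK` can open an employee's data, and nobody else can, regardless of how strong the provider's own at-rest encryption claims to be.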
In theory, you don't have to worry about your data disappearing when using a cloud provider: it's easy for these providers to redundantly mirror your data in various locales, providing peace of mind against a system crash.
But will your staff have access to the data they need to do their jobs, 24/7? What if the virtual pipes are clogged, so to speak? Or some kind of internal snafu within your provider puts a brick wall between you and your critical data?
Advice: Organizations should define service-level requirements for any nontrivial IT workload, demand service-level agreements from the provider, and ensure that the contract contains penalty clauses for when the service-level agreements are not met.
Hopefully, the worst will never happen, and nothing resembling a total disaster will befall you, your provider or the world at large. But your provider must be prepared for this.
Essential question: Does your provider have the ability to do a complete restoration, and how long will it take?
7) Investigative Support
It's never easy to undertake an internal legal investigation, because it requires combing through masses of documents that may be spread across real and virtual locations. It's even harder to conduct such research when you use a cloud provider: data for many customers may be co-located and spread across a constantly shifting set of data centers.
Advice: If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible.
Will your provider get acquired or, even worse, go broke? If so, how will they return your data to you in a format that you could import into another provider's infrastructure?
9) Support in Reducing Risk
Your staff will have a learning curve as they begin using an external provider. How easy does this provider make their interface? Does the provider help your managers set up monitoring policies? What about guards against malware and phishing?
James Maguire is the managing editor of Datamation.