Ensure System Backups
Chapter 6, “Data Storage in the Cloud,” discusses cloud-based backups in detail. As a manager, you should consider different forms of backups. First, your company may backup user files from on-premise computers to disks that reside within the cloud. You should hope you will never require these backups, but that said, you should periodically audit the backups, perhaps by ensuring you can successfully restore a set of different users’ files.
Second, if the cloud provider stores data for your company, you need to understand the provider’s backup process (and include it within the SLA). Again, for governance purposes, you should know whether or not the data is encrypted, which employees have access to the data, and whether the company replicates the data to a remote facility and, if so, when and how often.
Likewise, if the provider uses a database to store your company data, you need to know if and how the data is replicated and whether your company has a private or multi-tenant database. You should also know the system’s guaranteed uptime. Chapter 10, “Disaster Recovery and Business Continuity and the Cloud,” examines the concept of a “disaster within a disaster,” which can occur, for example, when needed backup files are corrupt, out-of-date, or nonexistent. To avoid disaster-within-a-disaster situations, you must regularly test the quality of your backups. This not only applies to your company’s data files, but also data files that the SaaS provider stores on your behalf. As previously discussed, it is critical that your SLA specify the recovery-point objective (RPO), which is the specific point in time to which the provider can restore data (such as to a specific day, hour, or minute), as well as the recovery-time objective (RTO), which specifies how long the data recovery and resumed operations will take.
Depending on your company’s data (such as healthcare or financial data), you may have the requirement that your data and backups of your data only reside on servers that reside within the United States. In such cases, your agreement with the cloud provider should explicitly state the requirement. In addition, you may have specific encryption requirements for your data as well as your backups. As you specify your data-encryption requirements, make sure you understand how and where the provider stores the data-encryption keys.