Talking to Your Cloud Provider About Data

In addition to the security and privacy issues covered earlier in the chapter, we recommend talking with your potential vendor about the following issues. When your data leaves your premises in a cloud model, you need to ensure that the proper controls are in place to protect it:

Data integrity: What controls does your provider have in place to ensure that the integrity of your data is maintained? For example, are there controls in place to make sure that all data input to any system or application is complete, accurate, and reasonable? What about processing controls to make sure that data processing is accurate? Also, output controls need to be in place. This dovetails into any compliance issues that your particular industry might have.

Compliance: You are probably aware of any compliance issues particular to your industry. You need to make sure that your provider can comply with these regulations.

Loss of data: Your data is a precious asset. Key to any decision to go with a cloud provider is to find out what provisions are in the contract if the provider does something to your data. If the contract says simply that your monthly fee is waived, you need to ask some more questions.

Business continuity plans: What happens if disaster strikes and your cloud vendor’s data center goes down? What business continuity plans does your provider have in place — meaning how long is it going to take the provider to get your data back up and running? For example, a SaaS vendor might tell you that they back up data every day, but it might take several days to get the backup onto systems in another facility. You need to determine whether this meets your business imperatives.

Uptime: Your provider might tell you that you will be able to access your data 99.999 percent of the time; however, read the contract. Does this uptime include scheduled maintenance?

Data storage costs: Pay-as-you-go pricing (you pay for what you use) with no capital purchase is appealing, but you need to read the fine print. For example, how much will it cost you to move your data into the cloud? What about other hidden integration costs? Then how much will it cost to store your data? You should do your own calculations so you’re not caught off-guard. You need to find out how the provider is charging for data storage. Some providers offer a tiered pricing structure. Amazon, for example, charges you based on the average storage used throughout the month. This includes all object data and metadata stored in buckets that you created under your account.

Termination of contract: How will data be returned if the contract is terminated? If you’re using a SaaS provider and it has created data for you, too, will any of that data be returned? You need to ask yourself if this is an issue for you. Some companies just want the data destroyed. So, you need to understand how your provider will destroy your data to make sure it doesn’t continue to float around in the cloud.

Data ownership: Who owns your data once it goes into the cloud? Some service providers may want to take your data, merge it with other data, and do some analysis.

Data access: What controls are in place to make sure that you and only you (or whoever has access rights) can access your data? In other words, what forms of secure access control are in place? This includes identity management, where the primary goal is protecting personal identity information so that access to computer resources, applications, data, and services is controlled properly.

Threat management: What software and procedures does your provider have in place to counter a variety of security threats that might affect your data? This includes intrusion protection.
