Cloud computing comes with many key decisions and considerations. There are decisions to be made around whom to choose, what to look for and what specific service it is that you ultimately need for your organisation.
When an organisation starts to think about moving to the cloud, the driving force is usually twofold: achieving a competitive edge in business and the cost saving benefits the cloud promises. While these are the incentives, the considerations when choosing a cloud service provider (CSP) need to be a lot more detailed. You are migrating your business from one form of technology to a newer and still developing one, and hence must consider scalability, control and security.
This can be a long, slow and painful process. CSPs are, ultimately, still subject to the same cyber problems as your company was back when the humble server was the apple of the CIO’s eye. You may have decided on a CSP boasting near 100 per cent uptime. But what about errors in the file system, misconfigurations, abuse attempts, programming errors and bugs? When they hit, service outages happen. Maybe not every time, but they can happen.
The Australian Government Department of Defence, Intelligence and Security has an online resource dedicated to advice for “Cloud Computing Security Considerations”. Aimed at assessing the benefits and risks associated with cloud, the site also investigates the potential disasters that arise when cloud provider dropouts occur.
The question the site raises is this: what happens if your data is housed in the cloud and your cloud service provider, for some unknown reason, becomes unavailable?
And this is one of the true problems of cloud computing. By placing your organisation’s data, information and trust in a service provider, you ultimately lose the ability to directly and independently fix problems if and when they occur. There is a whole world of security threats floating around that have the potential to wreak havoc with a business’ critical data and applications, and that can damage an organisation’s reputation and bottom line.
And, even more concerning, what happens if your trusted CSP unexpectedly goes out of business? Where does your data go? Who has rights to it? How do you recover it? Is it still secure? The plethora of questions that this potential situation brings up is enough to warrant serious concern, consideration and preparation.
So, below are five tips which you need to consider if and when, and ideally before, you migrate to the cloud to ensure that business can go on as usual if your provider becomes unavailable.
1. Demand connectivity and availability
The Cloud Computing Security Considerations highlights availability, bandwidth, latency and packet loss as the four key concerns when looking at network capacity from vendor to organisation. If there is inadequate connectivity, then ultimately your organisation will reduce its capacity to function as it should when working on the cloud. Similarly, you need to understand the provider’s availability. Availability can be affected by a host of things: targeted attacks, unsuccessful and ineffective maintenance, hardware problems and so the list goes on. As always, doing due diligence on your cloud service provider is critical. You need to ensure that the provider will meet your organisation’s cost, quality-of-service, regulatory compliance and risk management requirements.
The system housing your organisation’s information and identity must have the capacity and ability to deliver a connected and available service, otherwise the CSP is redundant.
Ask yourself: is there any room to compromise on connectivity and availability when looking at my service provider?
Understand the service level agreement (SLA) so there is no confusion around the level and quality of service you are signing up for.
2. Be realistic – the threats are largely the same
Physical systems in offices can crash and fail – losing your data on site and in your office. Whether you have just migrated to the cloud, or have been a long-time resident, the risks you now face are the same as those you faced with a server purring in the back room. The loss of important data is another concern that businesses ignore at their own peril. A hacker or a disgruntled employee could delete important data. However, hackers and employees are not the only ones who might be responsible for such a circumstance. Important, mission critical data can be lost due to the negligence of a cloud service provider.
So what was your plan then? Assess the guidelines you had in place before migration, and then adapt these to the new technology.
Ask yourself: What are the bottom line security standards our organisation needs? Understand your key areas of weakness so you can develop a plan to protect them.
3. Back up. Again. And again.
Moving data to the cloud means it is no longer housed underneath your organisation’s roof. It is housed in a data centre somewhere across the globe. To future-proof your data and ensure that you are not left in the lurch without important information and applications, your best option is to work with two cloud suppliers and house your data in both. This means that when one provider goes down it’s extremely unlikely the other will.
Either way, the cost is generally a good investment for peace of mind.
Ask yourself: is it worthwhile spending additional money on a second backup to ensure that business can run as usual if one CSP goes down?
4. Your SLA: The scheduled, the unexpected and the unsaid
Any service level agreement (SLA) will have listed the maximum possible unscheduled downtime that can occur without breaching it. The Cloud Computing Security Considerations notes that “typical SLAs that guarantee 99.9% availability can have up to nine hours of unscheduled outages every year without breaching the SLA”. Nine hours may sound small in the scheme of things, but timing and deadlines could potentially render an ‘unscheduled outage’ catastrophic.
Likewise, your SLA should have an estimate of scheduled downtime for key activities like maintenance. Understand what notice your contract says you will be given and what the parameters are here.
Another key consideration when it comes to your SLA is compensation. Downtime can have huge effects on your business’s functionality and, depending on severity, could tarnish your reputation.
By understanding your SLA you are better able to assess the potential impact an outage could have, what you should expect in relation to downtime and whether your organisation could manage this in its day-to-day workings.
Ask yourself: how much time out can your business take without suffering? Is it an inconvenience or a hindrance?
There are huge discrepancies across SLAs for CSPs. Understand your SLA, and be aware that it is likely skewed in the provider’s favour. Knowledge is power.
5. Good relationships are founded on trust
You are putting sensitive data and critical applications in the hands of your provider. You need to have trust that if they can manage this data, they can manage to get you back on board in a reasonable time frame and without real stresses to your business.
Your provider needs to be reliable and secure, and ultimately be able to protect your data even when there is downtime.
There should be minimal doubt when you sign that dotted line.
Ask yourself: what do you know about this provider, their history and their capacity? Understand your demands and their solutions. Do your research, and if you find any red flags, don’t hesitate to ask.
Original publication on CSO.