Moving to cloud - make sure you ask all the right questions first

There's plenty of FUD about in cloud but asking your service provider the right questions could offer some protection

Have you got a CSSLA yet?

Read pretty much any survey of IT decision makers from the last few years and you will be sure that security fear is the biggest single thing stopping them from migrating into the cloud.

Truth be told, the latest bit of research from Interxion isn't hugely different, but it does throw an interesting aside into the mix by listing SLAs alongside security as the biggest barrier to cloud adoption. Some 45 percent of those asked said that a lack of both security and SLAs was their primary cloud concern.

This led me to thinking: what should you be asking of your provider in terms of a cloud security service level agreement, or CSSLA, as I insist it be known from now on?

Forget the FUD, hide the hyperbole and ignore the idiots: data breaches and loss can and will occur in the cloud, just as they do anywhere else that potentially valuable data is to be found.

If your enterprise has taken a third party route to Virtual Cloudsvision then you will need to know not only that the security measures in place are adequate, but that there is a plan of action if things go pear-shaped. That means ensuring the SLA is also a CSSLA.

How does this work in practice? Are there processes in place for matters such as e-discovery requests that might arise as part of post-breach forensics? What are the incident response procedures on the provider side of the fence, and how well documented are they? How does your existing incident response policy mesh with that of the provider?

It's all too easy to think of cloud security as something of a black art, especially given the number of nay-sayers who are happy to share their negativity with you. But there's an old saying, and if there isn't there should be, which goes 'security is security is security': the basic principles of data security are the same wherever the data is held, however the data is moved around and whoever accesses it.

Your business will already, I hope, have a really good handle on how best to secure that data, so when it comes to cloud migration you just need to take that experience, that knowledge and that expectation of security to the provider and insist it is applied in this new environment. That's where the CSSLA is important, because this is the document that maps out the physical and virtual security of your data, and it forms an essential part of any industry regulatory compliance regime that applies to you.

You need to ask your provider a wide range of questions, from the basic to the complex. And don't come away with anything other than the SLA you want.

What sort of questions? Well how about:

  • Where will the data be stored, geographically speaking?
  • What are the security/privacy implications of this?
  • How will the data be stored?
  • What encryption will be used, and when?
  • Will your data be encrypted at rest as well as in transit?
  • Who will have access to the encryption keys?
  • Where will your data be backed up?
  • How will that data be recovered?
  • What network security measures are in place?
  • Who is responsible for security and what are their qualifications?
  • Do they take data security as seriously as you do?
  • What vulnerability assessment programme do they have in place?
  • What audit trails are there?
  • How well documented is the incident response plan?
  • When will you be notified of any potential breach?
  • What about the physical security of your data? The cloud may sound esoteric, but it requires real hardware, so how is that secured?
  • What security checks are made on staff who have access to the servers?

In other words, just apply the same best practice procedures that you are used to and carry them into your Virtual Cloudsvision negotiations. If you don't feel that the provider is taking you seriously, walk away and find one that does.

While uptime provision, the usual stomping ground of the SLA writer, is often thought of as little more than legal window dressing, data security is another kettle of fish altogether. Just as a guarantee of 99.9 percent availability is, in the real world of your business, pretty meaningless because only 100 percent is acceptable, so a CSSLA that commits to anything less than complete security of your data is, ultimately, worthless.
