It’s one thing to say that you want to expand your business processes to the cloud. It’s another thing to do so without any regard for the business choices that can protect your business.
However, when we’re unsure about the services another business offers – whether that’s watering the office plants or hiring a recruiter – sometimes we aren’t even sure what questions to ask. These initial guidelines dive right to the heart of your fears: Is my data safe and secure?
Hosting your enterprise process and data online—rather than on corporate servers—begs an important question: “How can I be sure my data is safe?” It’s a common misperception that cloud-based solutions are intrinsically vulnerable to security breaches and loss. In fact, vendors are so committed to the security of their clients’ data that many offer far heftier security measures than their clients themselves could provide. They’re motivated to do so. You think in terms of protecting your own company. If the vendor screws up, they didn’t create a disaster for just your business; they’ve failed to protect their own.
Security has two key dimensions when it comes to cloud computing; it involves both physical and logical protection of the platform.
Physical protection involves protecting the perimeters where the systems are running including the controlled and auditable access, the network security, the internal systems security, data movement and data backup security, various policies and procedures followed by everyone who has or needs access to any part of the system, and finally third party certifications (like SSAE16), and security audits. What this means is that business IT services providers or companies that provide Cloud Computing services are compliant with reporting standard that promotes financial transparency, that they demonstrate they are financially responsible and equipped to best handle their clients’ data.
Logical protection involves securing your application with proper access controls which includes user authentication and authorization. Below the application layer is the security around making the hosting environment like the servers (many times these are virtual servers) and logical network. Vendors should also capture proper logs that can be the audit trail on who accessed the system. What this means is that – on a cloud service you can get a virtual instance of your own network, storage and servers which are properly secured from other clients environments.
Logical and physical securities are both important to ensure your business processes run on a safe and reliable environment. In other words: a reputable cloud vendor ensures that the only people who can get to your data are the people to whom you grant access.
You don’t have to know all the right “techie” questions yourself. Often my team works with customers who bring us a detailed questionnaire (typically called RFI – request for information). Sometimes they hire a third-party security audit company to run their due-diligence process.
Reputable cloud computing companies make disaster recovery a top priority. The question you should ask is not if the vendor has disaster recovery in case of natural disaster or other failures – they must, or they can’t really be serious about their business – but how long the service would be unavailable in the case of an emergency. What is the potential data loss during a data center failover?
Disaster recovery typically is provided by failing over the service from one geographical data center to another. To provide complete disaster recovery, the vendor must have data backup procedures whereby the data is replicated from the primary data center to the disaster recovery data center, hopefully in real-time. The disaster recovery data center must have equivalent compute capacity and properly configured software compared to the primary data center (hopefully 1:1) so that the failover, in the event of a failure, can be performed in minimum possible time.
Additionally, the vendor’s data centers should be geographically dispersed so that a natural disaster in one region does not leave the vendor’s entire infrastructure vulnerable. It would also be a valuable data point in your decision process if the vendor provided guidance on how often they test and how they test to ensure the disaster recovery site is functional and that the integrity of the backed up data is in good health.
But you aren’t going to a cloud vendor just for security and data integrity, no matter how important these are. You want to be sure that the vendor can provide the services you need under any circumstances. Next, I explain what these issues are and how to find out if your vendor can deliver.