#1 – Make sure you retain ownership, use and control of your own data.
Understand the Termination Clause! Read your contract and understand how to properly terminate any cloud computing services. Receive a copy of ALL of your data in a usable form.
#2 – The right to Service Level Agreements (SLAs) that address liabilities, remediation and business outcomes.
All computing services – including cloud services – suffer slowdowns and failures. Cloud providers should commit to recovery times, specify the forms of remediation and/or spell out the procedures they will follow.
#3 – The right to notification and choice about changes that affect the service consumers’ business processes.
All cloud computing providers will need to take down systems, interrupt services or make changes in order to increase capacity. Ensure that their policies protect your business processes from these changes by providing advance notification of major upgrades or system changes and granting you some control over the schedule.
#4 – The right to understand the technical limitations or requirements of the service up front.
Cloud providers should fully explain their systems, technical requirements and limitations from the beginning. This is crucial so that after you have committed to a cloud service, you do not run the risk of needing to invest in major changes.
#5 – The right to understand the legal requirements of jurisdictions in which the provider operates.
If the cloud computing provider stores or transports the consumer’s data in or through a foreign country, the service consumer becomes subject to the laws and regulations of these jurisdictions.
#6 – The right to know what security processes the provider follows.
Security breaches can happen at multiple levels of technology. Service consumers must understand the processes a provider uses, so that security at one level (such as the server) does not subvert security at another level (such as the network).
#7 – The responsibility to understand and adhere to software license requirements.
Providers and consumers must come to an understanding about how the proper use of software licenses will be assured.
Cloud Security – I think I am afraid?
The following 5 security points are critical in the choice of a cloud provider for your organization.
#1 – Privileged user access
Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the “physical, logical and personnel controls”. Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access.
#2 – Regulatory compliance
Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. Cloud providers who refuse to undergo this scrutiny are signaling that customers can only use them for the most trivial functions.
#3 – Data segregation
Data in the cloud is typically stored in a shared environment alongside data from other customers. Encryption is effective but isn’t a cure-all. Find out what is done to segregate data at rest. The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists. Encryption accidents can make data totally unusable, and even normal encryption can complicate availability.
#4 – Investigative support
Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centers. If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then the only safe assumption is that investigation and discovery requests will be impossible.
#5 – Long-term viability
Ideally, your cloud computing provider will never go broke or get acquired and swallowed up by a larger company. Be sure your data will remain available to you, should such an event occur. Ask potential providers how you would get your data back and if it would be in a format that you could import into a replacement application.
If you know your rights and clear the basic security review, you will greatly enhance your chance of success with your cloud provider and the cloud computing services you have selected.