ICT Management. > Strategy & Planning
Software > Buying & Owning Software, Internet Based Software
Hardware > Buying & Owning Hardware
Top questions to ask your prospective Cloud Provider
Intermediate
By Peter Tomusange
Cloud computing offers many benefits and there is a growing number of vendors out there - but how do you tell if the cloud provider (CP) you are considering using is actually ‘fit for purpose’?
This article provides a non-technical overview of the leading issues a Third Sector organisation must consider when choosing a Cloud Computing services provider.
Before committing to a particular Cloud Provider you’ll want to have answers to questions about issues including:
- The Service Level Agreement (SLA)
- Data security
- Data centre location
- Data integrity and segregation
- Data portability
- Data deletion, retention, and sanitisation
- Service Availability
- Data backup and disaster recovery
- Total Cost of Ownership
- Financial security
- References, References, References
We’ll now look at each of these areas in a bit more detail…
The Contract: Service Level Agreements (SLAs)
It is now common practice for CPs to have SLAs. For you however, the concern is the detail of the SLA. The majority of these are so standardised, that they may not be suitable for your particular line of business;
- If the standard SLA is inadequate, will the provider accept a negotiated SLA (aka modular) that suits your needs? (More information on contracts and SLAs is available on the Open Computing Alliance website).
Data Security:
Perhaps the biggest deterrent to cloud computing adoption is the fear of data loss whilst it is in the control of the CP. Key questions regarding data security should include:
- Is the data centre penetration (pen test) tested (to ensure there are no security holes), and how often is the pen test done? (To learn more about this visit the British Computer Society (BCS) website)
- How is the data secured as it is transferred between their data centres and your organisation’s users?
- What security assurances are in place, when data is within their data centres? – e.g. Is it encrypted, how is the data centre physically secured etc?
- Is there third-party access to your data? For example, often there will be systems administrators, and possibly other third parties, – who are they and how are they vetted? Are they explicitly stated in the SLA? Also, is there complete visibility (e.g. access logs) of all times when your data is accessed?
- What are the reporting and notification procedures in case there has been a breach? – The faster you know about it the better
Fortunately, internationally recognised Standards and certifications (e.g. Services Organisations Controls – SOC), have been developed to help regulate in these areas (and others e.g. ISO 270001 and ISAE 3402).
Always ask the CP for these industry certifications – a lack of them speaks volumes
Data centre location
Where are the data centres that store your data geographically located?
Reasons why you should know the physical location of these data centres:
- Statutory requirements – there are strict regulations on the processing of personal data outside of the EU. For more on this, please see the knowledgebase article Cloud Computing - Data Protection And Other Legal Issues and Computanews issue 158 (1 Mb PDF)
- Jurisdictional requirements –the physical location of your data helps understand which country’s laws apply should a court dispute arise
- Environmental risks – are there any significant natural risks e.g. earthquakes, floods etc. Would you prefer not to be associated with a particular political environment? Locating a data centre in a cheaper energy source might have further implications on the local environment e.g. what is the impact of the data centre location to the local environment?
Data Integrity and segregation
CPs store your data in shared databases, and often the same database tables (multi-tenancy), only differentiated by user permissions (See the MSDN website for a detailed technical discussion on multi-tenancy).
The key risk with this is “data contamination” - a software or administrative mistake might expose your data to other users with whom you share the database tables and its integrity might be compromised.
Therefore, ask the CP how data will be stored, e.g. will it be in
- A shared database, but within different tables?
- Different databases altogether?
- Shared databases and in shared tables?
If you are storing very sensitive data, you may consider a deeper level of data isolation but it will involve higher costs.
Ask what the different costs are, and balance these out with your data isolation needs.
Data portability
What procedures are in place for moving your data between CPs should you need to?
The risk is “Vendor Lock-in” – that is, inability to move your data from one provider to another thereby being locked into that provider’s service and that cannot be acceptable. Ask:
- Who is responsible and what procedures are there for migrating your data should you wish to?
- Are there additional costs?
Data deletion, retention, and sanitisation
The CP must provide guarantees about the deletion, and sanitisation of any sensitive data that resides anywhere in the CP’s environment including, in backup copies and any other storage devices.
- Can the CP trace where all your data is stored for sanitisation purposes?
There is however legal requirement for the retention of some types of data.
Copyright © 2011 Peter Tomusange
