CONSIDERATIONS BEFORE MOVING TO THE CLOUD
What Management Needs to Know
Part I

By Debbie C. Sasso, Principal

When talking technology today, it's very rare that the word Cloud doesn't come up. The benefits touted with the cloud include ease of use, easy deployment, scalability, reduced capital expenditures, and the list goes on. Cloud services include virtualization, storage, backup solutions, software-as-a-service, business continuity and more. And, whether your business is considering one solution or five, there are multiple factors that management needs to consider before going to the Cloud.

In part one of this two-part paper, we will discuss the following areas:

- Organizational Compliance
- Data Center Location
- Service Levels
- Provider Shutdown

Organizational Compliance Related to Information Technology

Many state and federal regulations apply to your business whether you are privately or publicly held. Regulations are always changing and you don't want to be caught off-guard. Making sure you meet regulatory requirements can be quite complicated and oftentimes frustrating. Now, let's throw cloud computing into the mix. A lot of concern has been expressed around cloud computing, the security measures employed and meeting compliance requirements such as:

- Sarbanes-Oxley (SOX)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS), essential for ecommerce
- Protection of Personal Information for Massachusetts Residents (201 CMR 17.00)
- Gramm-Leach-Bliley Act (GLBA)

Compliance Audits

In your review of cloud services providers, you'll want to inquire about where your data will be hosted to ensure they meet the specific compliance requirements for your business. For data centers to be compliant they need to pass a variety of audits based on what data will be hosted in the facility. For example, to be HIPAA compliant they need to pass an audit to guarantee the facility follows the Code of Federal Regulation (CFR) set by HIPAA inspectors. The inspectors will take a comprehensive look at the facility to make sure that all data stored is protected and only available to authorized users. Once complete, a report is generated documenting that the provider has the proper procedures and policies in place to provide HIPAA hosting solutions.

According to a Symantec study, State of Cloud Global Results, January 2013, more than half of survey participants said they were concerned about being able to prove they have met cloud compliance requirements. And, 23% revealed they had been fined for cloud privacy violations.

Other compliance audits include SSAE 16 (Statements on Standards for Attestation Engagements No. 16) formerly known as SAS 70, SOC 1, SOC 2, and SOC 3, and PCI DSS. For the Protection of Personal Information there are certain security measures that you need to ensure your third party vendor is adhering to, such as encryption of data and access control measures.

The following websites provide more detailed information on each of these compliance audits:

https://www.pcisecuritystandards.org/security_standards/

Security Measures

Data centers must provide ample security measures to protect the data of their clients to meet certain compliances. These security measures include:

- HTTPS and SSL Certificates - For web-based access to information which is encrypted and secured to prevent unauthorized connections.
- Encryption of data stored on servers.
- A Secure Firewall - A secure firewall will prevent any unauthorized access to protected files.
- Remote VPN Access - For authorized users to access the network using a remote computer.
- Disaster Recovery - A documented backup recovery plan in case of lost data or server malfunction.

Hosting Facility, Data Backup, and Infrastructure Backup Location(s)

Hosting Facility Location

Make sure the hosting facility location is not too close to your headquarters. Chances are if the two are close and a natural disaster damages or shuts down your corporate location, it could happen to the data center as well. You want to be close to your data, but not too close.

Choose a facility away from flood zones and areas subject to hurricanes, tornadoes, earthquakes, as well as airports and power plants. This may seem easier said than done these days, but a reputable data center will have a well thought out location plan.

During Superstorm Sandy, many data centers in New York City were down due to flood and power outages. These locations were in low lying areas in Manhattan and were susceptible to flooding. In many instances, the water flooded the generators, preventing them from working.

Airports and power plants typically have high electromagnetic interference or radio frequency interference. Because they are such large sources of interference they have the potential to impede the performance of the data center's servers and networking services.

Backup Locations

When assessing a provider for cloud services, ask about backup locations. Are they located close enough that if the data center were to go down, the backup would be able to be accessed in a reasonable amount of time? If business operations needed to be switched from one data center to another, are the locations close enough that your business wouldn't experience a significant amount of downtime? And, as in choosing the hosting facility, make sure backup locations are far enough away that they are unlikely to be affected by the same disaster.

Service Levels

Service levels are defined in a Service Level Agreement, also referred to as an SLA. Service levels include uptime, security, availability and much more depending on the nature of your business.

How Much Downtime Can Your Business Afford?

Before discussing service levels, consider what is important to your business. Identify what your business requires in terms of your technology and processes. Do you have an e-commerce site? If so, it's important that your uptime is as close to 100% as possible since you want your customers to have access at any time to order your products. You will see a lot of providers offering 99.9%.

Think about what would happen to your business if the hosting facility had a security breach or Internet access outage. What business processes would be interrupted? Operations, customer service, and employee productivity could all come to a halt.

Data is a crucial element of your business and its security needs to be a priority when considering a cloud service provider. Not all data is created equal. Financial information, employee information, and competitive data could all be considered data that needs a high service level in terms of security. How data will be protected should be laid out in your SLA*.

If you find you need higher levels of service in terms of data protection, disaster recovery or any of the services above, these should be clearly identified in the SLA, as well as what the consequences are if the agreed upon levels are not met.

Once you identify the business requirements, you can decide what type of services you need. The result can also determine whether to consider a public, private, or hybrid cloud model.

*In part II of this whitepaper we will address data security in the cloud.

Cloud Provider Shuts Down

A cloud provider could shut down for a variety of reasons such as bankruptcy, an unrecoverable power outage, contract disputes, vendor issues, etc. Although it's rare for a provider to shut down immediately without warning, it can happen. Therefore, it's important to have a contingency plan in place that addresses how you will get your data back.

If you are working directly with the data center, the data must be given back to the customer since they do not have the capability to transfer data to another provider. However, if you use an IT Managed Services provider for cloud services, they can take care of giving your data back to you or transferring it to another supplier.

To avoid complications due to a shutdown or interruption in cloud services:

- Make sure the provider has a documented plan to give your data back, including method of transportation and formatting, in case of closure.
- In the SLA, clearly identify the ownership and control rights of all company data.
- Assess the financial strength and check references of the provider.

The move to the cloud is a big decision. For more information on cloud services or any of the material covered in this whitepaper: Contact Us (508)

Have a backup plan in place to protect your business and your data in case your cloud services provider goes out of business.

Part II of this whitepaper will focus on data security, transmission of data, data breaches, and encryption. If you would like notification when Part II of this whitepaper is available, please