CONSIDERATIONS BEFORE MOVING TO THE CLOUD

Size: px

Start display at page:

Download "CONSIDERATIONS BEFORE MOVING TO THE CLOUD"

Laureen Nelson
8 years ago
Views:

1 CONSIDERATIONS BEFORE MOVING TO THE CLOUD What Management Needs to Know Part I By Debbie C. Sasso Principal When talking technology today, it s very rare that the word Cloud doesn t come up. The benefits touted with the cloud include ease of use, easy to deploy, scalability, reduced capital expenditures, and the list goes on. Cloud services include virtualization, storage, backup solutions, software-as-a-service, business continuity and more. And, whether your business is considering one solution or five, there are multiple factors that management needs to consider before going to the Cloud. In part one of this two-part paper; we will discuss the following areas: Organizational Compliance Data Center Location Service Levels Provider Shutdown

The benefits touted with the cloud include ease of use, easy to deploy, scalability, reduced capital expenditures, and the list goes on.

2 Organizational Compliance Related to Information Technology Many state and federal regulations apply to your business whether you are privately or publicly held. Regulations are always changing and you don t want to be caught off-guard. Making sure you meet regulatory requirements can be quite complicated and often times frustrating. Now, let s throw cloud computing into the mix. A lot of concern has been expressed around cloud computing, the security measures employed and meeting compliance requirements such as: Sarbanes-Oxley (SOX) Health Insurance Portability and Accountability Act (HIPAA) Payment Card Industry Data Security Standard (PCI DSS) essential for ecommerce Protection of Personal Information for Massachusetts Residents (201 CMR 17.00) Gramm-Leach-Bliley Act (GLBA) Compliance Audits In your review of cloud services providers, you ll want to inquire about where your data will be hosted to ensure they meet the specific compliance requirements for your business. For data centers to be compliant they need to pass a variety of audits based on what data will be hosted in the facility. For example, to be HIPAA compliant they need to pass an audit to guarantee the facility follows the Code of Federal Regulation (CFR) set by HIPAA inspectors. The inspectors will take a comprehensive look at the facility to make sure that all data stored is protected and only available to authorized users. Once complete, a report is generated documenting that the provider has the proper procedure and policies in place to provide HIPAA hosting solutions. According to a Symantec Study State of Cloud global Results January 2013, more than half of survey participants said they were concerned about being able to prove they have met cloud compliance requirements. And, 23% revealed they had been fined for cloud privacy violations. Other compliance audits include SSAE 16 (Statements on Standards for Attestation Engagements No. 16) formerly known as SAS 70, SOC 1, SOC 2, and SOC 3, and PCI DSS. For the Protection of Personal Information there are certain security measures that you need to ensure your third party vendor is adhering to such as encryption of data and access control measures. The following websites provide more detailed information on each of these compliance audits:

Now, let s throw cloud computing into the mix.

3 Security Measures Data centers must provide ample security measures to protect the data of their clients to meet certain compliances. These security measures include: HTTPS and SSL Certificates For web-based access to information which is encrypted and secured to prevent unauthorized connections Encryption of data stored on servers A Secure Firewall - A secure firewall will prevent any unauthorized access to protected files. Remote VPN Access For authorized users to access the network using a remote computer. Disaster Recovery - A documented backup recovery plan in case of lost data or server malfunction Hosting Facility, Data Backup, and Infrastructure Backup Location(s) Hosting Facility Location Make sure the hosting facility location is not too close to your headquarters. Chances are if the two are close and a natural disaster damages or shuts down your corporate location, it could happen to the data center as well. You want to be close to your data, but not too close. Choose a facility away from flood zones and areas subject to hurricanes, tornadoes, earthquakes, as well as airports and power plants. This may seem easier said than done these days, but a reputable data center will have a well thought out location plan. During Superstorm Sandy, many data centers in New York City were down due to flood and power outages. These locations were in low lying areas in Manhattan and were susceptible to flooding. In many instances, the water flooded the generators preventing them from working. Airports and power plants typically have high electromagnetic interference or radio frequency interference. Because they are such large sources of interference they have the potential to impede the performance of the data center s servers and networking services.

A Secure Firewall - A secure firewall will prevent any unauthorized access to protected files. Remote VPN Access For authorized users to access the network using a remote computer.

4 Backup Locations When assessing a provider for cloud services, ask about backup locations. Are they located close enough that if the data center were to go down, the backup would be able to be accessed in a reasonable amount of time. If business operations needed to be switched from one data center to another, are the locations close enough that your business wouldn t experience a significant of downtime. And, as in choosing the hosting facility, make sure backup locations are far enough away that they are unlikely to be affected by the same disaster. Service Levels Service levels are defined in a Service Level Agreement also referred to as a SLA. Service levels include uptime, security, availability and much more depending on the nature of your business. How Much Downtime can Your Business Afford? Before discussing service levels, consider what is important to your business. Identify what your business requires in terms of your technology and processes. Do you have an e-commerce site? If so, it s important that your uptime is as close to 100% as possible since you want your customers to have access at any time to order your products. You will see a lot of providers offering 99.9%. Think about what would happen to your business if the hosting facility had a security breach or Internet access outage. What business processes would be interrupted? Operations, Customer Service, and Employee productivity could all come to a halt. Data is a crucial element of your business and its security needs to be a priority when considering a cloud service provider. Not all data is created equal. Financial information, employee information, and competitive data could all be considered data that needs a high service level in terms of security. How data will be protected should be laid out in your SLA*. If you find you need higher levels of service in terms of data protection, disaster recovery or any of the services above, these should be clearly identified in the SLA as well as what the consequences are if the agreed upon levels are not met. Once you identify the business requirements, you can decide what type of services you need. The result can also determine whether to consider a public, private, or hybrid cloud model. *In part II of this whitepaper we will address data security in the cloud.

If business operations needed to be switched from one data center to another, are the locations close enough that your business wouldn t experience a significant of downtime.

5 Cloud Provider Shuts Down A cloud provider could shut down for a variety of reasons such as bankruptcy, an unrecoverable power outage, contract disputes, vendor issues, etc. Although it s rare for a provider to shut down immediately without warning, it can happen. Therefore, it s important to have a contingency plan in place that addresses how you will get your data back. If you are working directly with the data center, the data must be given back to the customer since they do not have the capability to transfer data to another provider. However, if you use an IT Managed Services provider for cloud services, they can take care of giving your data back to you or transferring it to another supplier. To avoid complications due to a shutdown or interruption in cloud services: Make sure the provider has a documented plan to give your data back including method of transportation and formatting in case of closure. In the SLA, clearly identify the ownership and control rights of all company data Assess the financial strength and check references of the provider The move to the cloud is a big decision. For more information on cloud services or any of the material covered in this whitepaper: Contact Us info@ceservices.com (508) Have a backup plan in place to protect your business and your data in case your cloud services provider goes out of business. Part II of this whitepaper will focus on data security, transmission of data, data breaches, and encryption. If you would like notification when Part II of this whitepaper is available, please ces@ceservices.com.

If you are working directly with the data center, the data must be given back to the customer since they do not have the capability to transfer data to another provider.

Client Security Risk Assessment Questionnaire

Client Security Risk Assessment Questionnaire Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2