5 Questions to ask a 3 rd Party Cloud Provider

Transcription

1 Effective Data, Inc. White Paper: 5 Questions to ask a 3 rd Party Cloud Provider By Timothy Wightman 1515 E. Woodfield Rd. Suite 200 Schaumburg, IL Tel (847) Fax (847)

2 TABLE OF CONTENTS Introduction What is Cloud Computing 5 Questions to ask a 3 rd Party Cloud Provider Conclusion About Us Page 2

3 Introduction Currently many businesses have evaluated their current IT infrastructure and determined that outsourcing data to the cloud is more efficient and cost-effective, since the cloud allows data to be accessed from anywhere in the world. Third-party cloud servers provide businesses efficiency and flexibility since companies use as much or as little storage capacity as they need. About Effective Data (ED), we specialize in EDI Consulting and Data Integration. Founded by EDI experts, ED has been a pioneer in the electronic commerce consulting arena for over 22 years. Effective Data's core competency is developing and managing technically robust EDI solutions. With each project, our EDI Specialists collaborate to identify key business objectives, define a solution and continually manage the project through implementation. This is all prepared with a thorough understanding of industry standards, best practices and technology. ED has supported companies of all sizes and in every industry. We are a vendor agnostic company that does not endorse any single product or service. We work with all EDI, EAI and B2B platforms. Headquartered in the Chicagoland area with satellite offices throughout the United States, we are prepared to provide all your EDI and Data Integration needs nationwide. Page 3

4 What is Cloud Computing? In computer networking, cloud computing is a phrase used to describe a variety of computing concepts that involve a large number of computers connected through a real-time communication network such as the Internet. It is very similar to the concept of utility computing. In science, cloud computing is a synonym for distributed computing over a network, and means the ability to run a program or application on many connected computers at the same time. The phrase is often used in reference to network-based services, which appear to be provided by real server hardware, and are in fact served up by virtual hardware, simulated by software running on one or more real machines. Such virtual servers do not physically exist and can therefore be moved around and scaled up or down on the fly without affecting the end user, somewhat like a cloud becoming larger or smaller without being a physical object. In common usage, the term "the cloud" is essentially a metaphor for the Internet. Marketers have further popularized the phrase "in the cloud" to refer to software, platforms and infrastructure that are sold "as a service", i.e. remotely through the Internet. Typically, the seller has actual energy-consuming servers which host products and services from a remote location, so end-users don't have to; they can simply log on to the network without installing anything. The major models of cloud computing service are known as software as a service, platform as a service, and infrastructure as a service. These cloud services may be offered in a public, private or hybrid network. Source: Wikipedia Page 4

5 5 Questions to ask a 3 rd Party Cloud Provider 1) What is your data encryption policy? Your vendor should have a policy of encryption for all data in transit, at rest, or in mobile devices. Pay particular attention to the vendor s data decryption process. By failing to encrypt all data, you risk information compromise or serious regulatory compliance issues. The highest standards for encryption are 256-bit Advanced Encryption Standard (AES) SSL for transit, and 256-bit AES for data at rest approved by the National Security Agency and used globally. A note about decryption: This is the process of decoding data that have been encrypted into a secret format. Decryption requires a secret key or password. Pay particular attention to the vendor s data decryption process. It needs to be easy to use but also totally secure. It s just as important as the vendor s encryption policy. If you can encode messages (or information) in such a way that hackers cannot read it, but others who are allowed to decode it cannot read it, there could be a problem. 2) How do you manage encryption keys? Many security breaches occur because of lax management regarding the encryption keys. When evaluating third-party vendors, make sure the company provides separation between the encryption data and the encryption keys. You should expect candidates to have separate data sets centers; this provides enhanced security by eliminating a single point of failure. Examine the vendor s business process to determine the extent of access to data systems by its employees, which should be strictly limited. The process should have safeguards to ensure that encrypted file data and the correct file version encryption key are brought together only as needed. 3) What data protection certifications do you have? Vendors earn certifications for a broad range of tasks, ranging from information handling at a particular data center to business practices for protecting information. If you want the very best in data security, select a company whose data centers passed asoc 1 audit under SSAE-16 guidelines (formerly called SAS70 Type II) and were tested by outside auditors. Data centers that pass the SSAE-16 audit have completed meticulous requirements related to physical security, physical access, and internal business controls. Also question the provider about the process for destroying data. The company should answer that it follows and complies with Department of Defense M or NIST the standard for disk erasure. Page 5

6 4) What is your standard for data durability? It is mission-critical to have your data available 24/7, 365 days a year, and without corruption. For this service to be considered excellent was % ( five nines ); however, some vendors today now offer 10 or 11 nines. Your cloud storage provider should back up all data in triplicate at various data centers. This protects against connectivity issues or if a data center goes down unexpectedly. The backup data should synchronize automatically and immediately. 5) How much control do I have over data stored in the cloud? You may want to maintain control over data for its entire lifecycle. This includes when and how your data streams, how it is physically stored, and how you manage creating data or capturing files, documents, or messages. Make sure the vendor has policies that complement your need to upload content and manage users accounts or devices that have the ability to access or make changes to the system. Evaluate the vendor s plan for unexpected incidents, such as sending data to the wrong location because of errors, configuration problems, or malicious intent. These 5 questions to ask a potential cloud computing outsource are by no means comprehensive, but should help in your search to find the right partner. Page 6

7 Conclusion Take Action Visit us on the web at Call us at (847) Schedule a business case assessment Page 7

8 Business Partnerships Page 8

9 Implementers of Page 9