Five Security Questions to Ask Your Cloud Provider

Along with other due diligence and business questions you should ask prospective cloud service providers (or current ones, if you forgot to ask these questions earlier), here are five that address crucial and easily overlooked security issues.

Where is my data stored? The cloud is a metaphor, of course — your data will be stored physically somewhere, and you need to know where that somewhere is. Is the data center (and support facilities) located in an area with a higher than normal risk of natural disasters (hurricanes, wildfires, etc.)? How reliable is the facility's power supply, and what level of backup power does the facility have in place? Where are the cloud service provider's backup storage locations, and do those facilities meet the same standards that the main data center does?

What's the level of physical security in your facilities? Your cloud provider may have the best digital security tools and practices possible, but those offer little protection against physical intrusion. Is your cloud provider's data center (and support facilities) hardened against intruders? Is the facility equipped with surveillance equipment, and is that equipment itself secure? What are the provider's policies regarding paper records and their disposal? Are there human guards in place at every entrance and exit 24/7?

What's the nature of the provider's understanding of any compliance regulations you and your data may be subject to? If your business and its data are subject to regulatory compliance standards and rules, your cloud service provider had better understand those regulations as thoroughly as you do, and adhere to them with equal thoroughness and discipline. Identifying which party — you or the provider — is liable in the event of a violation is, of course, an essential part of this process. But because of the constantly shifting nature of the compliance landscape, your provider should be held to strict compliance levels under the appropriate regulations, even if liability isn't an issue. This one really is a case of “better safe than sorry.”

How strict are the firm's employee IT resource usage policies? While even a cursory investigation of a prospective cloud service provider should address the company's rules governing who gets to see your information and who does not, it's worthwhile to press a little further. What are the company's usage policies as far as non-business Internet and other access goes? Are employees allowed to access personal email, social networks, and non-business Web sites over company equipment? Are there different levels of usage policies for employees working with your data than for others?

What's the nature of your cloud service provider's Disaster Recovery and Business Continuity (DR/BC) plan? Even the safest and most secure businesses can experience disasters. How prepared is your cloud provider to bounce back from a disaster? How thorough — and thoroughly tested — is the company’s DR plan? How frequently is the plan tested? How closely has the company reviewed DR/BC in the event of a disaster that affects key personnel involved in the recovery?

Keith Ferrell