5 Questions to Ask a Potential Cloud Computing Outsource
Many businesses have evaluated their current IT infrastructure and determined that outsourcing data to the cloud is more efficient and cost-effective, since the cloud allows data to be accessed from anywhere in the world. Third-party cloud servers provide businesses efficiency and flexibility since companies use as much or as little storage capacity as they need.
Before you outsource important company data to a third-party cloud provider, here are 5 questions to ask:
1) What is your data encryption policy?
Your vendor should have a policy of encryption for all data, whether in transit, at rest, or on mobile devices. By failing to encrypt all data, you risk information compromise or serious regulatory compliance issues.
The highest standards for encryption are SSL with 256-bit Advanced Encryption Standard (AES) for data in transit, and 256-bit AES for data at rest, a standard approved by the National Security Agency and used by global companies.
A note about decryption: This is the process of decoding data that have been encrypted into a secret format. Decryption requires a secret key or password. Pay particular attention to the vendor’s data decryption process. It needs to be easy to use but also totally secure. It’s just as important as the vendor’s encryption policy. If messages (or information) are encoded in such a way that hackers cannot read them, but the people who are allowed to decode them cannot read them either, there could be a problem.
2) How do you manage encryption keys?
Many security breaches occur because of lax management of encryption keys. When evaluating third-party vendors, make sure the company keeps the encrypted data separate from the encryption keys. You should expect candidates to have separate data centers; this provides enhanced security by eliminating a single point of failure.
Examine the vendor’s business process to determine the extent of access to data systems by its employees, which should be strictly limited. The process should have safeguards to ensure that encrypted file data and the encryption key for the correct file version are brought together only as needed.
3) What data protection certifications do you have?
Vendors earn certifications for a broad range of tasks, ranging from information handling at a particular data center to business practices for protecting information. If you want the very best in data security, select a company whose data centers passed a SOC 1 audit under SSAE-16 guidelines (formerly called SAS70 Type II) and were tested by outside auditors.
Data centers that pass the SSAE-16 audit have completed meticulous requirements related to physical security, physical access, and internal business controls.
Also ask the provider about its process for destroying data. The company should answer that it follows and complies with Department of Defense 5220.22-M or NIST 800-88, the standards for disk erasure.
4) What is your standard for data durability?
It is mission-critical to have your data available 24/7, 365 days a year, and without corruption. The benchmark for this service to be considered excellent was 99.999% (“five nines”); however, some vendors now offer 10 or 11 “nines.” Your cloud storage provider should back up all data in triplicate at various data centers. This protects against connectivity issues or a data center going down unexpectedly.
The backup data should synchronize automatically and immediately.
5) How much control do I have over data stored in the cloud?
You may want to maintain control over data for its entire lifecycle. This includes when and how your data streams, how it is physically stored, and how you manage creating data or capturing files, documents, or messages. Make sure the vendor has policies that complement your need to upload content and manage users’ accounts or devices that have the ability to access or make changes to the system.
Evaluate the vendor’s plan for unexpected incidents, such as sending data to the wrong location because of errors, configuration problems, or malicious intent.
These 5 questions to ask a potential cloud computing outsource are by no means comprehensive, but should help in your search to find the right partner.