Marketing has succeeded in spreading the word about cloud computing, but very few people can explain what the cloud actually represents or what it means to them. Here are the questions you should be asking your service provider, to ward off any grey clouds on the horizon.
Ask the average computer user to describe cloud computing and chances are you will get a blank look or a chat about the weather. Marketing has succeeded in informing internet users of the existence of cloud computing, yet few users can explain what the cloud represents or what it means to them. Virtually all internet users have been introduced to cloud technologies without being aware of it.
The cloud computing industry has entered its formative years and is now able to provide solutions for organisations looking to keep new technology investments and costs low. Adherence to compliance, security and accountability governance policies is expected of cloud providers. Unfortunately, certificates and audit assessments don’t reveal how a cloud service provider will respond to a business disruption.
Service Level Agreements and contractual obligations may not provide cloud users complete protection in the event of a business disruption. Equally risky is not having a data recovery clause included in a cloud provider contract. Overconfidence that storage equipment will be self-healing or 100 percent redundant is naive and cost-prohibitive. Synchronous data replication is expensive and does not prevent the results of human error or malicious data destruction.
Have an Umbrella for the Cloud
As cloud services are relatively new, a customer may not realise the limitations of an SLA contract until a business disruption occurs. For example, what compensation or credit does the SLA provide due to an outage, or how will the cloud provider’s recovery procedure restore the missing services?
Cloud customers may realise too late that they require more resilience from their cloud contracts. Cloud providers without in-house or third-party recovery specialists available to assist in resolving the business disruption don’t provide an expected level of trust to their clients. During an outage, all management hands are on deck, working feverishly to restore services, replace equipment, restore backups, and perform root cause analyses and other investigative tasks associated with management’s need to understand what triggered the event. Cloud providers that attempt to keep everything in-house quickly discover that an already burdened IT staff nears the breaking point during an outage.
A cloud outage can result from network failure, hardware replacement, a network attack from the outside, or a software bug, to cite common causes. Additionally, despite advances in data storage technology, data loss occurs in the cloud and can contribute to an outage. Data recovery service companies such as Kroll Ontrack can get data back from storage devices that have failed, have been mismanaged through human error, or have even been victimised by outright sabotage. However, data recovery service providers are not directly tied to the storage-to-consumer supply chain. Recovery services are used by storage consumers only after they have lost access to their data. No one really believes that a storage failure or data loss will happen to them.
Yet, when it does, a cloud provider (or client) that did not fully back up their data immediately before the disaster can work with a data recovery service company to get that original data back. However, data recovery is only one aspect of the cloud computing discussion. Data destruction is equally important.
Understanding what happens to your data when the cloud contract ends is part of researching cloud providers. Large data centres will have OEM service contracts to maintain the storage equipment and have failed drives destroyed or degaussed before leaving the secure environment. It is easy to assume that deleted data will be quickly overwritten by the endless write operations of subsequent storage. However, complete data destruction requires that specific client files go through an erasure process. This is where sensitive files are overwritten with pseudorandom data and then deleted from the volume.
Nothing but Blue Skies in the Cloud
Having a clear forecast for your cloud strategies requires seeing all of the obstacles. Some of those obstacles will be from the service provider and others will be from the project strategy and budget. Knowing where the service provider’s provisions end and where your data protection arrangements start is vital to keeping your infrastructure or applications available for your customers.
Kroll Ontrack recommends that businesses consider the following questions to keep their organisation’s skies blue:
- Do the backup systems and protocols meet your own in-house back-up standards?
- Does your cloud provider have a record of technical reliability to cope with your needs?
- Is your data stored on reliable storage systems?
- Are the different types of data and applications managed appropriately?
- Does your cloud vendor have a data recovery provider identified in its business continuity/disaster recovery plan?
- How does the vendor prove they comply with data retention laws?
- What are the service level agreements with regard to data recovery, liability for loss, remediation and business outcomes?
- How secure is your data? What measures does the provider take to reduce the risk of a data breach? For example, is the data encrypted?
- Do you know who within your company and the cloud service provider can access your data?
- Do you still own your data once it goes into the cloud?
- Do you own it once it leaves your possession?
- Is end-of-life data erased and degaussed from all hardware, who certifies that it has been deleted, and has it been erased to your country’s specific erase standards?
- Does the cloud vendor retain data in line with your company’s corporate document retention policy?
- Will the cloud provider offer assurances that it will comply with data protection regulations?
- In case of litigation or an investigation, will you or your external e-discovery provider be able to access and either extract or preserve all electronically stored information?
- In the case of e-crime or a data breach, forensic investigators will secure all of the storage, and that may include your data.
- If data is shared between cloud services, this may complicate the investigation and leave you and your customers without any
- Where exactly is your data stored?
- Is it virtualised with data from other companies?
- Where is the data centre geographically?
- Will the data be stored in jurisdictions that subject it to subpoena by third parties?
- If you terminate a cloud relationship can you get your data back? What format will it be in?
- How can you be sure all copies of your data are destroyed when the contract ends?