Office 365, Amazon Web Services, Google Apps for Work, Salesforce, Rackspace…if you are considering any of these or other cloud services for your business, you’re not alone. Whether it’s IaaS, SaaS, or PaaS, cloud computing is becoming the norm, with more than half of US businesses already consuming some cloud services from at least one vendor. If you aren’t yet in the cloud in some fashion, odds are good you soon will be. But before you make the jump to the cloud, make sure you ask your prospective service provider these ten questions, and dig deep on the answers to make certain you’re comfortable with them.
1. Where is your data?
The Internet is global, but laws are still local, and while cloud services make a big deal about being “in the cloud” and cloud computing is not supposed to have a physical location (think cloud!), local laws and jurisdiction still come into play. Find out where your data is going to be stored, and ensure you are comfortable with that.
2. Who owns your data?
You’d think that “your data” means data that is, well, yours, but read the fine print and ask directly what, if any, rights you are surrendering to your data when you place it “in the cloud.” A cloud service provider should be a custodian of your data, not an owner of it. Read closely what your chosen service provider can do with your data, and make sure that you are not giving up or conveying any rights to it, that you remain fully in control of it, and that only you can grant access to it. If the built-in controls for your data in the cloud are not sufficient for your needs, investigate encryption options that ensure your data remains solely within your control.
3. Who has access to your data?
As the custodian, the cloud service provider must by definition have some degree of access to your data, but find out exactly what standing access exists, what access the provider can grant themselves as a normal part of providing the service, and what controls you have over who has access to that data. Don’t expect the name and address of every person who works for or on behalf of the service provider, but make sure they perform the necessary due diligence in hiring, including background checks and clearances as appropriate, and find out what processes they follow when granting or revoking access and what approvals are tied to that.
4. How do you tell who has accessed your data?
I have one word for you…auditing. Get examples of audit logs. Look at what is audited and how long those logs are kept. Make sure you have access to them or can request them as desired. It’s your data, and you deserve to be able to determine who has accessed your data.
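Questions 3 and 4 both come down to the same exercise: take the sample audit logs the provider gives you and check whether you can actually answer “who touched my data, when, and was that access disclosed to me?” The script below is an added example, not from the original post or any provider; it works over a constructed JSON-lines log in a hypothetical schema (the field names, the actors such as svc-backup and support-7781, and the object paths are all made up) and shows the three checks a reviewer wants: every access to a given object, provider-side identities that were not on the disclosed standing-access list, and whether the retained history reaches back as far as your retention requirement.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample audit events in a hypothetical JSON-lines format (not any
# real provider's schema). Each record says who touched which object and how;
# "actor_type" distinguishes your own users from the provider's staff/services.
SAMPLE_AUDIT_LOG = """\
{"time": "2015-03-02T09:14:05Z", "actor": "alice@example.com", "actor_type": "customer", "action": "read", "object": "hr/payroll.xlsx"}
{"time": "2015-03-02T11:40:22Z", "actor": "svc-backup", "actor_type": "provider", "action": "read", "object": "hr/payroll.xlsx"}
{"time": "2015-03-15T16:02:49Z", "actor": "support-7781", "actor_type": "provider", "action": "read", "object": "hr/payroll.xlsx"}
{"time": "2015-03-16T08:00:00Z", "actor": "bob@example.com", "actor_type": "customer", "action": "write", "object": "finance/q1.docx"}
{"time": "2015-03-30T13:25:10Z", "actor": "alice@example.com", "actor_type": "customer", "action": "delete", "object": "finance/q1.docx"}
"""

# Fixed "now" so the retention check is reproducible (constructed, like the log).
AS_OF = datetime(2015, 6, 1, tzinfo=timezone.utc)


def parse_audit_log(text):
    """Parse JSON-lines audit events, converting timestamps to aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def accesses_to(events, obj):
    """Every recorded access to one object: (time, actor, actor_type, action)."""
    return [(e["time"], e["actor"], e["actor_type"], e["action"])
            for e in events if e["object"] == obj]


def provider_access_counts(events):
    """How often each provider-side identity touched your data."""
    return Counter(e["actor"] for e in events if e["actor_type"] == "provider")


def unexpected_provider_actors(events, expected_standing_access):
    """Provider identities seen in the log that were not disclosed as standing
    access (question 3). These are the ones to ask the provider about."""
    return set(provider_access_counts(events)) - set(expected_standing_access)


def retention_check(events, required_days, now):
    """Does the oldest retained event reach back as far as you need (question 4)?"""
    oldest = min(e["time"] for e in events)
    covered_days = (now - oldest).days
    return {"oldest_event": oldest, "covered_days": covered_days,
            "meets_requirement": covered_days >= required_days}


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_AUDIT_LOG)
    for when, who, kind, what in accesses_to(events, "hr/payroll.xlsx"):
        print(f"{when:%Y-%m-%d %H:%M} {kind:9} {who:20} {what}")
    # svc-backup is the only provider identity the (hypothetical) contract disclosed
    print("undisclosed provider actors:", unexpected_provider_actors(events, {"svc-backup"}))
    print(retention_check(events, 90, AS_OF))
```

On the constructed log this flags support-7781 as a provider identity that read hr/payroll.xlsx without being on the disclosed list, which is exactly the kind of finding to raise before signing, and it shows that the retained history covers 90 days, so a 90-day requirement is met but a 180-day one is not. When you run this against a provider’s real sample export, the first thing to check is whether their schema even carries an actor-type distinction; if you cannot tell the provider’s staff from your own users, question 3 is unanswerable from the logs.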
5. How are charges determined?
Cloud computing services have various charge models, but are supposed to be based on some form of consumption. Make sure you understand how those charges are calculated and what metric(s) are used. The last thing you want to do is go into this expecting a $1,000 a month bill, only to find some configuration mistake or runaway process ran up a $10,000 charge this month. Make sure you can either set limits, get warnings, or otherwise prevent overruns from occurring without your express consent.
6. How is the SLA determined?
Each cloud service provider seems to have their own SLAs for uptime, availability, response time, recovery time, etc. etc. etc. Make sure you understand what your SLAs are, if anything is not covered by an SLA, how SLA metrics are measured, and what your recourse is if your service provider fails to meet an SLA.
7. What are the RPO, RTO, and data availability goals?
How your service provider performs backups, restores, disaster recovery, and business continuity is almost certainly going to differ from how you do it. You don’t want to move to the cloud this month, only to find out in six months, when an executive wants you to restore a deleted message from three months prior, that your service provider doesn’t keep backups around for that long. You don’t have to find a service provider that will do exactly as you have done…in fact you may not be able to…but you do need to understand what they do and do not do, and you might have to adjust either your processes or your users’ expectations accordingly. That same executive who will want a deleted message recovered from 90 days ago might be okay with losing that option if you’re saving the business 40% by moving to the cloud, as long as he knew about it ahead of time.
8. What compliance standards are met and who determines them?
If you are in a regulated industry, publicly traded, accept credit cards, store customer data, work with medical records, or pretty much do anything other than sell vegetables off the back of your pick-up truck, you are probably required to meet some compliance standard or another. Moving your services to the cloud doesn’t exempt you from those standards…it means you are now responsible for ensuring your provider meets the same standards. Make a complete list of all standards you must comply with, confirm that your provider does as well, and validate how your provider confirms and proves compliance. Odds are really good you won’t be able to audit a cloud service provider’s facilities and operations yourself, so find out who does and make sure those audit findings are available to you, and acceptable for your needs.
9. How do you cancel?
Many cloud service providers offer services to their customers on a subscription model, which implies that you can cancel at any time. Find out how you do that, what the process is, and how you move your data from them to wherever you want it to go, be that back to on-premises or to a competing provider. Most service providers should want to ensure you are satisfied with their services and don’t want to cancel, but you don’t want to discover, if you are not happy, that while you could cancel, the move would be too time-consuming or too costly to perform and you are, in essence, captive.
10. What happens to your data if you do?
Again, it’s your data, so if you decide to cancel and move elsewhere, you take it with you. But it’s digital data, not physical, so what does the service provider do to ensure your data is gone? Don’t expect a cloud service provider to destroy disk drives, or even overwrite them using NIST 800-88 compliant procedures, but you do want to make sure your data is scrubbed off their systems and not mined for nuggets or otherwise left available for future access.
Businesses can save money, time, and effort by moving to the cloud. Cloud service providers offer a myriad of services, from IaaS to SaaS and PaaS, and can provide your business with options and capacities that rival anything you could do even with unlimited funds. Moving to the cloud can be a great business decision for you, but make sure you go past all the hype and marketing, and look very closely at all the technical issues and ramifications of essentially ceding some control of your data to a service provider. The cloud can be a great thing for your business, as long as you pay attention to the details and go in with your eyes wide open. Consider this checklist of top ten questions carefully before you make the move, and your experience should be a good one!
Photo credit: George Thomas