9 Cloud Security Questions you need to ask Service Providers

Companies in Ireland and the UK who are considering cloud adoption might already have a general idea of the security risks inherent in cloud computing. However, since different providers may not offer the same levels of risk mitigation, it is important to know which providers can give sufficient assurance on cloud security.

Here are 10 cloud security questions to ask service providers vying for your attention.

1. Where will my data be located?

There are a variety of reasons why you will want to ask this question. One big reason is that there are certain countries that don’t have strict legislation (or any legislation at all) pertaining to cloud computing. In that case, the provider won’t be as motivated to apply high levels of risk mitigation.

So if your data is hosted off shore, then you might want to reconsider or at least conduct a deeper study regarding the security conditions there.

2. Do you have provisions for regulatory compliance?

Certain standards and regulations (e.g. PCI DSS and possibly the EU Data Protection Directive) have specific guidelines pertaining to data stored in the cloud. If your organisation is covered by any of these legislation, then you need to know whether your provider can help you meet requirements for compliance.

3. Who will have access to my data?

In a cloud environment, where your data is going to be managed by people who aren’t under your direct supervision, you’ll have to worry as much about internal threats as you would with external threats.

Therefore, you need to know how many individuals will have access to your data. You also need to know relevant information such as how admins and technicians with data access rights are screened prior to getting hired. You also need to determine what access controls are being implemented.

4. How is data segregated?

Since there will be other clients, you will want to know how your data is going to be segregated from theirs. Is there any possibility of an accidental or intentional data breach due to poor data segregation? Find out if your data is going to be encrypted and how strong the encryption algorithm is.

5. How will you support investigative activities?

Sometimes, even if strong cloud security measures are in place, a data breach can still happen. If it does happen, the provider should have ways to track each user/administrator’s activity that can sufficiently support a detailed data forensics investigation.

Find out whether logs are being kept and how detailed they are.

6. Are we protected by a Disaster Recovery/Business Continuity plan? How?

Don’t be fooled by sales talk of 100% up-time. Even the most robust cloud infrastructures can suffer outages too. But the important thing is that, when they do fail, they should be able to get up and running in the soonest time possible.

Don’t just ask about their guaranteed RPOs and RTOs. Find out whether your data and applications will be replicated across multiple sites. Unless the provider says they will be, you need to find a provider with a better infrastructure.

7. Can I get copies of my VMs?

In a cloud infrastructure, your servers are actually in the form of files known as virtual machines (VMs). Because VMs are just files, they should be easily copied. There may be issues though, like the VMs might be stored in a not-so-popular proprietary format. Another possible issue is that the provider may simply not allow copying.

Having copies of your VMs can be useful should you later on decide to transfer to another provider or even duplicate your cloud infrastructure on your own.

8. What will happen to my data when I scale down?

One outstanding benefit of cloud computing is that when your business demands drop, you can easily scale down computing resources and reduce your cloud spending. ?But what will happen to your data when you decommission virtual servers? Will they be discarded?

You might want your data to be retained up to a certain period. On the other hand, you might also want them to be deleted immediately. Ask about the provider’s data deletion/data retention policies and see if they are in line with yours.

9. What will happen to my data if I decide to close my account?

There might come a time when you’ll want to terminate your contract with your cloud provider. Just like in issue #8, you’ll want to find out more about data deletion/data retention policies.

Although some providers can give you detailed answers, many of these answers can include a lot of technical jargon that can leave you totally confused. If you want someone you can trust to:

  • simplify those answers;
  • help you pick the right cloud service provider, and
  • even make sure cloud security is really upheld once your cloud engagement is ?under way

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Check our similar posts

Is Change Management a Myth or a Possibility

The theory that it is possible to manage organisational change (Change Management) in a particular direction has done the rounds for quite some time, but is it true about Change Management. Was Barrack Obama correct when he said, ?Change will not come if we wait for some other person or some other time. We are the ones we have been waiting for. We are the change that we seek.?
Or, was business coach Kelly A Morgan more on the button when she commented, ?Changes are inevitable and not always controllable. What can be controlled is how you manage, react to, and work through the change process.? Let us consult the evidence and see what statisticians say.

What the Melcrum Report Tells Us

Melcrum are ?internal communication specialists who work alongside leaders and teams around the globe to build skills and best practice in internal communication.? They published a report after researching over 1,000 companies that attempted change management and advised:

? More than 50% report improved customer satisfaction

? 33% report higher productivity

? 28% report improvements in employee advocacy

? 27% improved status as a great place to work

? 27% report increased profitability

? 25% report improved absenteeism

Sounds great until we flip the mirror around and consider what the majority apparently said:

? 50% had no improvement in customer service

? 67% did not report increased productivity

? 72% did not note improvements in employee advocacy

? 73% had no improved status among job seekers

? 73% did not report increased profitability

? 75% did not report any reduction of employee absenteeism

This shows it is still a great idea to hear what all parties have to say before reaching a conclusion. You may be interested to know the Melcrum report gave rise to the legend that 70% of organisation change initiatives fail. This finding has repeated numerous times. Let’s hear what the psychologists have to say next.

There is a certain amount of truth in the old adage that says, ?You can lead a horse to water but you cannot make him drink.? Which of us has not said, ?Another flavour of the week ? better keep heads down until it passes? during a spell in the corporate world. You cannot change an organisation, but you can change an individual.

At the height of the Nazi occupation of 1942, French philosopher-writer Antoine de Saint-Exup?ry said, ?A rock pile ceases to be a rock pile the moment a single man contemplates it, bearing within him the image of a cathedral?. Psychology Today suggests five false assumptions change management rests upon, THAT ARE SIMPLY NOT TRUE.

1. The external world is orderly, stable, predictable and can be managed

2. Change managers are objective, and do not import their personal bias

3. The world is static and orderly and can be changed in linear steps

4. There is a neutral starting point where we can gather all participants

5. Change is worthy in itself, because all change is an improvement

Leo Tolstoy wrote, ?Everyone thinks of changing the world, but no one thinks of changing himself.? A prophet can work no miracles unless the people believe. From the foregoing, it is evident that change management of an organisation is a 70% impossibility, but encouraging an individual to grow is another matter.

A McKinsey Report titled Change Leader, Change Thyself fingers unbelieving managers as the most effective stumbling stones to change management. To change as individuals ? and perhaps collectively change as organisations ? we need to ?come to our own full richness?, and as shepherds lead our flock to their ?promised land?, whatever that may be. Conversely, herding our flock with a pack of sheepdogs extinguishes that most precious thing of all, human inspiration.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
Renewable energy – Is it a common man’s cup of tea?
I came across an article on a young graduate in renewable energy engineering. The fellow was doing technical sales and marketing jobs for renewable energy products though he felt that as a graduate, he ought to be doing more than just sales. His, sentiments, I can relate with but again thinking about the field of renewable energy, how many people understand what it is, its importance/ benefits, how to acquire it, its installation, costs etc.? Renewable energy is energy generated from natural resources. The renewable energy sources include sunlight, wind, rain, tides, geothermal heat and various forms of biomass. These sources are renewable naturally and continuously replenished, therefore this energy cannot be exhausted. Renewable energy technologies range from solar power, wind power, hydroelectricity/micro hydro, biomass and bio-fuels for transportation. Back to the aspiring young professional who felt that his place in the renewable energy sector lies in doing strategies and coming up with new products-the advice fronted to him was that doing technical sales is the best job for engineers, as it helps them impact on users of their products. Sales entail interacting with customers and knowing their needs so that the product features can be enhanced to suit the customer?s needs. Now, that is brilliant and accurate advice. It is however important to take into consideration that renewable energy is not a common man?s cup of tea and right now the focus all over the world is to build green economies. To me the need for more and more people to understand the benefits, savings and cost of renewable energy cannot be overemphasised. Effort should be made to keep marketing of renewable energy products/ services simple and conversational by avoiding use of acronyms or jargon explaining about operational details. More impact can be made if a marketing rather than technical sales approach is used. Technical sales have been described as boring (can be used as a sleeping aid), tends to use extensive vocabulary, jargon and acronyms that product users cannot relate with and tends to discuss the products technical aspects as opposed to the benefits to the customer. Fun should be created out of all this by making things simple and demonstrating cost savings and benefits of renewable energy.
The Rights of Individuals Under The General Data Protection Regulation

The General Data Protection Regulation or GDPR is a European Union law reinforcing the rights of citizens concerning the confidentiality of their information, and confirming that they own it. We thought it would be interesting to examine the GDPR effective 25 May 2018 from an Irish citizen?s perspective. This article is a summary of information on the Data Protection Commissioner?s website, but as viewed through a businessperson?s lens.

How the Office Defines Data Protection

The Office believes that organisations receiving personal details have a duty to keep them private and safe. This applies inter alia to information that individuals supply to government, financial institutions, insurance companies, medical providers, telecoms services, and lenders. It also applies to information provided when they open accounts.

This information may be on paper, on computers, or in video, voice, or photographic records. The true owners of this information, the individuals have a right:

  • To make sure that it is factually correct
  • To the assurance that it is shared responsibly
  • That all with access only use it for stated purposes

Any organisation requesting personal information must state who they are, what the information is for, why they need to have it, and to whom else they may provide it.

Consumer Rights to Access Their Personal Information

Private persons have a right under the GDPR to a copy of all their information held or processed by a business. The regulation refers to such businesses as ?data controllers? as opposed to owners, which is interesting. They have to provide both paper and digital data, and ‘related information?.

Data controller fees for this are discretionary within limits. The request may be denied under certain circumstances. The data controller may release information about children to parents and guardians, only if it considers a minor too young to understand its significance. Other third parties such as attorneys must prove they have consent.

Consumer Rights to Port Their Data to Different Services

Since the personal information belongs to the individual, they have a right not only to access it, but also to copy or move it from one digital environment to another. The GDPR requires this be ?in a safe way, without hindrance to usability?. An application could be a banking client that wants to upload their transaction history to a third party price comparison website.

However, the right to data portability only applies to data originally provided by the consumer. Moreover, an automated method must be available for porting. Data controllers must release the information in an open format, and may not charge for the porting service.

Consumer Rights to Complain About Personal Data Abuse

Individuals have a right under the General Data Protection Regulation to have their information rectified if they discover errors. This right extends to an assurance that third parties know about the changes – and who these third party entities are. Data controllers must respond within one month. If they decline the request, they must inform the complainant of their right to further remedial action.

If a data controller refuses to release personal information to the owner, or to correct errors, then the Data Protection Office has legal power to enforce the consumer?s rights. The complainant must make full disclosure of the history of their complaint, and the steps they have taken themselves to attempt to set things right.

Further Advice on Getting Things Ready for 25 May 2018

The General Data Protection Regulation has the full force of law from 25 May 2018 onward, and supersedes all applicable Irish laws, regulations, and policies from that date. We recommend incorporating rights of data owners who are also your customers into your immediate plans. We doubt that forgetting to do so will cut much sway with the Data Commissioner. Remember, you have one month to respond to consumer requests, and only one more month to close things out subject to the matter being complex.

Ready to work with Denizon?

Contact Us Today