9 Cloud Security Questions you need to ask Service Providers

Companies in Ireland and the UK who are considering cloud adoption might already have a general idea of the security risks inherent in cloud computing. However, since different providers may not offer the same levels of risk mitigation, it is important to know which providers can give sufficient assurance on cloud security.

Here are 10 cloud security questions to ask service providers vying for your attention.

1. Where will my data be located?

There are a variety of reasons why you will want to ask this question. One big reason is that there are certain countries that don’t have strict legislation (or any legislation at all) pertaining to cloud computing. In that case, the provider won’t be as motivated to apply high levels of risk mitigation.

So if your data is hosted off shore, then you might want to reconsider or at least conduct a deeper study regarding the security conditions there.

2. Do you have provisions for regulatory compliance?

Certain standards and regulations (e.g. PCI DSS and possibly the EU Data Protection Directive) have specific guidelines pertaining to data stored in the cloud. If your organisation is covered by any of these legislation, then you need to know whether your provider can help you meet requirements for compliance.

3. Who will have access to my data?

In a cloud environment, where your data is going to be managed by people who aren’t under your direct supervision, you’ll have to worry as much about internal threats as you would with external threats.

Therefore, you need to know how many individuals will have access to your data. You also need to know relevant information such as how admins and technicians with data access rights are screened prior to getting hired. You also need to determine what access controls are being implemented.

4. How is data segregated?

Since there will be other clients, you will want to know how your data is going to be segregated from theirs. Is there any possibility of an accidental or intentional data breach due to poor data segregation? Find out if your data is going to be encrypted and how strong the encryption algorithm is.

5. How will you support investigative activities?

Sometimes, even if strong cloud security measures are in place, a data breach can still happen. If it does happen, the provider should have ways to track each user/administrator’s activity that can sufficiently support a detailed data forensics investigation.

Find out whether logs are being kept and how detailed they are.

6. Are we protected by a Disaster Recovery/Business Continuity plan? How?

Don’t be fooled by sales talk of 100% up-time. Even the most robust cloud infrastructures can suffer outages too. But the important thing is that, when they do fail, they should be able to get up and running in the soonest time possible.

Don’t just ask about their guaranteed RPOs and RTOs. Find out whether your data and applications will be replicated across multiple sites. Unless the provider says they will be, you need to find a provider with a better infrastructure.

7. Can I get copies of my VMs?

In a cloud infrastructure, your servers are actually in the form of files known as virtual machines (VMs). Because VMs are just files, they should be easily copied. There may be issues though, like the VMs might be stored in a not-so-popular proprietary format. Another possible issue is that the provider may simply not allow copying.

Having copies of your VMs can be useful should you later on decide to transfer to another provider or even duplicate your cloud infrastructure on your own.

8. What will happen to my data when I scale down?

One outstanding benefit of cloud computing is that when your business demands drop, you can easily scale down computing resources and reduce your cloud spending. ?But what will happen to your data when you decommission virtual servers? Will they be discarded?

You might want your data to be retained up to a certain period. On the other hand, you might also want them to be deleted immediately. Ask about the provider’s data deletion/data retention policies and see if they are in line with yours.

9. What will happen to my data if I decide to close my account?

There might come a time when you’ll want to terminate your contract with your cloud provider. Just like in issue #8, you’ll want to find out more about data deletion/data retention policies.

Although some providers can give you detailed answers, many of these answers can include a lot of technical jargon that can leave you totally confused. If you want someone you can trust to:

  • simplify those answers;
  • help you pick the right cloud service provider, and
  • even make sure cloud security is really upheld once your cloud engagement is ?under way

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Check our similar posts

How Ventura Bus Lines cleaned up its Act

Melbourne?s Ventura Bus Lines grew from a single bus in 1924 to a mega 308-vehicle fleet by the start of 2014. The family-owned provider has always been community centric; when climate-change became an issue it took quick and urgent action. As a result it now stands head and shoulders above many others. Let’s take a closer look at some of its decisions that made the difference.

The Important Things to Focus On

Ethanol Buses ? Ventura is the only Australian company that uses ethanol power produced from sugar cane for experimental public transport. It compares emissions within its fleet, and knows that these produce significantly less CO2 while also creating jobs for locals.

Electric Buses ? The company has been operating electric buses since 2009. These carry 42 seated among a total 68 passengers. The ride is smooth thanks to twin battery banks kept charged by braking and forward momentum. When required, a two-litre VW engine kicks in automatically.

Ongoing Driver Training ? Ventura provides regular retraining sessions emphasising safe, environmentally-friending operations. Drivers are able to see their fuel consumption and carbon emissions online and experiment with ways to improve these.

Bus U-Turns ? The capacity to measure throughput convinced the company to abandon the principle that buses don’t do U-Turns for safety?s sake. Road re-engineering made this possible in a busy downtown street. This reduced emissions equivalent to 4,000 cars and reduced vehicle downtime for servicing.

Increased Business – These initiatives allowed Ventura Bus Lines to improve its service as customers experience it. This led to an uptake in patronage and a corresponding downturn in the number of passenger car hours. The pleasure of travelling green no doubt contributed to this.

How Measuring Made the Difference

Ventura Bus Lines is big business. Its 308 buses operate out of 5 depots, cover 31% of the metropole, and transport close to 70,000 passengers on average daily which is no minor task. The ability to track, measure and analyse carbon emissions throughout the area has earned it compliance with National Greenhouse Energy Reporting Threshold 1 legislation.

It also uses the data to re-engineer bus routes to further reduce fuel consumption, energy consumption and operating costs. It’s amazing how measuring is affecting its bottom line, and the health of the Melbourne community at large.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
A Business Case for Sharing

We blogged about sharing services in a decentralised business context recently, and explained why we think why these should be IT-Based for speedy delivery. This is not to say that all shared services projects worldwide have been resounding successes. This is often down to the lack of a solid business case up front. We decided to lay out the logic behind this process.

Management Overview ? The overview includes a clear definition of why the current situation is unacceptable, the anticipated benefits of sharing, and an implementation plan were it to go ahead. The project should not proceed until the stakeholders have considered and agreed on this.

Alternatives Considered ? The next stage is to get closer to the other options in order to determine whether an alternative might perhaps be preferable. Substitutes for shared services are often doing nothing, improving the current method, and outsourcing the service to a third party.

The Bottom Line in Business ? Sharing services comes at an initial cost of infrastructure changes, and the impact on human capital (the latter deserves its own blog). The following need careful consideration from the financial angle:

Numbers to Work Through

  • Manpower to design and roll the project out in parallel with the existing organisation.
  • Capital for creating facilities at the central point including civil works, furniture and equipment and IT infrastructure.
  • The costs of travel, feeding and accommodation. These can be significant depending on the time that implementation takes.
  • The opportunity loss of diverting key staff – and the cost of temporary replacements – if appointing line staff to the project team.
  • Crystal-clear project metrics including (a) the direct, realisable savings (b) the medium and long-term effects on profit and (c) where to deploy the savings

Risk Management

Shared services projects don’t go equally smoothly, although planning should reduce the risk to manageable levels. Nonetheless it is important to imagine potential snags, decide how to mitigate them and what the cost might be.

We believe in implementing shared services on a pilot basis in the business unit that eventually provides them. We recommend building these out to other branches only when new processes are working smoothly.

Moving On From a Decision

We recommend you revisit your management overview, the logic behind it, the assumptions you made, and the costs and benefits you envisage before deciding to go ahead

The final step in proving a business case is doable should be fleshing out your roadmap into a detailed operations plan with dependencies on a spreadsheet.

2015 ESOS Guidelines Chapter 2 – Deadlines and Status Changes

The ESOS process is deadline driven and meeting key dates is a non-negotiable. The penalties for not complying / providing false or misleading information are ?50,000 each. Simply not maintaining adequate records could cost you ?5,000. The carrot on the end of the stick is the financial benefits you stand to gain.

Qualifying for inclusion under the ESOS umbrella depends on the status of your company in terms of employee numbers, turnover and balance sheet on 31 December 2014. Regardless of whether you meet the 2014 threshold or not, you must reconsider your situation on 31 December 2018, 2022 and 2026.

Compliance Period Qualification Date Compliance Period Compliance Date
1 31 December 2014 From 17 July 2014* to 5 December 2015 5 December 2015
2 31 December 2018 From 6 December 2015 to 5 December 2019 5 December 2019
3 31 December 2022 From 6 December 2019 to 5 December 2023 5 December 2023
4 31 December 2026 From 6 December 2023 to 5 December 2027 5 December 2027

Notes:

1. The first compliance period begins on the date the regulations became effective

2. Energy audits from 6 December 2011 onward may go towards the first compliance report

Changes in Organisation Status

If your organisation status changes after a qualification date when you met compliance thresholds, you are still bound to complete your ESOS assessment for that compliance period. This is regardless of any change in size or structure. Your qualification status then remains in force until the next qualification date when you must reconsider it.

Ready to work with Denizon?

Contact Us Today