9 Cloud Security Questions you need to ask Service Providers

Companies in Ireland and the UK who are considering cloud adoption might already have a general idea of the security risks inherent in cloud computing. However, since different providers may not offer the same levels of risk mitigation, it is important to know which providers can give sufficient assurance on cloud security.

Here are 10 cloud security questions to ask service providers vying for your attention.

1. Where will my data be located?

There are a variety of reasons why you will want to ask this question. One big reason is that there are certain countries that don’t have strict legislation (or any legislation at all) pertaining to cloud computing. In that case, the provider won’t be as motivated to apply high levels of risk mitigation.

So if your data is hosted off shore, then you might want to reconsider or at least conduct a deeper study regarding the security conditions there.

2. Do you have provisions for regulatory compliance?

Certain standards and regulations (e.g. PCI DSS and possibly the EU Data Protection Directive) have specific guidelines pertaining to data stored in the cloud. If your organisation is covered by any of these legislation, then you need to know whether your provider can help you meet requirements for compliance.

3. Who will have access to my data?

In a cloud environment, where your data is going to be managed by people who aren’t under your direct supervision, you’ll have to worry as much about internal threats as you would with external threats.

Therefore, you need to know how many individuals will have access to your data. You also need to know relevant information such as how admins and technicians with data access rights are screened prior to getting hired. You also need to determine what access controls are being implemented.

4. How is data segregated?

Since there will be other clients, you will want to know how your data is going to be segregated from theirs. Is there any possibility of an accidental or intentional data breach due to poor data segregation? Find out if your data is going to be encrypted and how strong the encryption algorithm is.

5. How will you support investigative activities?

Sometimes, even if strong cloud security measures are in place, a data breach can still happen. If it does happen, the provider should have ways to track each user/administrator’s activity that can sufficiently support a detailed data forensics investigation.

Find out whether logs are being kept and how detailed they are.

6. Are we protected by a Disaster Recovery/Business Continuity plan? How?

Don’t be fooled by sales talk of 100% up-time. Even the most robust cloud infrastructures can suffer outages too. But the important thing is that, when they do fail, they should be able to get up and running in the soonest time possible.

Don’t just ask about their guaranteed RPOs and RTOs. Find out whether your data and applications will be replicated across multiple sites. Unless the provider says they will be, you need to find a provider with a better infrastructure.

7. Can I get copies of my VMs?

In a cloud infrastructure, your servers are actually in the form of files known as virtual machines (VMs). Because VMs are just files, they should be easily copied. There may be issues though, like the VMs might be stored in a not-so-popular proprietary format. Another possible issue is that the provider may simply not allow copying.

Having copies of your VMs can be useful should you later on decide to transfer to another provider or even duplicate your cloud infrastructure on your own.

8. What will happen to my data when I scale down?

One outstanding benefit of cloud computing is that when your business demands drop, you can easily scale down computing resources and reduce your cloud spending. ?But what will happen to your data when you decommission virtual servers? Will they be discarded?

You might want your data to be retained up to a certain period. On the other hand, you might also want them to be deleted immediately. Ask about the provider’s data deletion/data retention policies and see if they are in line with yours.

9. What will happen to my data if I decide to close my account?

There might come a time when you’ll want to terminate your contract with your cloud provider. Just like in issue #8, you’ll want to find out more about data deletion/data retention policies.

Although some providers can give you detailed answers, many of these answers can include a lot of technical jargon that can leave you totally confused. If you want someone you can trust to:

  • simplify those answers;
  • help you pick the right cloud service provider, and
  • even make sure cloud security is really upheld once your cloud engagement is ?under way

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Check our similar posts

How Energy Management Software Benefits Your Business

We’re in an era of price volatility in gas and electricity prices, coupled with greater scrutiny on the environmental impact of businesses in their day-to-day operations. According to the Department of Energy & Climate Change, the average SME can slash its energy bill by 18-25% simply by installing energy efficiency solutions in their facility. 

Are you looking to improve energy use in your business? Prevent wastage, track consumption, identify opportunities to save on energy and reduce your carbon footprint while at it? It can be a daunting process to do it all manually. Taking those meter readings, preparing spreadsheets and combing through quotes and energy bills to validate them – this is not something you should be enduring in this day and age. Not when there are dedicated systems built for the task. That’s where Energy Management Software (EMS) comes in. 

Importance Of Energy Management Software

Wasted energy = Wasted money

Failing to improve energy efficiency is costing SMEs loads of funds, with it coming to between £5,801 and £12,109 of missed annual savings for individual businesses. These are 18% – 24% of their energy costs. Where do you stand?

Take timers and thermostats for instance. When not properly set and controlled, or even simply forgetting to turn them down when not in the room, it can easily lead to unnecessary costs. How often do your staff forget to turn off the air conditioning when they leave the meeting rooms? Do you account for weekends or bank holidays when setting the controls of the AC? Mistakes like turning the temperature high on the thermostat to “quickly warm the room” are common, yet heating costs go up by about 8% with every 1°C rise.

There are installations that you can make to minimize wastage. For example, the Chinese Contemporary Arts Centre in Manchester is able to save £4,363 annually just by having a £100 timer installed to its heating system. 

Some energy saving measures won’t even cost you a penny. For instance, did you know that you can save up to 30% of your heating costs simply by preventing cold air from entering the building? This means not keeping the doors just open for convenience. So how can you find points of weakness and areas of improvements in your facility? Install an EMS. 

While businesses vary from one industry to the next, energy management basically boils down to:

  • Metering systems where the consumption is recorded
  • Determining how much energy can be saved by identifying opportunities for this
  • Implementing policies and changing existing systems to take advantage of these opportunities
  • Tracking progress after the improvements have been made

 

Benefits Of EMS For Your Business

Data Acquisition – Where accuracy and reliability matters

Energy data comes from different angles and formats. From the building automation systems and IoT devices that have been set up, bills sent in by the utility company to the spreadsheets needed to analyse them – what if you had it all from one point of reference? The EMS gives you a “bird’s eye view” of all your energy data from one interface. It collects the data from any system – and being cloud-based, is accessible from anywhere in the world. 

The ecoVaro data loggers can be connected with the Wi-Fi network of the facility or function independently, depending on your specific requirements. They monitor readings 24/7, retaining the data even when they have been powered off. The end-to-end encryption assures you of the security of the information that is being obtained. 

Integrating the EMS into the existing systems will simplify the data collection process, and even for the cases where there isn’t a direct method transferring the data into the system, the setup wizards that come with the EMS allow you to prepare the required data and import it. 

Data Analysis: From consumption, energy leaks to areas of improvement

The first step is accurately collecting the data. The next step is making sense of it. The analysis modules with the EMS allow you to monitor the energy consumption of the facility in real-time. 

The energy data is displayed in engaging graphics that are easy to understand at a glance. The dashboard setup, with its customised layout, enables you to monitor the performance of the specific information you want, toggling through usage and savings data, to the meters and sites that are being tracked. With the ecoVaro Energy Management Software, you get Consumption Charts, Regression Charts, Cusum Charts and Heatmaps right to the submeter level. This information can be broken down into 15-minute durations, with the daily, weekly and monthly consumption reports. 

Getting everyone on board

Making changes to company-wide energy policies needs to have the different parties on board – from the energy manager in charge of crunching the numbers and presenting the information, the CFO of the business, the staff running day-to-day operations, all through to plant operators for those in industries. An easy mode of communication is needed, that will be understood and availed in reports that can be shared with the relevant parties in the organization. The graphical displays that come with the EMS enable actionable information to be displayed in a simplified manner – that way all members of the business or organization will be able to comprehend it. 

Meet your Energy Goals

The baseline that is created in the EMS is used as a standard when assessing the impact of future changes to the energy consumption. Using the information that has been obtained, the management can set up energy saving policies and implement changes, and track KPIs (key performance indicators) along the way. For instance, the market research company DJS Research installed a timer switch that turns off their two water coolers when they aren’t in use. This action saves them £144 annually, and had already paid for itself within 35 days.   

You will be in a position to assess the actions that provide your business with the best ROI over time, monitoring the progress and verifying the savings from one central dashboard. Cutting costs here will enable you to divert the funds to other areas of your business, including promotions, marketing, and product development.

For businesses in the energy sector- including electric, oil and gas plants, they specifically need carbon emission reports, to pinpoint areas where the building’s energy efficiency can be improved. ecoVaro EMS allows you to set alarms and KPIs in the facility for issues to be identified and resolved immediately they crop up. 

Turn to ecoVaro

EMS systems are used across the board – from optimising energy use in hotel rooms and hospitals, mapping out usage patterns for those in the agriculture and supply chain niches, running facilities for utility providers, all through to increasing the efficiency of equipment operation for business in the food and beverage sector. Want to learn how you can cut down your energy bills and make your business more eco-friendly? EcoVaro’s team is ready to get you started.

Can you do away with the Project Initiation Meeting?

Project initiation meetings are often skipped to fast-track projects. Once a sponsor is found, organisations go straight to project planning and execution. But based on our own experience, holding a project initiation meeting can actually eliminate many issues that may crop up in the future and hence may speed things up instead in the long run.

It is in the project initiation meeting where your project objectives and scope are clarified and all stakeholders are brought to the same page. Project sponsors and stakeholders will have to know in a nutshell what is needed from them, what the possible risks are, what different resources are required, and so on. So that, when it’s time to proceed to the next phase, everyone is already in-sync.

So what are taken up in such a meeting? Perhaps an actual example can help. Sometime in the past, we set out to work on an eCommerce website project. After conducting the project initiation meeting, these were some of the things we were able to accomplish:

  • Identified deliverables e.g. site design, interface to payment system, etc.
  • Come up with the project phases
  • Agreed what should be in and out of scope
  • Defined the acceptance test criteria
  • Identified possible risks
  • Identified the possible training and documentation work needed
  • Established whether any analysis was required, e.g. as with regards to payment interfaces
  • Formulated disaster recovery plans
  • Defined roles and responsibilities
  • Drafted timelines and due dates

Aren’t these covered in project planning? If the project is a big one, the answer is no. In a large project, project planning is a much more exhaustive activity. In a project initiation meeting, only the basic framework is defined.

Some questions may still remain unanswered after a project initiation meeting, but at least you already know what answers you need to look for. In the example we gave earlier, we left the meeting knowing that we needed:

  • a list of all necessary hardware to estimate the costs
  • to identify possible dependencies we might have with third parties
  • to identify what software had to be bought and what skills we needed to hire

When it was time to proceed to project planning, everyone involved already knew what direction we were taking. In effect, by not skipping the project initiation meeting, we were able to avoid many potential obstacles.

What GDPR Means in Practice for Irish Business

The General Data Protection Regulation (GDPR) is a European directive aimed at ring-fencing consumer data against illegal or unnecessary access. There is nothing to discuss or debate with local politicians, or the Irish Data Protection Commissioner for that matter. As a European directive, it has over-riding power. To obtain an English version, please visit this link, and select ?EN? from the table of languages.

As you reach for your tea, coffee or Guinness after sighting it, you will be glad to know the Irish Data Protection Commissioner has the lead in turning this into business English we understand. The following diagram should assist you to obtain a quick overview of the process we all have to go through. In this article, we briefly describe what is inside Boxes 1 to 12. The regulation comes into force on 25 May 2018 so we have less than a year to get ready.

The 12 Essential Steps to Implementing the General Data Protection Act

1. Create awareness among your people of what is coming their way. The GDPR has given our regulator discretion to dish out fines up to ?20,000,000 (or 4% of total annual global turnover, whichever is greater) so there is determination to make this happen.

2. Become accountable by understanding the consumer data you hold. Why are you retaining it, how did you obtain it, and why did you originally collect it. Now you know it is there, how much longer will you still need it? How secure is it in your hands, have you ever shared it?

3. Open a communication channel with your staff, your customers, and anyone else using the data. Share how you feel about how accountable you have been with the information in the past. Explain how you plan to comply with the GDPR in future, and what needs to change.

4. Understand the personal privacy entitlement of the subjects of the information. They have rights to access it, correct mistakes, remove information, restrict its use, decline direct marketing, and copy it to their own files. What needs to change in your systems to assure these rights?

5. Issue a policy for allowing consumers access to their information you hold. You must process requests within a month, and you may not charge for the service unless your cost is excessive. You may decline unfounded or excessive demands within your policy guidelines.

6. Adapt to the requirement that you must have a legal basis for everything you do with, and to consumer data. You need to be in a position to justify your actions to the Irish Data Protection Commissioner in the event of a complaint. Having a legitimate interest is no longer sufficient.

7. Ensure that consumer consent to collect, use, and distribute their data is ?freely given, specific, informed, and unambiguous.? From 25 May 2018 onward, this consent will be your only ground to do so. You cannot force consent. Your benchmark becomes what the GDPR says.

8. Issue rules for managing data of underage subjects. This is currently under review and we are awaiting results. Put systems in place to verify age. Set triggers for where guardians must give consent. Make sure age is verifiable. Use language young people understand.

9. Introduce a culture of openness and honesty, whereby breaches of the GDPR are detected, reported, investigated, and resolved. You will have a duty to file a GDPR report with the Data Protection Commissioner within 72 hours, thus it is important to fast track the process.

10. Introduce a policy of conducting a privacy assessment before taking new initiatives. The GDPR calls for ?privacy by deign?, and we need to engineer it in. This may be the right time to appoint a data controller in your company, and start implementing the GDPR while you have time.

11. You may also need to appoint a data protection officer depending on the size of your business. Alternatively, you need to add managing data protection compliance to an employee?s duties, or appoint an external data-protection compliance consultant.

12. Finally, and you will be glad to know this is the end of the list, the GDPR has an international flavour in that multinational organisations will report into the EU Lead Supervisory Authority. This will manage the process centrally while consulting national data authorities.

The GDPR is a project we all need to complete. If we are out of line, it is in our interests to get things straightened out. Once everything is in place, the task should not be too onerous. Getting there could be the pain.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Ready to work with Denizon?

Contact Us Today