9 Cloud Security Questions you need to ask Service Providers

Companies in Ireland and the UK who are considering cloud adoption might already have a general idea of the security risks inherent in cloud computing. However, since different providers may not offer the same levels of risk mitigation, it is important to know which providers can give sufficient assurance on cloud security.

Here are 10 cloud security questions to ask service providers vying for your attention.

1. Where will my data be located?

There are a variety of reasons why you will want to ask this question. One big reason is that there are certain countries that don’t have strict legislation (or any legislation at all) pertaining to cloud computing. In that case, the provider won’t be as motivated to apply high levels of risk mitigation.

So if your data is hosted off shore, then you might want to reconsider or at least conduct a deeper study regarding the security conditions there.

2. Do you have provisions for regulatory compliance?

Certain standards and regulations (e.g. PCI DSS and possibly the EU Data Protection Directive) have specific guidelines pertaining to data stored in the cloud. If your organisation is covered by any of these legislation, then you need to know whether your provider can help you meet requirements for compliance.

3. Who will have access to my data?

In a cloud environment, where your data is going to be managed by people who aren’t under your direct supervision, you’ll have to worry as much about internal threats as you would with external threats.

Therefore, you need to know how many individuals will have access to your data. You also need to know relevant information such as how admins and technicians with data access rights are screened prior to getting hired. You also need to determine what access controls are being implemented.

4. How is data segregated?

Since there will be other clients, you will want to know how your data is going to be segregated from theirs. Is there any possibility of an accidental or intentional data breach due to poor data segregation? Find out if your data is going to be encrypted and how strong the encryption algorithm is.

5. How will you support investigative activities?

Sometimes, even if strong cloud security measures are in place, a data breach can still happen. If it does happen, the provider should have ways to track each user/administrator’s activity that can sufficiently support a detailed data forensics investigation.

Find out whether logs are being kept and how detailed they are.

6. Are we protected by a Disaster Recovery/Business Continuity plan? How?

Don’t be fooled by sales talk of 100% up-time. Even the most robust cloud infrastructures can suffer outages too. But the important thing is that, when they do fail, they should be able to get up and running in the soonest time possible.

Don’t just ask about their guaranteed RPOs and RTOs. Find out whether your data and applications will be replicated across multiple sites. Unless the provider says they will be, you need to find a provider with a better infrastructure.

7. Can I get copies of my VMs?

In a cloud infrastructure, your servers are actually in the form of files known as virtual machines (VMs). Because VMs are just files, they should be easily copied. There may be issues though, like the VMs might be stored in a not-so-popular proprietary format. Another possible issue is that the provider may simply not allow copying.

Having copies of your VMs can be useful should you later on decide to transfer to another provider or even duplicate your cloud infrastructure on your own.

8. What will happen to my data when I scale down?

One outstanding benefit of cloud computing is that when your business demands drop, you can easily scale down computing resources and reduce your cloud spending. ?But what will happen to your data when you decommission virtual servers? Will they be discarded?

You might want your data to be retained up to a certain period. On the other hand, you might also want them to be deleted immediately. Ask about the provider’s data deletion/data retention policies and see if they are in line with yours.

9. What will happen to my data if I decide to close my account?

There might come a time when you’ll want to terminate your contract with your cloud provider. Just like in issue #8, you’ll want to find out more about data deletion/data retention policies.

Although some providers can give you detailed answers, many of these answers can include a lot of technical jargon that can leave you totally confused. If you want someone you can trust to:

  • simplify those answers;
  • help you pick the right cloud service provider, and
  • even make sure cloud security is really upheld once your cloud engagement is ?under way

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Check our similar posts

Outsourcing

Are you ready to outsource? Do you even need to outsource? We’ll help you answer those and other questions regarding outsourcing and your company.

Once we’ve determined that outsourcing will render your organisation more focused on your core competencies, more cost-effective, and more flexible, we’ll offer you the full spectrum of our services. Our specialists can assist you in every stage of the entire outsourcing life-cycle.

Starting from evaluating what can be outsourced, through finding the right outsourcing service provider, building the contract and agreements, getting everything in place, and managing the outsourcing relationship – we’ll be with you every step of the way.

Learn more about some of the outsourcing services we offer:

Outsourcing Contracts and Agreements

When an outsourcing project fails, both customer and service provider are quick to put the blame on the other party. But in most cases, the actual culprit was really just sitting there since day one – a poorly planned and implemented agreement.

We understand how costly and disruptive a failed outsourcing project can be for your business. That is why we put utmost attention to each contract and SLA (Service Level Agreement) that our customers enter into. This always reduces the likelihood of having unmet expectations, one of the major reasons why some outsourcing relationships fail.

We make sure that each agreement is fair, not only for our customers but also for the service providers themselves. Why? Because a disadvantaged provider will most likely end up delivering poor service as an offshoot of efforts to improve its profitability and ROI.

To accomplish this, we’ll thoroughly assess the infrastructure, resources, and expertise of your potential service provider to ensure they have the capability to meet your expectations. We’ll also make sure that their expectations are realistic and clear to you as well.

Here’s what you can expect from us when we start managing your outsourcing contracts and agreements:

  • A thorough assessment of your specific needs and the service provider’s profile to determine whether you have the right match before proceeding with any agreement.
  • Professional assistance when the time comes for you to discuss the scope of work, expected service levels, and when negotiating for appropriate pricing. We’ll also help you set up provisions for possible changes in the scope later on.
  • Expert counsel during drafting and finalisation of the contract and Service Level Agreements. Whenever applicable, we’ll help you propose penalties whenever service levels are not met and rewards when they are exceeded.
  • Regular reviews to determine whether everything agreed upon in the past, like pricing and service levels, are still realistic or competitive enough in view of current technological advancements and the prevailing social and economic environment.
  • Mediation expertise whenever the outsourcing project appears to be falling apart. We’ll work with you and the service provider to resolve conflicts and avoid the expensive exercise of having to terminate the contract. But if the best solution is to part ways, we’ll make sure you make an exit with the least disruption, missed opportunities and financial loss.

Application Outsourcing

I’m sure you’ve come to realise that to gain competitive advantage these days, you really need to invest in IT applications.

There are applications for enhancing your customer relationships, speeding up production, streamlining processes, advancing collaboration, protecting your systems from malware and many more. Selecting the right application, testing it, implementing it into your system, and then managing it can deviate resources which would have otherwise been used in other areas to build business value, increase profits, and enhance innovation.

Wouldn’t it be nice to unload yourself of the management processes which usually accompany IT applications? Actually, you can – through application outsourcing. Application outsourcing providers possess the expertise to either partially or fully assume responsibility of your IT applications.

Our job is to see to it that you link up with the provider who can best answer your needs. The overall proficiency of these providers spans both proprietary and opensource solutions, allowing them to cater to a wide range of preferences and budgetary limits. At the very least, they can provide professional support for well established applications.

If needed, they can develop applications for your organisation, taking charge of every step in the system development life-cycle: starting from system initiation, requirements analysis, through design, construction, acceptance and eventually to implementation.

Here are some of the benefits you can enjoy once we start managing your application outsourcing initiatives:

  • Freedom from time-consuming tasks such as installations, upgrades, configurations and repairs.
  • Reduced total cost of ownership (TCO).
  • 24/7 support from well-trained personnel. This can substantially cut downtimes caused by inexperienced troubleshooting.
  • The option to have your applications housed in more secure and reliable environments with much higher availability and much lower planned/unplanned downtimes.
  • Dedicated specialists who can focus on providing better regulatory compliance and risk mitigation initiatives.

Infrastructure Outsourcing

Keeping up with the competition nowadays usually requires technological advancements as well as the capability to manage and maintain the infrastructure that has to support them. These undertakings can suck your resources dry.

If you’re looking to reduce costs even while improving the performance of your networks, servers, databases, firewalls, desktops and mobile devices, you might want to consider IT infrastructure outsourcing among your top options. Infrastructure outsourcing service providers have the resources dedicated to a stable, secure, scalable and always available IT infrastructure.

Typical service provider facilities include data centrers equipped with high-speed networks, reliable power, dependable security, as well as provisions for upgrades, consolidation, disaster recovery, or even business continuity.

These providers employ specialists and staff who can manage and maintain all of these for you. While your provider juggles your core IT-related tasks, you can keep your eye on the ball and refocus on your company’s business goals.

Here are some of the benefits you can enjoy out of infrastructure outsourcing:

  • Freedom from time-consuming tasks such as installations, upgrades, configurations and repairs.
  • Since service providers, who are expected to have better horizontal and vertical scalability, will deal with the technological intricacies, your company’s strategic development initiatives can proceed unhampered.
  • Greatly reduced electricity expenses as a result of consolidation.
  • Easier, faster, cheaper, and more reliable disaster-recovery solutions through virtualisation.
  • Lesser risks of disruptions caused by power outages, cyber attacks, or Internet connection downtimes.

Business Process Outsourcing

With the sheer number of business processes your company has to attend to, it wouldn’t be surprising if you rarely have room to innovate.

Through business process outsourcing, we can free a considerable part of your financial and manpower resources which are currently focused on routine activities. With more resources to drive innovative initiatives, you’ll be able to accelerate production, improve customer service, enhance overall business value, and arrive at a stronger bottom line.

Some of the business processes that may be outsourced include data entry, finance and accounting, form processing, procurement, and HR, among others. If you’re interested in finding answers to the what, how, who, and where of BPO, specific to your organisation, we’ll be happy to enlighten you.

Here are some of the benefits you can enjoy once we start managing your BPO initiatives:

  • Professional guidance to ensure that your BPO undertakings will really result in substantial savings and significant improvements to your organisation’s business value.
  • Careful monitoring of service levels to ensure faster turnaround, accurate data, and high quality outputs.
  • Expert evaluation of information handling processes to guarantee full confidentiality.
  • Professional and unbiased management dedicated to establishing a strong, reliable, and fruitful relationship between you and your provider.
Network Security

The easiest way for an external threat to get to your private data is through your network. The easiest way to eliminate that threat? Get your data out of the network. Of course, we know you wouldn’t want to do that. We also know that while you may want to sniff every packet for anything suspicious, you wouldn’t want your network to crawl either.

That’s why we’re offering to put up the most efficient checkpoints on every route that leads into and out of your system.

So what can you expect from our brand of network security?

  • Review of your policies and processes for weaknesses – If we see a loophole, we’ll recommend modifications wherever necessary.
  • Protection for your applications and infrastructure – Since we’re familiar with both software and hardware-based protection systems, we can recommend which type is best suited for your setup.
  • Automated identification of business and mission critical applications – They’ll be given priority in your network to ensure bandwidth allocation is optimised.
  • Automated network audits and vulnerability management – Tired of getting prompted by pesky vulnerability notices and don’t know what to do with them? Well, that’s why we’re here.
  • Customisable security reports that contain only relevant and accurate data.

We can also help you with the following:

Can you do away with the Project Initiation Meeting?

Project initiation meetings are often skipped to fast-track projects. Once a sponsor is found, organisations go straight to project planning and execution. But based on our own experience, holding a project initiation meeting can actually eliminate many issues that may crop up in the future and hence may speed things up instead in the long run.

It is in the project initiation meeting where your project objectives and scope are clarified and all stakeholders are brought to the same page. Project sponsors and stakeholders will have to know in a nutshell what is needed from them, what the possible risks are, what different resources are required, and so on. So that, when it’s time to proceed to the next phase, everyone is already in-sync.

So what are taken up in such a meeting? Perhaps an actual example can help. Sometime in the past, we set out to work on an eCommerce website project. After conducting the project initiation meeting, these were some of the things we were able to accomplish:

  • Identified deliverables e.g. site design, interface to payment system, etc.
  • Come up with the project phases
  • Agreed what should be in and out of scope
  • Defined the acceptance test criteria
  • Identified possible risks
  • Identified the possible training and documentation work needed
  • Established whether any analysis was required, e.g. as with regards to payment interfaces
  • Formulated disaster recovery plans
  • Defined roles and responsibilities
  • Drafted timelines and due dates

Aren’t these covered in project planning? If the project is a big one, the answer is no. In a large project, project planning is a much more exhaustive activity. In a project initiation meeting, only the basic framework is defined.

Some questions may still remain unanswered after a project initiation meeting, but at least you already know what answers you need to look for. In the example we gave earlier, we left the meeting knowing that we needed:

  • a list of all necessary hardware to estimate the costs
  • to identify possible dependencies we might have with third parties
  • to identify what software had to be bought and what skills we needed to hire

When it was time to proceed to project planning, everyone involved already knew what direction we were taking. In effect, by not skipping the project initiation meeting, we were able to avoid many potential obstacles.

Ready to work with Denizon?

Contact Us Today