As the number of cloud computing vendors continues to grow, it’s more important than ever to ask questions above and beyond the standard terms and conditions when evaluating service providers.
Putting sensitive data in the cloud shouldn’t be undertaken without careful consideration of the risks or a thorough vetting of the vendor.
Here’s a 21-point checklist to make sure you cover all the bases when choosing a cloud computing service provider, in no particular order:
- What are the policies and procedures in place to protect the physical data center, including the process for vetting employees who have access to clients’ data?
- What technology is used to keep one client’s data separate from others’ on multi-tenant servers?
- What encryption protocols does the vendor use to protect data in transit and at rest?
- What authentication protocols does the vendor use to prevent access by unauthorized users?
- Who owns the data once it’s transferred to the service provider’s infrastructure? When and how does the vendor delete clients’ data after a contract is terminated?
- How do clients get their data back if they decide to terminate the contract and move to another vendor?
- What are the additional costs? Does the vendor charge a fee for data transfers, data backups, early contract termination, etc.?
- Can the company provide references from actual customers whose businesses are similar to yours?
- What’s the service provider’s procedure for notifying customers of a data breach?
- Where are the vendor’s data centers located, inside or outside the U.S.? Note: It’s against the law to store some sensitive data outside the U.S. Familiarize yourself with any government regulations affecting your industry. If your data will be stored outside the U.S., find out what laws regulate foreign countries’ access to it.
- Does the vendor properly handle data to comply with government regulations concerning privacy and security that your company must follow?
- What are the vendor’s own audit procedures? Is it possible for you to audit them?
- For SaaS providers, how secure is the application itself? Can the vendor provide documentation (for example, results of security testing or an independent assessment)?
- How does the vendor ensure the security of any third-party apps or services it uses to deliver its own service?
- What are the company’s backup procedures? How many copies do they make and in what geographical location are they stored? Do they perform incremental backups?
- How fast can customers access backup data?
- Can you make a backup copy of your data and if so, how?
- What technology does the vendor use to back up claims of “high availability” cloud computing?
- Who is responsible for data recovery in the event of a loss? The vendor or the customer?
- And finally, read the Service Level Agreement (SLA) line by line. What does the company guarantee in terms of uptime and incident response times, and what remedies does it offer when those guarantees are not met?
Verifying this basic information will help you make a more informed decision as to which vendor is right for your business. With regard to security policies and procedures, in June 2012 the United States Office of Management and Budget released a set of guidelines for government agencies to follow when adopting cloud computing. Businesses may also find them helpful.