Last year, when I was meeting potential customers for our cloud service, most of the questions I had to deal with were about cloud security: there was a clear concern about whether moving to the cloud was a safe option at all.
Since then there has been a shift. Whether the cloud can be secure is no longer the question; the main questions now centre on the data itself and what happens to it once it is in the cloud.
Data security and compliance questions take up the bulk of the conversation, which shows a maturing thought process around cloud.
Why is this important? For me, cloud is all about the data and how it is accessed. In most cases this comes down to the application sets that clients deploy and whether they sit in the infrastructure, platform or software-as-a-service layer. How data is handled should be the critical aspect of any decision as organisations start along the road to adopting cloud-based services.
So, what happens to your data? Better still, what should happen to your data, and how should it be viewed?
Once the decision to transition to the cloud has been taken, organisations should adopt a "data comes first" approach to all of their thinking, including their selection criteria, which should cover everything from the choice of service or product to the provider's attention to the importance of data.
This should include the following areas:
- How data is transitioned into the cloud
- Who has access to it during the life of the service
- How data is protected and handled
- Client privacy
- Data protection
- 256-bit data encryption
- Data residency
- Data movement
- Data governance
- Data retention
- Data ownership and accountability
- How true deletion of data is handled
- Financial and structural stability of the service provider
- Escrow-like data access
As you can see, there is a multitude of areas that need to be reviewed and considered. I will take them individually to give a little more detail and guidance.
How data is transitioned to the cloud is not so much a technology question as a risk management and mitigation one. You should be considering how your service provider handles this area: is a risk profiling exercise completed, and a risk mitigation plan constructed, before any migration starts?
What are the ongoing processes and policies around data access within the service provider? What auditing is in place, what access do you, as the client, have to that audit information, and is there a requirement within your own compliance processes to review it?
How is data protection handled? As mentioned, there should be policies and processes around general data protection (ISO 27001 should be a must), and client privacy along with data residency should always be written into any contractual arrangement. Is your data encrypted, and who holds the keys?
At Calligo this is something we have now rolled out as the default, i.e. everything within our cloud platform is encrypted, whether it sits in our infrastructure, platform or software-as-a-service layers. Lastly within this area, what has the service provider put in place to cover data movement? This should include off-boarding at the end of a contract and when an agreement has been breached, and, very importantly, what provision there is in the case of administration or liquidation: in that situation, how do you get your data back?
All organisations, in my view, should take data governance very seriously. It is covered by various laws, but beyond that, data is the single most important intellectual property a company possesses: lose all or part of your data and you will seriously affect your business's long-term future, and in some cases it will have an instant impact on the viability of the organisation. Cloud increases the need for good data governance.
What are the data retention policies, not only for your backups but for the service provider's own copies? Will they still hold copies of your data after you have moved to another provider? Do they have the ability to perform a true deletion of data, one that leaves no trace of it? Does the contract clearly state that you retain ownership of your data as well as accountability for it? Just because your data is in the cloud does not change your responsibilities to your clients: you are still responsible for the data you hold on them.
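The encryption question ("is your data encrypted?") and the true-deletion question above are linked in practice: on shared storage, with backups and replicas the client never sees, the only deletion a client can verify is destruction of the key the data was encrypted under. The following Go program is an added example written for this article; it is not Calligo's platform code. The `Vault`, `Issue`, `Seal`, `Open` and `Shred` names are hypothetical, the "tenant" and "record" strings are constructed sample input, and the key store stands in for a key-management system the client, not the provider, controls. Each tenant gets a 256-bit AES-GCM key; records are sealed with that key and bound to the tenant name; shredding the key leaves every copy of the ciphertext the provider still holds unreadable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ErrNoKey is returned once a tenant's key has been shredded (or never issued):
// any ciphertext the provider still holds for that tenant is unrecoverable.
var ErrNoKey = errors.New("no key for tenant: data is unrecoverable")

// Vault holds one AES-256 data key per tenant. In a real deployment this is
// the client-controlled KMS/HSM; the provider stores only ciphertext.
type Vault struct {
	keys map[string][]byte
}

func NewVault() *Vault { return &Vault{keys: make(map[string][]byte)} }

// Issue generates a fresh 256-bit key for a tenant (the "256-bit encryption"
// item in the checklist above).
func (v *Vault) Issue(tenant string) error {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return err
	}
	v.keys[tenant] = key
	return nil
}

// Shred destroys the tenant's key: zero the bytes and drop the reference.
// This is the "true deletion" step: no key, no plaintext, whatever backups exist.
func (v *Vault) Shred(tenant string) {
	if k, ok := v.keys[tenant]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(v.keys, tenant)
	}
}

func (v *Vault) aead(tenant string) (cipher.AEAD, error) {
	key, ok := v.keys[tenant]
	if !ok {
		return nil, ErrNoKey
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record with AES-256-GCM. Output layout: nonce || ciphertext || tag.
// The tenant name is bound in as associated data so a blob cannot be replayed
// under another tenant's key. A random 96-bit nonce per record is acceptable
// for the record counts a single tenant key is used for here.
func (v *Vault) Seal(tenant string, plaintext []byte) ([]byte, error) {
	gcm, err := v.aead(tenant)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(tenant)), nil
}

// Open decrypts a blob produced by Seal. Any modification of the blob, or a
// shredded key, yields an error rather than plaintext.
func (v *Vault) Open(tenant string, blob []byte) ([]byte, error) {
	gcm, err := v.aead(tenant)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(tenant))
}

func main() {
	v := NewVault()
	_ = v.Issue("tenant-a")
	// Constructed sample record; "providerBackup" models a copy the provider keeps.
	blob, _ := v.Seal("tenant-a", []byte("customer record 1"))
	providerBackup := append([]byte(nil), blob...)
	pt, _ := v.Open("tenant-a", providerBackup)
	fmt.Printf("before shred: %q\n", pt)
	v.Shred("tenant-a")
	_, err := v.Open("tenant-a", providerBackup)
	fmt.Println("after shred:", err)
}
```

The check to make when reviewing a provider is therefore not only "is it encrypted" but "who can call the equivalent of `Shred`, and can the provider decrypt without me": if the provider holds both the ciphertext and the key, deletion is still a promise rather than something you can verify.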
Finally, do the due diligence on the provider from a technology, financial and general stability perspective. As mentioned earlier, ensure you have a fail-safe position with regard to access to your data in the event of a total and sudden collapse of your provider, akin to an escrow function that covers your data.
By Julian Box, Posted 16th May 2013.