The primary concern for anyone considering a cloud computing service is “will my data be safe?”
Despite the universality of this concern, there is nothing new about trusting third parties with important data, nor is there anything intrinsically insecure about cloud computing.
Nevertheless, there are some important questions that any organisation should ask potential cloud suppliers to make sure they know what risk they are exposing themselves to when choosing a particular provider.
Here are five questions that will help you get a better understanding of the security and availability profile of any cloud service you are considering. If there any more questions that you feel should be added to the list, please add them in the comments section below this article.
"Where precisely will my data reside?"
Knowing where in the world your organisation’s data resides is a must for any CIO. So when interrogating a potential cloud supplier, it is essential to determine the location of the data centre in which they propose to host your information.
One source of concern when it comes to US-based cloud service providers is the USA Patriot Act, which grants US intelligence agencies the right to inspect any data related to non-US citizens that is hosted on US soil. That conflicts with the EU’s Data Protection Directive, which prevents organisations from allowing a third party to access their customers’ data without express permission.
According to Darren Ratcliffe, chief architect for Infrastructure as a Service at Fujitsu UK and Ireland, the US Patriot Act applies to all US owned infrastructure, wherever it might be located. “If an American organisation puts a cloud platform in the UK, for example, the Partiot Act still applies because it’s an American organisation,” he says.
Another consideration is how risky an environment the cloud provider’s data centre is in. Any natural disaster or other phenomenon that may interrupt the power supply to their data centre facility may render hosted applications or data unavailable.
"What back-up and recovery measures do you have in place?"
Of course, any cloud provider worth their salt will have back-up and recovery precautions in place to protect their customers’ data in such an eventuality. However, not all business continuity plans are created equal.
Important considerations include the speed of recovery in the event of an outage, and the degree of redundancy built into the provider’s cloud infrastructure.
And again, it is worth asking where your data is replicated to – in other words, where it might end up if the providers’ primary data centre suffers an outage and systems need to be redirected through its other facilities.
Ratcliffe warns, however, the technical components of a disaster recovery are simple enough to put in place – what really matters is the provider’s ability to deploy, manage and execute that plan effectively.
“At the end of the day, anybody can implement a cloud infrastructure with high levels of availability,” he says. “But the confidence comes from the quality of the organisation that has built that infrastructure.”
"How do you vet your customers?"
The security and reliability of any cloud environment is not simply a function of the provider, but is also related to the other organisations that use it.
A team of scientists at Germany’s Fraunhofer Institute for Secure Information Technology recently found that three out of ten virtual machines hosted on one popular cloud service were insecure, simply because they had been improperly configured by the user.
This insecurity could expose other customers using that shared infrastructure in a number of ways. For example, if insecure virtual servers are compromised and exploited by criminals, law enforcement authorities might confiscate the physical machine that supported those virtual servers – and other customers’ data along with it.
Another reason for organisations to find out how a cloud provider vets its customers is to make sure they are not linked by association to anything untoward. “From a CSR perspective, most organisations operate to certain ethical principles that they expect their suppliers to adhere to as well,” explains Fujitsu’s Ratcliffe.
“How will you deliver your agreed service levels?”
A cloud provider will typically guarantee a level of service availability, often measured as a percentage of time (e.g. the service will be available for 99.999% of the time). And while it is of course essential to have that guarantee in place, it is prudent to find out what lies behind the numerical figure.
For example, what classification does the provider’s data centre hold, according to the Uptime Institute’s tiering system (Tier 4 being the highest)? How does the provider guarantee the availability of its own power supply?
It is worth digging a bit deeper into a cloud provider’s service level agreements, as the service credits they typically offers as compensation for missed SLAs rarely compensate for the lost customer satisfaction or missed business opportunities that IT outages might cause.
“CIOs should ask themselves whether they are satisfied with a service credit promise, or do they want to do their due diligence and look under the bonnet,” says Declan Monaghan, Fujitsu UK & Ireland’s business manager for cloud computing.
"What happens if something goes wrong?"
No cloud provider can promise 100% availability, and there is always a risk of an outage, however small. It is therefore important to know what procedures a provider has in place to help its customers recover their data and to get back up and running when such an outage occurs.
Organisations would do well to find out the degree of support they will receive from their cloud provider when something goes wrong, and whose responsibility it would be to make sure systems are returned to an operational state as quickly as possible.
This question may have a technical answer – whose responsibility it is fix an issue will depend on what exactly the issue is – but it is one the CIO must know if they are entrust their data to the cloud.
“If you are trying to run a business critical service in the cloud, these are questions that that you should need to answer from day one,” says Darren Ratcliffe.
Fujitsu comment
For EU companies, protecting data from seizure or inspection by US authorities under the Patriot Act has become a major factor in selecting a cloud services provider.
At present, European data protection law cannot prevent data hosted by a US-owned cloud service provider from leaving the EU. Via the Patriot Act, the US authorities can request any information without customers being informed.
Downtime also becomes a significant issue for customers if access to cloud services is disrupted by US authorities forcing the provider to hand over physical servers for scrutiny.
Several ‘work-arounds’ have been proposed, including putting the brakes on US law, US companies spinning-off their European subsidiaries and halting the flow of information from the EU to the US. If introduced, these measures will take time to be implemented. They do not offer the ‘silver bullet’ of immediate data security to those companies thinking about, or already, hosting data with US-based companies.
The issues surrounding the Patriot Act can be avoided by using a non-US cloud provider. The UK Fujitsu Global Cloud Platform, is housed in a UK Tier III data centre (certified Gold by the Uptime Institute), meaning data residency will never become an issue and all your data is protected from inspection under the Patriot Act.
See also: Questions to ask cloud providers – Portability and transparency