Cloud computing is the latest fashion in computing and, like it or not, it will be the future. One day computers will barely store anything and you will connect to a remote hosted desktop meaning your desktop computer is no longer in your home but in a data centre somewhere. This of course will reduce costs, make backup easier and mean more flexibility but it opens a whole can of worms around security, continuity and privacy. Before picking a cloud service you really need to investigate and ask a bunch of questions like these:
Whose responsibility is it?
Some cloud provider pass responsibility of security over to you; this is often the case with cloud hosting or servers. If it's your responsibility you need to know what you are doing.
No we are not talking about in-flight entertainment. Data and passwords move across various networks in milliseconds and you need to know that they cannot be intercepted. Even the most basic website or cloud server should be operating SSL/TLS encryption.
Is data encrypted at rest?
Once the data has hit the server and been decrypted it's good to know it is stored in a encrypted form. This provides extra security from physical and virtual threats. One thing to remember is how are the keys stored. Are they on the same server, a separate server or stored on your desktop / laptop?
May I handle the passwords or keys?
For extreme security you can set a client programme to encrypt data client side, meaning data on the server cannot be opened. Very few back-up services offer this and you may need to use third-party software to achieve this.
Where is my data?
The problem with larger providers like Amazon, Yahoo, Hotmail and Google is they have so many data centres that you have no clue where your data is. If you’re UK-based it's better to have it based in the UK or EU. Compliance rules may also state this, like FSA data security rules.
How is it backed up?
A backup of a backup. What happens if the data centre blows up, are there tapes offsite? If it's a smaller company then they should have a offsite backup.
Is it replicated?
Servers should be replicated within the data centre or outside so if one dies there is another copy. RAID config is something else to look at.
Are you staff vetted?
Staff vetting is not going to catch everything but it's something. Ask for details like CRB, certificates, qualifications, past jobs and references. Company financials may also help.
What tier is the data centre?
Data centres come in tiers 1, 2, 3 and 4 – 1 being the lowest and 4 being the highest. The tiers offer better or worst levels of redundancy like network connections, generators, UPS, fire-fighting equipment and so on. Aim for tier 3 since tier 4 is quite rare.
Does the data centre have 24 / 7 security?
A good data centre should have a 24 / 7 security team with multiple CCTV, swipe cards, biometrics and trained to check ID and question visitors.
Can I move my data out?
One day you may want to move back to an in-house set-up; the question is how easy will it be to do this? Some cloud accounting systems restrict the number of fields they let you extract.
Is your company or data centre certified?
SAS 70, PCI-DSS or 27001 are certifications relating to the company and data centre. ISO 27001 is a tough certification to get and should suggest they take security seriously.
Can their staff view my data?
Many companies will tell you that even their staff cannot view your data. The fact is server administrators using the system have full root access to servers so, in theory, they can access data unless its encrypted somehow.
What are your SLAs?
Ask about Service Level Agreements on response times and fixes. The lower the better during office hours.
Eggs in one basket?
We have all heard the expression ‘don’t put all of your eggs in one basket’. Put your website, backup, email and document storage at one data centre or company and you could lose everything. It's a good idea to use several companies so, should one be breached and go under, you have only lost a part of your data.