5. Research Potential Providers Processes
With this preparatory work behind you, its time to start assessing whats available in the cloud services market.
You can begin by studying their marketing literature, but to find out in detail how the service works -- where and how data moves and where it resides, what security controls are in place by default and the extent to which the provider is willing to tailor a security solution for you -- you will have to talk to them.
You will need to know what types and levels of encryption the provider can offer to ensure that even if data is leaked it cannot be read. Encryption is the key protection against security breaches that can result in loss of sensitive data.
You also need to know about the providers business continuity provisions. What happens if its main data center burns down? Does it only have one data center? In how many places does it store your data and how? Ask about security monitoring and auditing processes, and what kind of reporting the provider does. If there is a breach, will the company tell you?
Samani admitted that small businesses may be daunted by the complexity and rigor of the due diligence around cloud security his organization recommends. And for many, he said, hiring a consultant to help them with it will defeat the cost-saving purpose of considering cloud services in the first place.
But all this work will make life a lot easier later, Samani said. After the implementation, it will be much more complicated and expensive to make changes. So you need to map everything out in advance.
6. Ask About Security and Reliability Certifications
One way small businesses can short-circuit due diligence on providers security controls is to ask about various certifications they may have, or look for mention of them at the providers website. By considering only those providers with documented, verifiably sound security practices may eliminate some of the need to delve deeper.
The CSA itself has developed a certification program under its Trusted Cloud Initiative, which some providers are beginning to use, Samani said. There are also more general certifications that any organization can get, not just cloud providers, such as ISO27001 Information Security Standards and ISACA IT Audit, Security, Governance and Risk Certification.
7. Build Security Controls into the Contract
This is where the rubber hits the road. With any cloud service, you will be entering into a contract. The provider may not be willing to negotiate anything, or may not be willing to extend much flexibility to smaller customers. At the very least, you need to carefully study the contract language as it relates to security controls.
And if the provider is willing to negotiate, you need to establish in the contract the type and level of encryption to be used, where and when -- all determined by the analysis in earlier steps -- and the safeguards against data loss to be used, such as redundant storage.
You may also be able to negotiate the right to audit the companys facilities or security practices (although the cost of doing so may be out of the price range of many small businesses.)
Many cloud providers will never give the right to audit, Samani acknowledged. And the more security you ask for in general, the more the cost is going to go up. But we suggest asking for the right to audit.
8. Negotiate Service Levels and Exit Strategies
Security in the cloud is not just about protecting data. Its also about ensuring your own business continuity. Your ongoing operations may now utterly depend on being able to access a cloud service. What happens if the providers service is unavailable for a short or a long period?
Some providers will negotiate a service level agreement (SLA) specifying uptime percentages and the time to respond to trouble calls. SLAs may include financial penalties, often a discounting of service fees, if the provider fails to meet the terms. The stricter the terms, though, typically, the more you will pay for the service.
Its also important to ensure that youre not locked in to the providers service so that its difficult, expensive or virtually impossible to disengage and take your business and data to a different provider in the event you become dissatisfied or find a better deal.
And try to pre-negotiate the terms for changing contracted services in response to changes in your business to guard against prohibitively expensive fees for doing this.
9. Pursue Offline Security Measures
As Quin pointed out, one of the problems with moving to the cloud is the loss of control over your security profile. But in some cases, it may be possible to preserve some control -- by using offline backup of data stored in the cloud, for example, or preserving the right to control encryption keys so that in the event a providers system is compromised, there is no possibility of keys falling into the wrong hands.
10. Read the Cloud Security Alliance Guidance Document
The CSA has prepared a detailed document outlining the due diligence it recommends companies undertake when considering moving applications and data into the cloud. Read it, and follow it to the best of your ability.
Gerry Blackwell is a freelance technology writer based in London, Canada. Read his blog, AfterByte
Small Business Computing is on Facebook. Join us on Facebook and interact with the site's editors, post messages, share your small business challenges and successes, discuss technology and suggest topics you'd like covered on Small Business Computing.
|Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!|