At this point in time, I would guess that every organization has at least some experience using the cloud.
But as IT leaders, we are often either bypassed or an afterthought, because other departments and leaders can purchase and turn up a cloud service quicker than you can say purchase order. Yet not having IT involved in cloud decisions can certainly negatively impact an organization. Cloud purchasers often forget to ask about user and data management, and about integration with existing systems. An adopted cloud system which does not play well with other systems, which has its own separate user repository, or for which security is an afterthought, can quickly turn into a nightmare for IT, or for the adopters who did not know what questions to ask the provider.
Just the other day I was speaking with a small cloud provider, who had pretty good answers for most of my questions, but what was unsaid was the fact that this was the equivalent of a mom-and-pop cloud provider, most likely one car accident away from dissolution of the cloud company. That could pose a big risk for our organization, especially if this was a critical cloud service.
An IT director in Schertz, Texas, Myles Clauser, recently shared a list of questions to ask cloud providers before deciding if their service is right for your organization. This is a pretty tough set of questions, and you may be willing to accept a variety of answers depending on what the particular service is; nonetheless, this is a great set of questions to help vet the rapidly expanding list of cloud services:
Questions and considerations for using cloud providers:
1. Ownership of all data must be spelled out. Many cloud providers specify that using their services means relinquishing ownership of the data.
2. What format is the data stored in at the host site?
3. Where is the live data actually stored? Where are the backups stored? (Are all sites within the continental US?)
4. Is it encrypted, either in transit or in storage? This includes backups.
5. Is there any possibility for vendor staff to review / copy / duplicate the data (with the exception of routine backups) without our knowledge?
6. Is the data / information we contemplate storing in the "cloud" subject to any relevant Federal, State or other privacy requirements or agreements already in place? (e.g. PCI compliance, HIPAA, FIPS, CJIS, etc.) If so, what documentation can the vendor supply that ensures that their storage and delivery systems comply with those requirements?
7. Are there any limitations regarding access to the data? i.e.: are we notified in advance of planned downtimes, etc.?
8. Are there any QoS provisions in the agreement? i.e.: the data will be available 24 hours a day, 7 days a week, with a guaranteed minimum response time from their system based on agreed-upon criteria.
9. If we delete data from a system, what proof do we get that the data has been removed from backup systems, disaster recovery sites, etc.?
10. What formats can we use to retrieve any and all data? i.e.: what utilities exist that will allow us to archive data in industry-standard formats for later retrieval by City staff without having to work through or with the vendor's proprietary format?
11. Since this is a web-based system, can the vendor provide certification that their systems are updated regularly? This includes patches, antivirus systems, backend databases, web interfaces, etc.
12. How often does the vendor perform security audits on their systems, and when was the last one done? Can we see the results?
13. What is their policy regarding informing us if a data breach occurs? Are they liable to us for any damages, remediation costs, etc.?
14. If the vendor is contacted by an outside party (e.g. subpoenas, open records requests, etc.) to provide information contained in one of our documents, how do they respond? If we are required to hold data for litigation purposes, do they have a mechanism / system in place to do so, or are we on our own?
15. What provisions have been made to protect our data if the vendor closes its doors or is sold?
This blog entry is cross-posted with the great folks at SchoolCIO.