What You Should Ask Your Cloud Vendor
The Tech Scoop, May 17, 2012 (Cloud)

Keeping your data safe in the cloud is nothing mysterious: the same approaches one takes when verifying any supplier's integrity should be followed. Kate Craig-Wood, MD of IT hosting company Memset, explains.

With cloud-based applications you typically get more security than running systems on a desktop computer or internal network. Cloud vendors invest more heavily in network and physical security than a typical business. They also have background checks done on their own systems administration staff and constantly monitor them.

When selecting a cloud vendor, the same approaches that one takes when verifying any supplier's integrity should be followed, so you should ask questions like:

1) Will the data remain within the EU (for data protection)?
Cloud providers could be forced to hand over data to US authorities under the Patriot Act, even if the data is physically located in the UK, provided that the cloud provider is headquartered in the US. This is obviously bad news for security-conscious IaaS consumers using the likes of Amazon or Rackspace, but good news for British providers like Memset, since we are wholly owned and sited within the UK!

2) Who in the supplier organisation has access to my data, and what controls are placed upon them?
The main threat to data security is rarely over the wire. If you are concerned about data theft then you should be concerned about "purchase key" attacks (i.e. bribing someone), most probably from within your own organisation. When faced with such attacks it is often much better to have the data off-premise with a provider who has invested in tight security and monitoring of their own systems administration staff.

3) What checks does the supplier make on its staff?
Businesses should do their due diligence to ensure that their cloud vendors' security controls for employees check out. Not only should the vendor be doing the requisite background checks on employees, including CRB checks before they sign on the dotted line, but the company should also educate its employees on security best practices and have a methodology for continuing that education over time.

4) Does the supplier have a certified ISO27001 Information Security Management System?
Cloud is nothing mysterious and you still know exactly where your data is (in our case, our data centres are in Reading), and you can be assured of a supplier's suitability by looking for certifications like ISO27001.

5) What other certifications or standards does the supplier adhere to?
While there is no common standard for cloud computing certifications, it's worth checking whether your preferred supplier holds ISO9001 certification or adheres to the Cloud Industry Forum Code of Practice.

6) What level of resilience am I guaranteed, and how is this achieved?
OpenStack cloud storage systems like Memstore keep 3 copies of every object, giving a 99.999999% per-year, per-object durability rate.

7) What are your SLAs?
As with any service provider contract, you should negotiate clear SLAs with your cloud provider. These should include, but not be limited to, clear metrics around performance (both networking and computing), provisioning, change management, patching and vulnerability remediation.

To ensure your data is safe in the cloud at all times, make sure you think about the following:
Who has your data
Where that data is held
What they are doing with it
How they are protecting it

In the case of cloud computing there are some additional questions to be asked, but again nothing really outside the remit of normal IT operations. For example, we are going through the CESG assurance process for the hosting of restricted content in our public cloud. To that end we have had to undergo a range of third-party penetration tests which, it should be added, conclusively demonstrated that our Memstore and Miniserver VM products have no security vulnerabilities.

In summary, when using cloud services:
Apply common-sense checks to validate the supplier's security credentials.
Don't be afraid of using off-premise cloud; it may be much more secure than on-premise.
Choose a good password!

About The Author:
Kate is an award-winning technology entrepreneur, owner-manager of Memset, and a renowned advocate of green ICT and cloud computing. Memset, a nationally leading managed hosting and cloud computing provider, has pioneered virtual machine technology since 2002 and was Britain's first Carbon Neutral ISP. Kate is also an officer of BCS's influential Data Centre Specialist Group and sits on the main board of Intellect, Britain's high-tech trade association. Last year she co-led the technical strand of phase two of the Cabinet Office's G-Cloud project, and Memset has been invited to be part of the G-Cloud IaaS/PaaS foundation delivery partner activities.