One of the hardest parts of moving your business's IT to the cloud is choosing a cloud services provider. How can you decide who to trust with your business's data? Whether this decision is made by an in-house IT director, or a business owner or CFO, the cloud is still new to most businesses and it's hard to know what questions to ask.
These 7 questions go beyond the questions you're probably asking already: What kind of reliability can I expect? How quickly can I expect resolution if there's a problem?. Most cloud providers will be able to give good, truthful answers to those basic questions. Instead, these questions are designed to give you a clearer picture of your data's security. We've also included the red flags to look out for.
Here are the 7 key questions:
1. Privileged user access—inquire about who has access to your data and about the hiring and management of such administrators. What security policies does the cloud provider have in place to ensure their employees can't access your company's data? Red flag: If they don't have a policy in place to limit data access to an as-needed basis.
2. Regulatory compliance—make sure a vendor is willing to undergo external audits and/or security certifications. If you are subject to any compliance regulations (HIPAA, GLBA, PCI, etc.), your cloud services provider is ultimately responsible. Red flag: If they can't prove their infrastructure will pass an audit.
3. Data location—ask if a provider has complete control over the physical location of data. This will help you understand if the cloud provider has built their own infrastructure (this is much safer) or if they are renting space from one of the big cloud storage providers like Amazon or Microsoft. Red flag: If they don't own their own infrastructure, that means they don't have ultimate control.
4. Data segregation—if a provider is using virtualization to house multiple business’s data on the same physical servers, understand what they’re doing to ensure nobody else can access your data. Make sure that encryption is available at all stages and that these encryption schemes were designed and tested by experienced professionals. Red flag: If they can't explain (ideally with a network diagram) how they will ensure your data is inaccessbile by anybody but you.
5. Recovery—find out what will happen to data in the case of a disaster; do they offer complete restoration and, if so, how long that would it take. Red flag: If they only store backups in one location, instead of replicating backups to multiple physical locations.
6. Investigative support—inquire whether a vendor has the ability to investigate any inappropriate or illegal activity. Red flag: If they can't show they have the capacity to audit access or attempted access of systems or files.
7. Long-term viability—ask what will happen to data if the company goes out of business; how will data be returned and in what format. Red flag: If they're unwilling to provide a guarantee they'll return a fully restorable backup of your servers and/or data in a standard format.
When you're thinking about moving any aspect of your business to the cloud--anything from hosted email to a full hosted desktop service--asking potential providers these questions will give you a good understanding of how that provider operates. If you're still learning about what cloud computing can do for your business, check out our free whitepaper: