To cloud, or not to cloud. That is the question.

by Stephen Voorhees, CISSP | Mar 21, 2017

If you are thinking about storing sensitive information in the cloud, you need to be as sure of the security of that data as you would be storing it on your own infrastructure. In effect, you are outsourcing data storage. And there are good, valid reasons to do so. Most of them stem from a lower costs (or the perception of lower costs) and management overhead.

Here is a list of questions you need to have answers to before committing to a cloud based service.



Physical Security


  • What access controls are in place at the data center?
  • Is the data center SAS70 certified?
  • What are the processes and procedures around physical access to the servers where your data is stored?
  • Who is allowed access?
  • How are they vetted from a security perspective?
  • What background checks were performed?
  • How is the staff that has access monitored?

If the provider you are thinking about trusting with your data is serious about security, they will be able to produce a document that speaks to this without hesitation.



Architecture


  • What happens if another customer in the shared environment overuses their capacity?
  • What are the impacts to you?
  • What guarantees are you offered that your performance will not be impacted?
  • What logical security exists to ensure that no one else besides you (and the people at your outsourced provider) can access your data?
  • What encryption is used when the data is in motion?
  • What encryption is used when the data is stored in their data center?
  • What auditing exists to you can look and see how your data is being accessed, and in the worst case, how a breach occurred?
  • What disaster recovery options are offered?
  • What is their Recovery Time Objective (RTO) to restore your data in event of a hardware failure?
  • What is their Recovery Point Objective (RPO) that measures their tolerance for data loss, and is it an acceptable level for your company?
  • Who has access to the backups?


A quality provider will be able to provide detailed documentation that addresses these questions without hesitation.

Veriato supports private cloud deployments, and encourages our customers to be certain they have addressed the above should they consider deploying our technology into a shared cloud infrastructure. While many of our customers elect to deploy using a private cloud, routine surveying of our customers – particularly those in financial services, healthcare, pharmaceuticals, and manufacturing (area where compliance mandates require greater control and where the value of corporate data is fully understood) tell us that an on premise deployment remains their preferred approach.