Cloud vendors may have a slick sales pitch, but it won't always match what's in their contracts — so it’s up to you to ask the hard questions. Here are some tough questions to ask cloud providers.
1. How do you encrypt data and how do you manage encryption keys?
Kelly Ferguson, mi9 CIO, says you might find a vendor only encrypts data in transit when you may need it encrypted at rest, or that it only encrypts passwords when there are other ways of getting unauthorised access.
“Encrypting data at rest is used to prevent an attacker external to the system from being able to use the data even if they get a copy of it,” says Ferguson.
“Mi9 has the benefit of not retaining a large amount of sensitive data that requires encryption at rest. However, if we did we would be looking to leverage either S3 server-side encryption, for example, or encrypted partitions/volumes for block devices.”
Ferguson says an area that often isn't addressed is how encryption keys are maintained, provisioned and revoked.
“Imagine a situation where you have a large block of encrypted data. Your provider suffers some catastrophic event and loses their key store. Suddenly you have a large block of useless bits — whoops!
“A finer point to be aware of with encryption methods is the cipher used. Some ciphers such as RC4 have been implemented incorrectly, making it much easier to break the encryption key.”
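To make the key-management point concrete, here is an added Go example (not code from the article, nor from Mi9 or any vendor named in it). It uses envelope encryption with AES-256-GCM from Go's standard library: each stored object gets its own data-encryption key (DEK), and that DEK is wrapped under more than one key-encryption key (KEK), such as the provider's key store and a customer-held escrow key. The `EnvelopeRecord`, `Encrypt` and `Decrypt` names and the record layout are constructed for this illustration; a production system would keep the KEKs in a KMS or HSM rather than in memory. The walkthrough shows that losing one key store does not turn the data into "a large block of useless bits" as long as a second wrapped copy of the DEK exists, that losing every KEK still does, and, on the cipher-choice point, that an authenticated cipher rejects ciphertext that has been altered.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EnvelopeRecord is a constructed on-disk layout for one stored object: the
// AES-256-GCM ciphertext plus the object's data-encryption key (DEK) wrapped
// under one or more key-encryption keys (KEKs), indexed by key-store name.
type EnvelopeRecord struct {
	Ciphertext  []byte
	WrappedDEKs map[string][]byte
}

const objectAAD = "object-v1" // authenticated header bound into every ciphertext

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAEAD encrypts and authenticates plaintext; the random nonce is prepended.
func sealAEAD(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openAEAD reverses sealAEAD and fails if key, nonce, AAD or ciphertext differ.
func openAEAD(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt generates a fresh DEK for the object, encrypts the data with it, and
// wraps the DEK under every KEK supplied (e.g. provider key store plus a
// customer-held escrow key), so no single key store is a single point of loss.
func Encrypt(plaintext []byte, keks map[string][]byte) (*EnvelopeRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := sealAEAD(dek, plaintext, []byte(objectAAD))
	if err != nil {
		return nil, err
	}
	rec := &EnvelopeRecord{Ciphertext: ct, WrappedDEKs: map[string][]byte{}}
	for name, kek := range keks {
		wrapped, err := sealAEAD(kek, dek, []byte("dek-wrap:"+name))
		if err != nil {
			return nil, err
		}
		rec.WrappedDEKs[name] = wrapped
	}
	return rec, nil
}

// Decrypt tries each key store still available; a store whose KEK is lost,
// rotated or wrong simply fails to unwrap the DEK and the next one is tried.
func Decrypt(rec *EnvelopeRecord, available map[string][]byte) ([]byte, error) {
	for name, kek := range available {
		wrapped, ok := rec.WrappedDEKs[name]
		if !ok {
			continue
		}
		dek, err := openAEAD(kek, wrapped, []byte("dek-wrap:"+name))
		if err != nil {
			continue
		}
		return openAEAD(dek, rec.Ciphertext, []byte(objectAAD))
	}
	return nil, errors.New("no usable key-encryption key: the object is an unreadable block of bits")
}

func main() {
	provider, escrow := make([]byte, 32), make([]byte, 32)
	rand.Read(provider)
	rand.Read(escrow)
	rec, _ := Encrypt([]byte("customer record"), map[string][]byte{"provider": provider, "escrow": escrow})
	_, err := Decrypt(rec, map[string][]byte{"escrow": escrow}) // provider key store lost
	fmt.Println("recovered via escrow KEK:", err == nil)
	_, err = Decrypt(rec, map[string][]byte{}) // every KEK lost
	fmt.Println("recovered with no KEKs:", err == nil)
}
```

The two wrapped copies of the DEK are the part to ask a vendor about: who holds each KEK, how a KEK is rotated (re-wrap the DEKs, not re-encrypt every object) and how one is revoked. Binding the key-store name into the wrap's authenticated data also stops a wrapped DEK from being presented under the wrong store.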
2. What are your security certifications?
Ferguson says it’s important to ask this question because you may need additional certification that goes beyond the standard ISO 27001. For example, a financial services organisation may need PCI compliance certification; a health organisation may need HIPAA.
David Harrison, Freelancer.com vice-president of engineering, agrees: Certification will give you an insight into the vendor’s business continuity process, ongoing risk auditing, ongoing access control management, and so on.
“It gives you a clear understanding of what level of responsibility they are directly taking,” he says.
In addition to knowing what kind of certifications the vendor has, Michael Warrilow, Gartner research director, says it’s important to understand who the certifier of the vendor is.
“A lot of the cloud providers will at best allow you to see their certification, but they won’t allow you to actually audit or get independent certification, so you have got to trust in either their certifier or in them, because not all audits are equal,” he says.
“If they are not going to allow you to use your auditor or certifier, then make sure you are confident in theirs.”
Ferguson adds that it’s important to understand how the vendor keeps up to date with their security changes and requirements throughout the life of your agreement.
3. If something goes wrong or there’s a change, are there proper notifications and protocols in place?
Harrison says you need to know how much downtime you can expect per week, month or overall per year from the cloud provider, as well as the mean time to response for an incident. Worst-case scenarios should be played out here so that you know what to expect if a major event were ever to occur. Some cloud providers might be able to provide compensation for an extended outage.
Warrilow says he has frequently heard complaints from IT managers and CIOs about vendors simply notifying their customers of a change on their websites, but not checking whether a customer has received and understood the change.
“The worst case is that the feature is being retired, and there have been examples where it almost defied the laws of physics in terms of the time frame available in which to get the key information out of that cloud environment and into another cloud environment,” he says.
“The trick is — and this is one of the big ones — often the case with cloud providers is their economies at scale come from having everything very vanilla. So the ability to tweak the contract is somewhat limited and the devil is always in the detail.”
Harrison says he uses a dashboard from Amazon that gives real time updates on a migration process taking place or an incident that might impact the network.
“On top of that, you want to understand who your contact person there is. When you are starting out really small obviously you might not have a dedicated account manager. But you want to understand — who is on point with this cloud provider? Is it a support desk, or is it an account manager? Who do I contact to ask questions about if something goes wrong?”