Academic year: 2021

Share "CONSIDERATIONS BEFORE MOVING TO THE CLOUD"

Copied!
6
0
0

Loading.... (view fulltext now)

Full text

(1)

1400 Computer Drive, Suite 220 • Westborough, MA 01581• ceservices.com • 508-983-1990 • info@ceservices.com

CONSIDERATIONS BEFORE MOVING TO THE CLOUD

What Management Needs to Know – Part II

By Debbie C. Sasso

Principal

In part I, we discussed organizational compliance related to information technology and what audits data centers need to pass to be compliant, what to look for in a data center location, identifying service level requirements for your business, and how to avoid complications in case of provider shutdown.

Part II focuses on data, which is the number one concern we hear from business owners about the cloud. “How safe is my data in the cloud? Do I have control over my data? Can I easily restore my data in the event of loss? How do I protect my data on mobile devices?” are questions we consistently hear from owners.

Here we discuss the following areas:

• Data Security
• Transmission of Data
• Encryption
• Data Breach Notification

Data Security

The security and integrity of data in the cloud causes a lot of hesitation for business owners and decision makers when it comes to considering cloud services. Before looking for a cloud services provider, inventory your data. Identify the different types of data whether it’s highly sensitive or not, how it’s managed, and how it’s stored. Consider whether or not it would be best for your business to store your data in the cloud. You may have to comply with industry or state regulations and going to the cloud may complicate processes.

Once the decision is made to move to the cloud, many factors regarding data security come into play when selecting a provider. Here’s a high level checklist of what to ask of a Cloud Services Provider:

• Data Center Facility Security – Find out what the physical security measures are to prevent unauthorized access to servers, such as surveillance, key card access, security guards, etc.

• Infrastructure Security – Make sure controls are in place to prevent hackers from stealing your data. A reputable provider will have anti-intrusion measures such as secure firewalls, SSL (Secure Sockets Layer), encryption, antivirus software, and a password policy.

• Accessibility of Data – Unless you have a dedicated server, chances are highly likely that you will be sharing a server with other clients of the cloud service provider. This is referred to as multi-tenancy. Ask how they separate information and systems, and make sure that unauthorized users are not allowed to get their hands on your data.

• Data Loss – Find out what provisions are in the contract if the provider loses or corrupts your data. There should be a clearly defined plan in your contract; if not, you may want to consider going elsewhere.

• Data Backup – Make sure daily backups are performed and that the backups are tested. Performing regular backup routines is critical, but verifying these routines actually work is just as vital.

Transmission of Data

Initial Setup

You are going to need to move your data and files which are stored on hard drives, servers, or tapes into the cloud. This means you will need to upload your data to the cloud server of the hosting provider. There are many ways to do this so make sure you ask your provider how they will make the switch.

Some providers will have you upload all of your existing files, while others will just start with new data. Existing data will either remain on your own systems or will have to be uploaded separately. As uploading files demands a lot of resources, you should understand when it will be done. If your files are transferred during business hours, this will result in sluggish Internet speeds. It’s best to work with a provider who is flexible as to when you want the data uploaded.

Also, ask the cloud provider what file and document formats are supported. While most of the larger cloud providers support almost every type of file/document, some providers may have limitations on the type of file that can be uploaded and stored, and on how you can use it.

The takeaway here is to determine whether you will need to convert files and data to a format the provider supports. If you need data conversion, ask if they provide conversion tools and support. This will make conversion a lot smoother. Keep in mind that data conversion can be a very time-consuming process.

Switching Cloud Providers – Exporting and Removing Data

Businesses may think that the cloud service provider they initially contract with will be the one they always use. This can be risky thinking when it comes to technology. There will come a time when you need to remove your files from the service. Be sure to ask the provider about their exit process. Some have been known to charge incredibly high rates to remove files.

A good cloud services provider will assist you in removing files and will have a clear solution. Because your files are saved on the servers’ hard drives, your data could remain on those drives even after you remove it. This is obviously something you wouldn’t want, so ask what the provider does with the files once you remove them.

Encryption

To give sensitive data the highest level of security, it should be stored in encrypted form. The goal of encryption is to make data unintelligible to unauthorized readers and difficult to decipher when attacked. Encryption operations are performed using random encryption keys, and the randomness of the keys is what makes the encrypted data harder to attack. The same keys are needed to decrypt the data, so keys are typically stored so that encrypted data can be decrypted at a later date.

When it comes to data encryption, you will typically hear two terms – data at rest and data in transit. Examples of data at rest include data stored on your computer’s hard drive or in a storage facility. Data in transit includes data transferred through email, mobile devices, or a USB stick, and can even include a backup tape if you are delivering it from point A to point B.

To make sure your data is protected ask your cloud provider about encryption methods. It is important to make sure your data is encrypted all the time — when it’s in transit and when it’s at rest. Learn about how the cloud provider would manage and protect your data’s encryption keys, especially when it comes to rules for access control.
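The encryption arrangement the previous paragraphs describe, as an added illustration that is not part of the whitepaper: each stored record is encrypted under its own random data key, and that data key is itself encrypted under a separate key-encryption key held by whoever controls access (the customer or the provider’s key management service). The type and function names (Envelope, EncryptAtRest, DecryptAtRest) and the sample record are this example’s own assumptions; the code uses only Go’s standard library (AES-256-GCM from crypto/cipher and the OS random source from crypto/rand).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what would be written to provider storage: the ciphertext of
// the record plus the data key encrypted ("wrapped") under a separate key.
// Neither the plaintext nor an unwrapped key is ever stored.
type Envelope struct {
	Nonce      []byte // per-record nonce for the data
	Ciphertext []byte // AES-GCM output: data plus integrity tag
	KeyNonce   []byte // nonce used when wrapping the data key
	WrappedKey []byte // data key encrypted under the key-encryption key
}

// newGCM wraps a 32-byte key in an AES-256-GCM AEAD.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// randomBytes draws n bytes from the OS cryptographic random source; this
// randomness is what makes the resulting keys and nonces unpredictable.
func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

// EncryptAtRest encrypts plaintext under a fresh random data key (DEK) and
// wraps that DEK under kek, the key-encryption key that stays with whoever
// controls access. The kek never touches the stored data directly.
func EncryptAtRest(plaintext, kek []byte) (*Envelope, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	dataAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(dataAEAD.NonceSize())
	if err != nil {
		return nil, err
	}
	ct := dataAEAD.Seal(nil, nonce, plaintext, nil)

	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	keyNonce, err := randomBytes(kekAEAD.NonceSize())
	if err != nil {
		return nil, err
	}
	wrapped := kekAEAD.Seal(nil, keyNonce, dek, nil)
	return &Envelope{Nonce: nonce, Ciphertext: ct, KeyNonce: keyNonce, WrappedKey: wrapped}, nil
}

// DecryptAtRest unwraps the data key with kek, then authenticates and decrypts
// the record. A wrong kek or any bit changed in storage yields an error rather
// than silently corrupted plaintext.
func DecryptAtRest(env *Envelope, kek []byte) ([]byte, error) {
	if env == nil {
		return nil, errors.New("nil envelope")
	}
	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	dek, err := kekAEAD.Open(nil, env.KeyNonce, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	dataAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	pt, err := dataAEAD.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt data: %w", err)
	}
	return pt, nil
}

func main() {
	kek, _ := randomBytes(32) // in practice held in a KMS or HSM, never beside the data
	record := []byte("constructed sample: customer 4242, card ending 1234")
	env, err := EncryptAtRest(record, kek)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored ciphertext: %d bytes, plaintext not recoverable without the key\n", len(env.Ciphertext))
	pt, err := DecryptAtRest(env, kek)
	fmt.Printf("decrypted with the right key: %q (err=%v)\n", pt, err)
	env.Ciphertext[0] ^= 0x01 // simulate a modified byte in storage
	_, err = DecryptAtRest(env, kek)
	fmt.Println("decrypted after tampering: err =", err)
}
```

The split between the data key and the key-encryption key is the point to raise with a provider: rotating or revoking the kek controls access to every record without re-encrypting the data, and whoever holds the kek (you, the provider, or a separate key service) is the party that can read the data at rest.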

Although firewalls can be excellent protection from external hackers and attackers, it’s important to protect against internal attacks as well. Encryption for data at rest can help prevent attacks by employees who have access to sensitive information. These types of attacks are often even more devastating and cannot be prevented by firewalls. While viruses and stolen banking and credit card information are the rage in the headlines, less publicized incidents such as data theft or destruction by disgruntled former employees can result in far more damage.

In addition to talking to your provider about encryption methods, ask these questions:

1. How many employees at the hosting facility have access to your databases?

2. How are they storing passwords?

3. Do they have security policies in place that include auditing database security and monitoring for suspicious activity?

4. What is the security plan if database security is breached?

While preventive security mechanisms like encryption are readily available, oftentimes they are not implemented to secure data from internal and external threats.


Data Breach Notification

Businesses are required to take reasonable steps to protect the personal information they hold from misuse and loss and from unauthorized access, modification or disclosure. The same goes for data center and cloud services providers. When looking for a provider make sure they have a documented plan on handling data breaches.

Questions to ask a potential cloud services provider:

• What constitutes a data breach?

• What measures are in place to prevent and detect a security breach?

• How are breaches investigated?

• Under what criteria are more severe breaches escalated in order to be handled in a manner appropriate to the risk they pose?

• What’s your notification procedure? The notification procedure should document how you will be notified (i.e. phone call, letter, or email) in the event of a breach and what the timeline is from the time of the breach to the time of notification.

• What are your incident response procedures? You should attempt to require the cloud provider to keep to certain procedures. Particular data breach response obligations may include:

  • Immediate investigation after a breach

  • Providing prompt notice to the customer, within hours of the breach

  • Written reports and status reports concerning the breach

  • Keeping certain information that would be relevant to a data breach (including logs, planning documents, audit trails, records and reports)

  • Documentation of corrective actions

Most states have set security breach notification laws. Be aware of what the laws are in your state and how your cloud services provider plans to meet the requirements.

A part of your strategy for security in the cloud is the need to have appropriate plans in place for breaches and loss of data. This is a critical component to your overall agreement with the cloud service provider.

Data Breaches

• Target – 110 million customers’ personal and payment information exposed. Reason: stolen credentials allowed hackers to access Target networks.

• Heartland Payment Systems – 134 million credit cards exposed. Reason: SQL injection used to install spyware on Heartland’s data systems.

• TJX – 94 million credit cards exposed by a hacker. Reason: network wasn’t protected with any firewalls.

• Fidelity National Information Services – 3.2 million customer records including credit card, banking and personal information. Reason: employee theft.

Resource: CSO Security and Risk, csoonline.com, “15 Worst Data Security Breaches”

In part I, we discussed the following areas:

• Organizational Compliance
• Data Center Location
• Service Levels
• Provider Shutdown

For a free download of Considerations Before Moving to the Cloud - What Management Needs to Consider Part I, please visit ceservices.com/cloud-whitepaper-part-one
