By Steve Young, CIO Advisor
At this point in time, I would guess that every organization has at least some experience using the cloud. But often, IT leaders are bypassed or an afterthought when other departments and leaders purchase and turn up a cloud service quicker than you can say "purchase order." Not having IT involved in cloud decisions can negatively impact an organization. Cloud purchasers often forget to ask about user and data management and integration with existing systems. An adopted cloud system that does not play well with other systems, that has its own separate user repository, or for which security is an afterthought can quickly turn into a nightmare for IT or for the adopters who did not know what questions to ask the provider.
Just the other day I was speaking with a small cloud provider who had pretty good answers for most of my questions, but what was unsaid was the fact that this was the equivalent of a "mom and pop" cloud provider, which was most likely one car accident away from dissolution of the cloud company. That could pose a big risk for our organization, especially if this was a critical cloud service.
Myles Clauser, an IT director in Schertz, Texas, recently shared a list of questions to ask cloud providers before deciding if their service is right for your organization. This is a pretty tough set of questions and you may be willing to accept a variety of answers, depending on what the particular service is; nonetheless this is a great set of questions to help vet the rapidly expanding list of cloud services.
Questions and considerations for using cloud providers:
- Ownership of all data must be spelled out. Many cloud providers specify that using their services means relinquishing ownership of the data.
- What format is the data stored in at the host site?
- Where is the live data actually stored? Where are the backups stored? (Are all sites within the continental US?)
- Is the data encrypted, both in transit and in storage? This includes backups.
- Is there any possibility for vendor staff to review/copy/duplicate the data (with the exception of routine backups) without our knowledge?
- Is the data/information we contemplate storing in the cloud subject to any relevant federal, state, or other privacy requirements or agreements already in place (e.g., PCI compliance, HIPAA, FIPS, CJIS)? If so, what documentation can the vendor supply that ensures that their storage and delivery systems comply with those requirements?
- Are there any limitations regarding access to the data—i.e., are we notified in advance of planned downtime?
- Are there any QoS (quality of service) provisions in the agreement—e.g., will the data be available 24/7/365, with a guaranteed minimum response time from their system based on agreed-upon criteria?
- If we delete data from a system, what proof do we get that the data has been removed from backup systems, disaster recovery sites, etc.?
- What formats can we use to retrieve any and all data—i.e., what utilities exist that will allow us to archive data in industry-standard formats for later retrieval by city staff without having to work through or with the vendor’s proprietary format?
- Since this is a web-based system, can the vendor provide certification that their systems are updated regularly? This includes patches, antivirus systems, backend databases, web interfaces, etc.
- How often does the vendor perform security audits on their systems and when was the last one done? Can we see the results?
- What is their policy regarding informing us if a data breach occurs? Are they liable to us for any damages, remediation costs, etc.?
- If the vendor is contacted by an outside party (e.g., subpoenas, open records requests, etc.) to provide information contained in one of our documents, how do they respond? If we are required to hold data for litigation purposes, do they have a mechanism/system in place to do so, or are we on our own?
- What provisions have been made to protect our data if the vendor closes its doors or is sold?