Standards, security and data handling in a cloud environment
Joaquin Gamboa and Marc Lindsey
Here are some important issues to consider when selecting a cloud vendor or services provider:
Whether you’re running your own cloud or depending on someone else’s, you’ll want to ensure that your early investments in virtualization are good for the long haul. To the extent possible, get assurances from your vendors and cloud providers that the systems you’re buying are standards-based, will operate with other systems you intend to adopt as part of your technology strategy, and are able to grow with your business — both in terms of capacity and complexity.
If you’re using someone else’s cloud, make sure that you’re not creating an extensive set of APIs or function calls that are proprietary to that cloud provider. The greater your investment in your virtualized environment, the more you will be locked into that specific cloud provider.
Security vulnerabilities may occur in a virtualized environment for various reasons (e.g., design defects, poor patch/update management, ineffectual authentication controls, storage and transmission of sensitive data without encryption, and inadequate procedures for security incident monitoring, reporting and mitigation). To increase the likelihood that your virtualized environment will be sufficiently secure, make security one of the determining factors in the evaluation and selection of both software and services vendors.
In your evaluation of software vendors, consider the following factors:
- The relative importance that the vendor has placed on security in its design of the software.
- The processes the vendor has in place, and the commitment it’s willing to make, to update the software’s security throughout the term of the license.
- The compatibility of the software’s security design and mechanisms with the other components of your virtual environment.
In your evaluation of a cloud manager or provider, consider the vendor’s physical and logical security practices, processes and management approaches, and its willingness to comply with your security policies and procedures. Your negotiated agreement with a cloud manager or provider should do the following:
- Enable you to conduct periodic security assessments.
- Assign responsibility for security incident detection, reporting, response and mitigation.
- Include a process for management escalation of unresolved security problems.
Protecting sensitive corporate and customer data should be a priority if you’re considering a virtualized environment that enables a vendor to manage or store that data. Before you put your data in the hands of a vendor, demand that the vendor demonstrate its data protection and business continuity capabilities. And when you decide to move forward, make sure that your negotiated agreement is explicit about the vendor’s ongoing obligations to protect your data and holds the vendor liable for failure to satisfy those obligations.
If your company operates internationally or in certain industries in the U.S. (e.g., financial services or health care), your negotiated agreement should require the vendor to comply with applicable data-protection and privacy laws.
The negotiated agreement should also do the following:
- Incorporate the relevant portions of your privacy policies and obligate the vendor to conform to them.
- State that your company owns its data, has access to that data at its discretion, and will receive the data upon the expiration or termination of the agreement.
- Describe the parties’ responsibilities when it comes to recovering lost data.