9 Cloud Security Questions you need to ask Service Providers

Companies in Ireland and the UK who are considering cloud adoption might already have a general idea of the security risks inherent in cloud computing. However, since different providers may not offer the same levels of risk mitigation, it is important to know which providers can give sufficient assurance on cloud security.

Here are 10 cloud security questions to ask service providers vying for your attention.

1. Where will my data be located?

There are a variety of reasons why you will want to ask this question. One big reason is that there are certain countries that don’t have strict legislation (or any legislation at all) pertaining to cloud computing. In that case, the provider won’t be as motivated to apply high levels of risk mitigation.

So if your data is hosted off shore, then you might want to reconsider or at least conduct a deeper study regarding the security conditions there.

2. Do you have provisions for regulatory compliance?

Certain standards and regulations (e.g. PCI DSS and possibly the EU Data Protection Directive) have specific guidelines pertaining to data stored in the cloud. If your organisation is covered by any of these legislation, then you need to know whether your provider can help you meet requirements for compliance.

3. Who will have access to my data?

In a cloud environment, where your data is going to be managed by people who aren’t under your direct supervision, you’ll have to worry as much about internal threats as you would with external threats.

Therefore, you need to know how many individuals will have access to your data. You also need to know relevant information such as how admins and technicians with data access rights are screened prior to getting hired. You also need to determine what access controls are being implemented.

4. How is data segregated?

Since there will be other clients, you will want to know how your data is going to be segregated from theirs. Is there any possibility of an accidental or intentional data breach due to poor data segregation? Find out if your data is going to be encrypted and how strong the encryption algorithm is.

5. How will you support investigative activities?

Sometimes, even if strong cloud security measures are in place, a data breach can still happen. If it does happen, the provider should have ways to track each user/administrator’s activity that can sufficiently support a detailed data forensics investigation.

Find out whether logs are being kept and how detailed they are.

6. Are we protected by a Disaster Recovery/Business Continuity plan? How?

Don’t be fooled by sales talk of 100% up-time. Even the most robust cloud infrastructures can suffer outages too. But the important thing is that, when they do fail, they should be able to get up and running in the soonest time possible.

Don’t just ask about their guaranteed RPOs and RTOs. Find out whether your data and applications will be replicated across multiple sites. Unless the provider says they will be, you need to find a provider with a better infrastructure.

7. Can I get copies of my VMs?

In a cloud infrastructure, your servers are actually in the form of files known as virtual machines (VMs). Because VMs are just files, they should be easily copied. There may be issues though, like the VMs might be stored in a not-so-popular proprietary format. Another possible issue is that the provider may simply not allow copying.

Having copies of your VMs can be useful should you later on decide to transfer to another provider or even duplicate your cloud infrastructure on your own.

8. What will happen to my data when I scale down?

One outstanding benefit of cloud computing is that when your business demands drop, you can easily scale down computing resources and reduce your cloud spending. ?But what will happen to your data when you decommission virtual servers? Will they be discarded?

You might want your data to be retained up to a certain period. On the other hand, you might also want them to be deleted immediately. Ask about the provider’s data deletion/data retention policies and see if they are in line with yours.

9. What will happen to my data if I decide to close my account?

There might come a time when you’ll want to terminate your contract with your cloud provider. Just like in issue #8, you’ll want to find out more about data deletion/data retention policies.

Although some providers can give you detailed answers, many of these answers can include a lot of technical jargon that can leave you totally confused. If you want someone you can trust to:

  • simplify those answers;
  • help you pick the right cloud service provider, and
  • even make sure cloud security is really upheld once your cloud engagement is ?under way

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Check our similar posts

How the Dodd-Frank Act affects Investment Banking

The regulatory reform known as the Dodd-Frank Act has been hailed as the most revolutionary, comprehensive financial policy implemented in the United States since the years of the Great Depression. Created to protect consumers and investors, the Dodd-Frank Act is made up of a set of regulations and restrictions overseen by a number of specific government departments. As a result of this continuous scrutiny, banks and financial institutions are now subject to more-stringent accountability and full-disclosure transparency in all transactions.

The Dodd-Frank Act was also created to keep checks and balances on mega-giant financial firms that were considered too big to crash or default. This was especially deemed crucial after the collapse of the powerhouse financial institution Lehman Brothers in 2008. The intended result is to bring an end to the recent rash of bailouts that have plagued the U.S. financial system.

Additionally, the Dodd-Frank Act was created to protect consumers from unethical, abusive practices in the financial services industry. In recent years, reports of many of these abuses have centered around unethical lending practices and astronomically-high interest rates from mortgage lenders and banks.

Originally created by Representative Barney Frank, Senator Chris Dodd and Senator Dick Durbin, the Dodd-Frank Wall Street Reform and Consumer Protection Act, as it is officially called, originated as a response to the problems and financial abuses that had been exposed during the nation’s economic recession, which began to worsen in 2008. The bill was signed into law and enacted by President Obama on July 21, 2010.

Although it may seem complicated, the Dodd-Frank Act can be more easily comprehended if broken down to its most essential points, especially the points that most affect investment banking. Here are some of the component acts within the Dodd-Frank Act that directly involve regulation for investment banks and lending institutions:

* Financial Stability Oversight Council (FSOC): The FSOC is a committee of nine member departments, including the Securities and Exchange Commission, the Federal Reserve and the Consumer Financial Protection Bureau. With the Treasury Secretary as chairman, the FSOC determines whether or not a bank is getting too big. If it is, the Federal Reserve can request that a bank increase its reserve requirement, which is made up of funds in reserve that aren’t being used for business or lending costs. The FSOC also has contingencies for banks in case they become insolvent in any way.

? The Volcker Rule: The Volcker Rule bans banks from investing, owning or trading any funds for their own profit. This includes sponsoring hedge funds, maintaining private equity funds, and any other sort of similar trading or investing. As an exception, banks will still be allowed to do trading under certain conditions, such as currency trading to circulate and offset their own foreign currency holdings. The primary purpose of the Volcker Rule is to prohibit banks from trading for their own financial gain, rather than trading for the benefit of their clients. The Volcker Rule also serves to prohibit banks from putting their own capital in high-risk investments, particularly since the government is guaranteeing all of their deposits. For the next two years, the government has given banks a grace period to restructure their own funding system so as to comply with this rule.

? Commodity Futures Trading Commission (CFTC): The CFTC regulates derivative trades and requires them to be made in public. Derivative trades, such as credit default swaps, are regularly transacted among financial institutions, but the new regulation insures that all such trades must now be done under full disclosure.

? Consumer Financial Protection Bureau (CFPB): The CFPB was created to protect customers and consumers from unscrupulous, unethical business practices by banks and other financial institutions. One way the CFPB works is by providing a toll-free hotline for consumers with questions about mortgage loans and other credit and lending issues. The 24- hour hotline also allows consumers to report any problems they have with specific financial services and institutions.

? Whistle-Blowing Provision: As part of its plan to eradicate corrupt insider trading practices, the Dodd-Frank Act has a proviso allowing anyone with information about these types of violations to come forward. Consumers can report these irregularities directly to the government, and may be eligible to receive a financial reward for doing so.

Critics of the Dodd-Frank Act feel that these regulations are too harsh, and speculate that the enactment of these restrictions will only serve to send more business to European investment banks. Nevertheless, there is general agreement that the Dodd-Frank Act became necessary because of the unscrupulous behaviour of the financial institutions themselves. Although these irregular and ultimately unethical practices resulted in the downfall of some institutions, others survived or were bailed out at the government’s expense.

Because of these factors, there was more than the usual bi-partisan support for the Dodd-Frank Act. As a means of checks and balances, the hope is that the new regulations will make the world of investment banking a safer place for the consumer.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
Keys to Successful Matrix Management

Matrix management, in itself, is a breakthrough concept. In fact, there are a lot of organizations today that became successful when they implemented this management technique. However, there are also organizations that started it but failed. And eventually abandoned it in the end.

Looking at these scenarios, we can say that when you implement matrix management in your organisation, two things can happen – you either succeed or fail. And there?s nothing in between. The truth is, the effectiveness of matrix management lies in your hands and in your implementation. To ensure that you achieve your desired results, recognise these essential keys to successful matrix management.

Establish Performance Goals and Metrics

This should be done as soon as the team is formed, at the beginning of the year or during the process of setting organisational objectives. Whenever it is, the most important thing is that each team player understands the objectives and metrics to which their performances will be evaluated. This ensures that everyone is looking at the same set of objectives as they carry out their individual tasks.

Define Roles and Responsibilities

One pitfall of matrix management is its internal complexity. Awareness of this limitation teaches you to clearly define the roles and responsibilities of the team players up front. Basically, there are three principal sets of roles that should be explained vividly ? the matrix leader, matrix managers and the matrixed employees. It is important to discuss all the possible details on these roles, as well as their specific responsibilities, to keep track of each other?s participation in the projects of the organisation.

One effective tool to facilitate this discussion is through the RACI chart – Who is Responsible? Who is Accountable? Who should be Consulted? Who will Implement? With this, clarification of roles and responsibilities would be more efficient.

When roles are already clearly defined, each participant should review their job descriptions and key performance metrics. This is to make sure that the roles and responsibilities expected of you integrates consistently with your job in the organisation, as a whole.

Manage Deadlines

In matrix management, the employees report to several managers. They will likely have multiple deadlines to attend to and accomplish. There might even be conflicts from one deadline to another. Hence, each should learn how to schedule and prioritise their tasks. Time management and action programs should be incorporated to keep the grace under pressure.

Deliver Clear Communication

Another pitfall of matrix management is heightened conflict. To avoid unrealistic expectations, the matrix leaders and managers should communicate decisions and information clearly to their subordinates, vice versa. It would help if everyone will find time to meet regularly or send timely reports on progress.

Empower Diversity

Knowledge, working styles, opinions, skills and talents are diverse in a matrix organisation. Knowing this fact, each should understand, appreciate and empower the learning opportunities that this diversity presents. Trust is important. Respect to each other?s opinions is vital. And acknowledgement of differing viewpoints is crucial.

The impetus of matrix management is the same ? mobilise the organisation’s resources and skills to cope with the fast-paced changes in the environment. So, maximise the benefits of matrix management as you consider these essential keys to its successful implementation.

IT Transformation Defined

Businesses depend on IT to effectively manage business processes and to provide products and services to clients. As IT technologies advance, it is crucial that businesses update their hardware to remain competitive. But businesses should do more than simply upgrade their servers and should really strive to effect IT transformation.

What is IT Transformation?

IT transformation is the ongoing process of changing the way that a company uses IT to better align it with current business goals. Through the IT transformation process, businesses try to determine whether they are meeting mission-critical benchmarks through the incorporation of new IT technologies for corporate transformation.

For example, if one of the current business concerns is whether the company can improve customer service, the IT system will need to evolve in such a way that improves customer service in a measurable way.

Successfully Aligning the Technology to Business Goals

In order to successfully align the IT system with business goals, it is important to understand the newly integrated technologies to understand how they can change business processes. If a new feature is intended to make the server more secure, the management should know exactly how the feature will improve the security of the server and whether the new implementation is redundant.

Once the business objectives have been identified, IT transformation is carried out by changing both the software and hardware used by the company. An example would be the growing trend of server migration to the cloud. Cloud computing is the growing trend of making files and data accessible from anywhere. If an organisation believes that it can improve productivity through a server cloud migration, it will need a way to test this.

The IT Transformation Process

Given that IT transformation is directly related to the core business, the IT transformation process must begin by identifying which aspects of the company must be changed. Then, the company must determine?IT services that could potentially be integrated into the business in a way that will help the company achieve benchmarks. After the key decision-makers understand the IT network well enough to effectively implement it, the company must efficiently manage the transformation process. Then, after the IT has been integrated, the company must have a system in place to measure business transformation in a numerical way.

For example, when assessing customer satisfaction, one effective strategy would be to distribute customer satisfaction surveys that ask customers to rate their experiences on a scale of one to ten. The company can then measure the results of the customer satisfaction survey to determine whether the new IT implementations are accomplishing their intended goals.

If the expected benchmarks are not being met, the next step in the IT transformation process is to determine if there is a specific reason for that. Is there a way that the feature can be better integrated to achieve desired business objectives? Are there other features that can help the company better achieve its goals?

Upgrading a network can be an expensive process and it is important to identify early on which options are the most likely to benefit the company’s bottom line.

Ready to work with Denizon?

Contact Us Today