9 Cloud Security Questions you need to ask Service Providers

Companies in Ireland and the UK who are considering cloud adoption might already have a general idea of the security risks inherent in cloud computing. However, since different providers may not offer the same levels of risk mitigation, it is important to know which providers can give sufficient assurance on cloud security.

Here are 10 cloud security questions to ask service providers vying for your attention.

1. Where will my data be located?

There are a variety of reasons why you will want to ask this question. One big reason is that there are certain countries that don’t have strict legislation (or any legislation at all) pertaining to cloud computing. In that case, the provider won’t be as motivated to apply high levels of risk mitigation.

So if your data is hosted off shore, then you might want to reconsider or at least conduct a deeper study regarding the security conditions there.

2. Do you have provisions for regulatory compliance?

Certain standards and regulations (e.g. PCI DSS and possibly the EU Data Protection Directive) have specific guidelines pertaining to data stored in the cloud. If your organisation is covered by any of these legislation, then you need to know whether your provider can help you meet requirements for compliance.

3. Who will have access to my data?

In a cloud environment, where your data is going to be managed by people who aren’t under your direct supervision, you’ll have to worry as much about internal threats as you would with external threats.

Therefore, you need to know how many individuals will have access to your data. You also need to know relevant information such as how admins and technicians with data access rights are screened prior to getting hired. You also need to determine what access controls are being implemented.

4. How is data segregated?

Since there will be other clients, you will want to know how your data is going to be segregated from theirs. Is there any possibility of an accidental or intentional data breach due to poor data segregation? Find out if your data is going to be encrypted and how strong the encryption algorithm is.

5. How will you support investigative activities?

Sometimes, even if strong cloud security measures are in place, a data breach can still happen. If it does happen, the provider should have ways to track each user/administrator’s activity that can sufficiently support a detailed data forensics investigation.

Find out whether logs are being kept and how detailed they are.

6. Are we protected by a Disaster Recovery/Business Continuity plan? How?

Don’t be fooled by sales talk of 100% up-time. Even the most robust cloud infrastructures can suffer outages too. But the important thing is that, when they do fail, they should be able to get up and running in the soonest time possible.

Don’t just ask about their guaranteed RPOs and RTOs. Find out whether your data and applications will be replicated across multiple sites. Unless the provider says they will be, you need to find a provider with a better infrastructure.

7. Can I get copies of my VMs?

In a cloud infrastructure, your servers are actually in the form of files known as virtual machines (VMs). Because VMs are just files, they should be easily copied. There may be issues though, like the VMs might be stored in a not-so-popular proprietary format. Another possible issue is that the provider may simply not allow copying.

Having copies of your VMs can be useful should you later on decide to transfer to another provider or even duplicate your cloud infrastructure on your own.

8. What will happen to my data when I scale down?

One outstanding benefit of cloud computing is that when your business demands drop, you can easily scale down computing resources and reduce your cloud spending. ?But what will happen to your data when you decommission virtual servers? Will they be discarded?

You might want your data to be retained up to a certain period. On the other hand, you might also want them to be deleted immediately. Ask about the provider’s data deletion/data retention policies and see if they are in line with yours.

9. What will happen to my data if I decide to close my account?

There might come a time when you’ll want to terminate your contract with your cloud provider. Just like in issue #8, you’ll want to find out more about data deletion/data retention policies.

Although some providers can give you detailed answers, many of these answers can include a lot of technical jargon that can leave you totally confused. If you want someone you can trust to:

  • simplify those answers;
  • help you pick the right cloud service provider, and
  • even make sure cloud security is really upheld once your cloud engagement is ?under way

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Check our similar posts

How to Reduce Costs when Complying with SOX 404

Section 404 contains the most onerous and most costly requirements you’ll ever encounter in the Sarbanes-Oxley Act (SOX). In this article, we?ll take a closer look at the salient points of this contentious piece of legislation as it relates to IT. We?ll also explain why companies are encountering difficulties in complying with it.

Then as soon as we’ve tackled the main issues of this section and identify the pitfalls of compliance, we can then proceed with a discussion of what successful CIOs have done to eliminate those difficulties and consequently bring down their organisation’s IT compliance costs. From this post, you can glean insights that can help you plan a cost-effective way of achieving IT compliance with SOX.

SOX 404 in a nutshell

Section 404 of the Sarbanes-Oxley Act, entitled Management Assessment of Internal Controls, requires public companies covered by the Act to submit an annual report featuring an assessment of their company?s internal controls.

This ?internal control report? should state management’s responsibility in establishing/maintaining an adequate structure and a set of procedures for internal control over your company?s financial reporting processes. It should also contain an assessment of the effectiveness of those controls as of the end of your most recent fiscal year.

Because SOX also requires the public accounting firm that conducts your audit reports to attest to and report on your assessments, you can’t just make baseless claims regarding the effectiveness of your internal controls. As a matter of fact, you are mandated by both SEC and PCAOB to follow widely accepted control frameworks like COSO and COBIT. This framework will serve as a uniform guide for the internal controls you set up, the assessments you arrive at, and the attestation your external auditor reports on.

Why compliance of Section 404 is costly

Regardless which of the widely acceptable control frameworks you end up using, you will always be asked to document and test your controls. These activities can consume a considerable amount of man-hours and bring about additional expenses. Even the mere act of studying the control framework and figuring out how to align your current practices with it can be very tricky and can consume precious time; time that can be used for more productive endeavours.

Of course, there are exceptions. An organisation with highly centralised operations can experience relative ease and low costs while implementing SOX 404. But if your organisation follows a largely decentralised operation model, e.g. if you still make extensive use of spreadsheets in all your offices, then you’ll surely encounter many obstacles.

According to one survey conducted by FEI (Financial Executives International), an organisation that carried out a series of SOX-compliance-related surveys since the first year of SOX adoption, respondents with centralised operations enjoyed lower costs of compliance compared to those with decentralised operations. For example, in 2007, those with decentralised operations spent 30.1 % more for compliance than those with centralised operations.

The main reason for this disparity lies in the disorganised and complicated nature of spreadsheet systems.

Read why spreadsheets post a burden when complying with SOX and other regulations.

Unfortunately, a large number of companies still rely heavily on spreadsheets. Even those with expensive BI (Business Intelligence) systems still use spreadsheets as an ad-hoc tool for data processing and reporting.

Because compliance with Section 404 involves a significant amount of fixed costs, smaller companies tend to feel the impact more. This has been highlighted in the ?Final Report of the Advisory Committee on Smaller Public Companies? published on April 23, 2006. In that report, which can be downloaded from the official website of the US Securities and Exchange Commission, it was shown that:

  • Companies with over $5 Billion revenues spent only about 0.06% of revenues on Section 404 implementation
  • Companies with revenues between $1B – $4.9B spent about 0.16%
  • Companies with revenues between $500M – $999M spent about 0.27%
  • Companies with revenues between $100M – $499M spent about 0.53%
  • Companies with revenues less than $100M spent a whopping 2.55% on Section 404

Therefore, not only can you discern a relationship between the size of a company and the amount that the company ends up spending for SOX 404 relative to its revenues, but you can also clearly see that the unfavourable impact of Section 404 spending is considerably more pronounced in the smallest companies. Hence, the smaller the company is, the more crucial it is for that company to find ways that can bring down the costs of Section 404 implementation.

How to alleviate costs of section 404

If you recall the FEI survey mentioned earlier, it was shown that organisations with decentralised operations usually ended up spending more for SOX 404 implementation than those that had a more centralized model. Then in the ?Final Report of the Advisory Committee on Smaller Public Companies?, it was also shown that public companies with the smallest revenues suffered a similar fate.

Can we draw a line connecting those two? Does it simply mean that large spending on SOX affects two sets of companies, i.e., those that have decentralised operations and those that are small? Or can there be an even deeper implication? Might it not be possible that these two sets are actually one and the same?

From our experience, small companies are less inclined to spend on server based solutions compared to the big ones. As a result, it is within this group of small companies where you can find a proliferation of spreadsheet systems. In other words, small companies are more likely to follow a decentralised model. Spreadsheets were not designed to implement strict control features, so if you want to apply a control framework on a spreadsheet-based system, it won’t be easy.

For example, how are you going to conduct testing on every single spreadsheet cell that plays a role in financial reporting when the spreadsheets involved in the financial reporting process are distributed across different workstations in different offices in an organisation with a countrywide operation?

It’s really not a trivial problem.

Based on the FEI survey however, the big companies have already found a solution – employing a server-based system.

Typical server based systems, which of course espouse a centralised model, already come with built-in controls. If you need to modify or add more controls, then you can do so with relative ease because practically everything you need to do can be carried out in just one place.

For instance, if you need to implement high availability or perform backups, you can easily apply redundancy in a cost-effective way – e.g. through virtualisation – if you already have a server-based system. Aside from cost-savings in SOX 404 implementation, server-based systems also offer a host of other benefits. Click that link to learn more.

Not sure how to get started on a cost-effective IT compliance initiative for SOX? You might want to read our post How To Get Started With Your IT Compliance Efforts for SOX.?

Article 8 of the EU Energy Efficiency Directive ? Orientation

Following in-depth discussion of the UK?s ESOS response, we decided to backtrack to the source, especially since every EU member is facing similar challenges. The core purpose of the directive is to place a pair of obligations on member states. These are

  1. To promote the availability of energy audits among final customers in all sectors, and;
  2. To ensure that enterprises that are not SMEs carry out energy audits at least every four years.

Given the ability for business to look twice at every piece of legislation it considers unproductive, the Brussels legislators took care to define what constitutes an enterprise larger than an SME.

Definition of a Large Undertaking

A large undertaking meets one or both of the following conditions:

  1. It employs 250 or more people
  2. Its annual turnover is more than ?50 million and its balance sheet total exceeds ?43 million

Rules for Energy Audits

If accredited / qualified in-house specialists are unavailable then independent experts should supervise audits. The talent shortage seems common to many EU businesses. In hindsight, the Union could have ramped up slower, especially since the first compliance date of 5 December 2015 does not leave much swing room.

ecoVaro doubts there was a viable alternative, given the urgent imperative to beat back the scourge of carbon that is threatening the viability of our planet. The legislators must have been of a similar mind when laying down the guidelines. Witness for example the requirement that penalties be ?effective, proportionate and dissuasive?.

In order to be compliant, an energy audit must

  1. Be based on twelve months of verifiable data that is
    • over a continuous period beginning no more than 24 months before the beginning of the energy audit, and;
    • identifies energy saving opportunities including paths to their achievement
  2. Analyse the participant’s energy consumption and energy efficiency
  3. Have not been used as the basis for an energy audit in a previous compliance period

Measurement of current status and progress tracing are at the core of energy saving and good governance generally. EcoVaro has a powerhouse of software tools available on the cloud to help project teams save time and money.

What are Operational Reviews

Faced with growing competition, businesses continually need to find new innovative solutions and ideas to improved organizational performance, especially in various cut-throat industries where innovation and good management can make or break the company.

This is the reason why, businesses place greater emphasis on the evaluation of efficiency, effectiveness, and economics of its operations.

Conducting regular Operational Reviews are key to keeping your company at peak performance.

What is an Operational Review

An operational review is an in-depth and objective review of an entire organization or a specific segment of that organization. It can be used to identify and address existing concerns within your company such as communication issues between departments, problems with customer relations, operating procedures, lack of profitability issues, and other factors that affect the stability of the business.

Operational reviews allow the organization members to evaluate how well they are performing, given that they perform appropriately according to the procedures set by them, allocating their resources properly, and performing such tasks within time frame set and using cost-effective measures. More importantly, it also shows your company how well it is prepared to meet future challenges.

What are the objectives of an Operational Review

The goals of an operational review are to increase revenue, improve market share, and reduce cost.

An operational review allows the management to see their company in a different light i.e a larger perspective. That is, it gives the management the opportunity to evaluate if the entrusted resources were used wisely to achieve the desired results of operations.

Operational reviews provide a comprehensive assessment of authority in that they help define expectations, and empower people within an organization to enact? up on it. This is due feedback provided will help them to better gauge the value of tasks performed and whether the job is being done the right or wrong way, and on what areas the company can excel and improve on.

The whole is greater than the sum of its parts

Questions worth considering in an Operational Review

Are you able to view your own organization as a whole from an objective angle?

Do the different departments complement each other so that they form a cohesive unit that boosts your business in the right direction?

With our comprehensive assessment of your organization?s current systems, operations, processes, and strategies, our operational review programs aim to help you in achieving these lofty goals: to improve business profitability and identify incompetence in both operations and organizational systems.

Benefits of an Operational Review

The main objective of an operational review is to help organizations like yours to learn how to deal with and address issues, instead of simply reacting to the challenges brought about by growth and change.

Information and data gathered in an Operational Review is practical from both a financial and operational perspective. Using? data, management can then formulate recommendations, which are not only realistic, but more importantly, can help the organization achieve its goals.

The Operational Review recognizes the extent to which your internal controls actually work, and enables you to identify and understand your strengths, weaknesses, opportunities and threats.

What should be included in an operational review

  • Assess compliance within your own organizational objectives, policies and procedures
  • Evaluate specific company operations independently and objectively
  • Impartial assessment regarding the effectiveness of an organization’s control systems
  • Identify the appropriate standards for quantifying achievement of organizational objectives
  • Evaluate the reliability and value of the company’s management data and reports
  • Pinpoint problem areas and their underlying causes
  • Identify opportunities to increase profit, augment revenue, and reduce costs without sacrificing the quality of the product or service.

More Operational Review Blogs

 

Carrying out an Operational Review

 

Operational Reviews

 

Operational Efficiency Initiatives

 

Operational Review Defined

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Ready to work with Denizon?

Contact Us Today