9 Cloud Security Questions you need to ask Service Providers

Companies in Ireland and the UK who are considering cloud adoption might already have a general idea of the security risks inherent in cloud computing. However, since different providers may not offer the same levels of risk mitigation, it is important to know which providers can give sufficient assurance on cloud security.

Here are 10 cloud security questions to ask service providers vying for your attention.

1. Where will my data be located?

There are a variety of reasons why you will want to ask this question. One big reason is that there are certain countries that don’t have strict legislation (or any legislation at all) pertaining to cloud computing. In that case, the provider won’t be as motivated to apply high levels of risk mitigation.

So if your data is hosted off shore, then you might want to reconsider or at least conduct a deeper study regarding the security conditions there.

2. Do you have provisions for regulatory compliance?

Certain standards and regulations (e.g. PCI DSS and possibly the EU Data Protection Directive) have specific guidelines pertaining to data stored in the cloud. If your organisation is covered by any of these legislation, then you need to know whether your provider can help you meet requirements for compliance.

3. Who will have access to my data?

In a cloud environment, where your data is going to be managed by people who aren’t under your direct supervision, you’ll have to worry as much about internal threats as you would with external threats.

Therefore, you need to know how many individuals will have access to your data. You also need to know relevant information such as how admins and technicians with data access rights are screened prior to getting hired. You also need to determine what access controls are being implemented.

4. How is data segregated?

Since there will be other clients, you will want to know how your data is going to be segregated from theirs. Is there any possibility of an accidental or intentional data breach due to poor data segregation? Find out if your data is going to be encrypted and how strong the encryption algorithm is.

5. How will you support investigative activities?

Sometimes, even if strong cloud security measures are in place, a data breach can still happen. If it does happen, the provider should have ways to track each user/administrator’s activity that can sufficiently support a detailed data forensics investigation.

Find out whether logs are being kept and how detailed they are.

6. Are we protected by a Disaster Recovery/Business Continuity plan? How?

Don’t be fooled by sales talk of 100% up-time. Even the most robust cloud infrastructures can suffer outages too. But the important thing is that, when they do fail, they should be able to get up and running in the soonest time possible.

Don’t just ask about their guaranteed RPOs and RTOs. Find out whether your data and applications will be replicated across multiple sites. Unless the provider says they will be, you need to find a provider with a better infrastructure.

7. Can I get copies of my VMs?

In a cloud infrastructure, your servers are actually in the form of files known as virtual machines (VMs). Because VMs are just files, they should be easily copied. There may be issues though, like the VMs might be stored in a not-so-popular proprietary format. Another possible issue is that the provider may simply not allow copying.

Having copies of your VMs can be useful should you later on decide to transfer to another provider or even duplicate your cloud infrastructure on your own.

8. What will happen to my data when I scale down?

One outstanding benefit of cloud computing is that when your business demands drop, you can easily scale down computing resources and reduce your cloud spending. ?But what will happen to your data when you decommission virtual servers? Will they be discarded?

You might want your data to be retained up to a certain period. On the other hand, you might also want them to be deleted immediately. Ask about the provider’s data deletion/data retention policies and see if they are in line with yours.

9. What will happen to my data if I decide to close my account?

There might come a time when you’ll want to terminate your contract with your cloud provider. Just like in issue #8, you’ll want to find out more about data deletion/data retention policies.

Although some providers can give you detailed answers, many of these answers can include a lot of technical jargon that can leave you totally confused. If you want someone you can trust to:

simplify those answers;
help you pick the right cloud service provider, and
even make sure cloud security is really upheld once your cloud engagement is ?under way

Contact Us

(+353)(0)1-443-3807 – IRL
(+44)(0)20-7193-9751 – UK

Check our similar posts

Shared Services ? Are They A Good Idea

Things happen fast in business and we need to stay on top. It does not seem long ago that some enterprises were still hands-on traders or artisans with a few youngsters to help out. People like that did not do admin and their accounting was a matter of making sure there was enough money in the jar.

When Wal-Mart’s Sam Walton took over his first shop in 1945 things had moved on from there, although he did still deal directly with his customers. When he died his legacy was 380,000 jobs, and a business larger than most economies. So there?s plenty we can learn from how he grew his business.

One of Sam?s secrets was his capacity to centralise what needed gathering together, while empowering store managers to think independently when it came to local conditions. His regional warehouses had individual outlets clustered around them within one day?s drive each. This shared service eliminated 90% of safety stock and released capital for expansion.

Wal-Mart took sharing services a step further in February 2006, when it centralised accounts payable, accounts receivable, general accounting and human resources administration at Wal-Mart Stores and Sam?s Clubs in the U.S. and Puerto Rico. The objective was to bring costs down, while allowing local managers more time to focus on their business plans and other initiatives. As a further spin-off, Wal-Mart was able to integrate its data on a single SAP platform and eliminate significant roadblocks.

This is an excellent example of sharing services by creating own centres of excellence.? Of course, this is not the only business possibility. Other corporates have successfully completely outsourced their support activities, and Wal-Mart has no doubt had a variety of similar offers too. But, is the Wal-Mart picture entirely rosy, or is there a catch?

The Association of Chartered Certified Accountants has indicated that top talent may be the loser globally. This is because the Wal-Mart model removes many challenges through standardisation, and offers less scope for internal promotion as a result. Language and cultural differences may also have a long-term detrimental effect on the way the departments work well together.

Local outsourcing ? this is the business model where several firms engage a shared service provider independently- may hence prove to be a more malleable option for smaller companies. It often makes more sense to hunt down made-to-order services. Offerings such as the professional support we offer on this site.

The Rights of Individuals Under The General Data Protection Regulation

The General Data Protection Regulation or GDPR is a European Union law reinforcing the rights of citizens concerning the confidentiality of their information, and confirming that they own it. We thought it would be interesting to examine the GDPR effective 25 May 2018 from an Irish citizen?s perspective. This article is a summary of information on the Data Protection Commissioner?s website, but as viewed through a businessperson?s lens.

How the Office Defines Data Protection

The Office believes that organisations receiving personal details have a duty to keep them private and safe. This applies inter alia to information that individuals supply to government, financial institutions, insurance companies, medical providers, telecoms services, and lenders. It also applies to information provided when they open accounts.

This information may be on paper, on computers, or in video, voice, or photographic records. The true owners of this information, the individuals have a right:

To make sure that it is factually correct
To the assurance that it is shared responsibly
That all with access only use it for stated purposes

Any organisation requesting personal information must state who they are, what the information is for, why they need to have it, and to whom else they may provide it.

Consumer Rights to Access Their Personal Information

Private persons have a right under the GDPR to a copy of all their information held or processed by a business. The regulation refers to such businesses as ?data controllers? as opposed to owners, which is interesting. They have to provide both paper and digital data, and ‘related information?.

Data controller fees for this are discretionary within limits. The request may be denied under certain circumstances. The data controller may release information about children to parents and guardians, only if it considers a minor too young to understand its significance. Other third parties such as attorneys must prove they have consent.

Consumer Rights to Port Their Data to Different Services

Since the personal information belongs to the individual, they have a right not only to access it, but also to copy or move it from one digital environment to another. The GDPR requires this be ?in a safe way, without hindrance to usability?. An application could be a banking client that wants to upload their transaction history to a third party price comparison website.

However, the right to data portability only applies to data originally provided by the consumer. Moreover, an automated method must be available for porting. Data controllers must release the information in an open format, and may not charge for the porting service.

Consumer Rights to Complain About Personal Data Abuse

Individuals have a right under the General Data Protection Regulation to have their information rectified if they discover errors. This right extends to an assurance that third parties know about the changes – and who these third party entities are. Data controllers must respond within one month. If they decline the request, they must inform the complainant of their right to further remedial action.

If a data controller refuses to release personal information to the owner, or to correct errors, then the Data Protection Office has legal power to enforce the consumer?s rights. The complainant must make full disclosure of the history of their complaint, and the steps they have taken themselves to attempt to set things right.

Further Advice on Getting Things Ready for 25 May 2018

The General Data Protection Regulation has the full force of law from 25 May 2018 onward, and supersedes all applicable Irish laws, regulations, and policies from that date. We recommend incorporating rights of data owners who are also your customers into your immediate plans. We doubt that forgetting to do so will cut much sway with the Data Commissioner. Remember, you have one month to respond to consumer requests, and only one more month to close things out subject to the matter being complex.

Excel Spreadsheet Conversion to SQL Reports

Spreadsheets are flexible, inexpensive and easy to use. They are especially handy when it comes to beating report submission deadlines or making impromptu data computations.

Unfortunately, organisations heavy reliance on spreadsheets have made these User Developed Applications (UDA) into high-risk office tools. Simple spreadsheet errors like leaving out a negative sign or a cut-and-paste mistake have already caused million-dollar discrepancies. Also, when a fraudulent employee enters into the picture, the risks become unimaginable.
Think TransAlta’s spreadsheet cut-and-paste glitch (the company later called this a ‘simple clerical error’) which caused the energy firm a whopping $24 million loss or Fidelity’s overstatement of its earnings owing to the omission of the minus sign on the spreadsheet of a $1.3 billion net capital loss.

Denizon can convert your Excel Spreadsheets to a web based SQL Server Reporting Services (SSRS). It does not import Excel data, rather it allows the creation and deployment of reports in a more efficient manner by querying the data.

So what is the problem with Spreadsheets?

Plagued with risk issues and vulnerable to fraud
Lacking in control features especially when copied, edited and emailed between many users
A burden to regulation compliance e.g. SOX (Sarbanes-Oxley)

Moreover:

Accidental copy-paste/Omission of a negative sign/Erroneous range selection
Incorrect data input or unintentional deletion of a character, cell, range, column, or row
Possibility of the user working on the wrong version
Prone to inconsistent company-wide reporting
Often ‘defenceless’ against unauthorised access

See Top 10 Disadvantages of Spreadsheets

What makes SQL Server Reporting Services better than Spreadsheets?

Free from spreadsheet risks & equipped with built-in controls that substantially reduce risks to data
Less prone to fraud
More suitable for regulatory compliance e.g. SOX
Designed for an agile business environment

Automatic consolidation eliminates errors and wasted time caused by tedious copy-pasting of data and linking of cells
Better collaboration capabilities allows team members to bring their heads together for planning, budgeting, and reporting even while on the go
Mobility support enables users to input data or retrieve information through their wireless mobile device

Superior sharing features ensures that everyone is exactly on the same page and viewing real-time information
Dashboards provide insightful information at-a-glance through KPIs, graphs, and various metrics
Drill-downs enable users to investigate unusual figures and gain a better understanding of the details that contribute to the big picture
Easy to learn interfaces allow your organisation to cope with fast personnel turnaround or Mergers & Acquisitions

Don’t know how to shift from Spreadsheets to SQL Server Reporting Services?

We’ve got the knowledge and expertise to assist you in:

Making a smooth and cost-efficient transition from risky spreadsheets to reliable reports
Designing and implementing SOX-compliant report-generating methods and procedures
Putting exposure to high-risk reporting methods a thing of the past