Cloud service provider due-diligence


Before signing up with a cloud hosting or backup service provider, it is important to determine which supplier best meets your needs. Here are some suggested questions to ask that will help you decide.

Please note that this is not an exhaustive list – it is to help get you started – make sure you tailor it to your organisation’s requirements.

Data location

  1. Where will my data be located?
  2. Do you distribute your systems or load balance in such a way that my data could reside in a different jurisdiction? If so, where are these jurisdictions?
  3. If you perform backups, where is the location of the backup storage site?

For more information about data jurisdiction and why it matters, see the separate article on that topic.

Security of your data

You must ensure that the service provider will protect your data. The security of your backups needs to at least match the security you place around your client data. Imagine you want to steal a company’s data: targeting the backup media would be so much easier than trying to hack into individual systems and copy data from each of them.

As a real-life reminder of this, in August 2010 the UK’s Financial Services Authority (FSA) hit the UK arm of Zurich Insurance with a record £2.275 million fine for the loss of a backup data tape containing the details of 46,000 clients.

  1. Describe the physical security of your data centres.
  2. Is my data encrypted on your systems?
  3. What level of encryption is used?
  4. Who can decrypt it and who has access to the decryption keys?
  5. Who has access to my data?
  6. Are your backups encrypted when stored on media?
  7. What level of encryption is used for the backup media?
  8. For the backup media, who can decrypt it and who has access to the decryption keys?
  9. Is the backup media securely stored in a site other than the live hosting site?
  10. Where is the location of the backup media storage?
  11. Does the site used for backup media storage have the same physical and logical security as the live hosting sites?
  12. If the backups are transported from one site to another (such as a courier), what physical security is used?
  13. If my backups are transmitted to another site, are they encrypted during transmission?
  14. What level of transport encryption is used?

Service continuity

  1. What are your business continuity and disaster recovery strategies?
  2. How many different power sources supply your hosting site?
  3. Do you have UPS protection with automatic cut-in in the event of a power failure?
  4. Do you have generator protection with automatic cut-in in the event of a power failure?
  5. How often do you test the UPS and generator?
  6. When was the last time your hosting site suffered a complete loss of power?
  7. When was the last time that one of your clients suffered an outage due to the loss of power?
  8. Do you have an alternative hosting site that you can automatically switch to in the event of an issue?
  9. How many different and diversely routed Internet connections do you have?
  10. In the event of an Internet service provider’s connection failing, can all your services be provided over the other Internet connection(s)?
  11. When was the last time your hosting site suffered a complete loss of Internet connectivity?
  12. When was the last time that one of your clients suffered an outage due to the loss of Internet connectivity?
  13. Is your Internet connectivity protected from DoS or DDoS attacks?
  14. Have you experienced a DoS or DDoS attack, and how were your clients impacted?
  15. If your service (including your hosted clients and applications) is attacked/hacked in any way, how quickly do you inform me and how is it reported?

Backup related questions

  1. Are your systems backed up?
  2. Is my data backed up? (This may seem like a bizarre question, but if your provider suffers a major systems failure, you could lose the backups that you need for legal or regulatory purposes).
  3. How often is my data backed up?
  4. What is the backup retention policy?
  5. Can I determine the backup retention policy of my data?
  6. What media is it backed up to? (Remember this could be disk-to-disk).
  7. If backup is to disk, is this storage on completely separate infrastructure and in a different location to the hosting service? (This question applies if you are considering a backup service from the same hosting provider).
  8. How often do you test recovering your systems from backup media?
  9. How often do you test restoring data from backup media?
  10. Can I copy my backups to an external source?
  11. Can I perform an ad-hoc backup when I need to? (For example, before a significant system change).
  12. Can I restore an individual object (such as a file) from a backup?
  13. Are ‘open file’ backups supported?
  14. Are my e-mail system(s) supported?
  15. Are the database(s) that I use supported?
  16. Do you support incremental backups?
  17. Can I select whether I perform a full or incremental backup?
  18. If a send/receive of data to/from you should fail, is there a ‘resume from failure point’ option, or will the transfer start again from the beginning?
  19. Who has access to my backed-up data?

Accessing data

  1. How do I send you my data in order to get started?
  2. What level of transport encryption is used?
  3. How do I access my backed-up data?
  4. How quickly can I get access to my backed-up data?
  5. Do you object to my company or an independent technical auditor validating the backups on a regular basis?
  6. If necessary, is it possible to transport large backups on physical media to aid a fast recovery?
  7. Is it possible to perform data mining on my backup data (for example in legal data discovery), or do I need to restore it to my systems first?

Cost of service

  1. How do you charge for the hosting service?
  2. How do you charge for the backup service? (Make sure you calculate the likely tariffed cost for the service, taking into account your data volumes, backup frequency and retention period).
  3. Is there a charge for each system I back up from (for example, for backup agent software)?
  4. Is there a charge for accessing or restoring backed-up data?

General questions

  1. Are your services, and those of your sub-contractors/partners, SAS 70 compliant?
  2. Do I retain exclusive ownership of my data at all times, including after the end of a contract?
  3. Do you own and run your own data centres? If not, please give details of the underlying service provider.
  4. What accreditations does your organisation have?
  5. Has your organisation won any awards relevant to the service to be provided?
  6. What type of employee/contractor/services provider screening do you perform before you hire or contract with them?


And finally….

A key indicator of a provider’s service will be how they respond to your questions. If you have an open dialogue with them, it’s a good sign.

Remember that a supplier’s pre-sales service is nearly always better than their after-sales service, so if you’re not happy before you sign up, don’t do it!

CIOCOO - Resources for CIO and COO Professionals
© Copyright Tim Bullock 2010