Questions for your cloud provider


Using cloud systems can occasionally appear as a business panacea to the unwary, but failing to do proper research and due diligence before taking the plunge with any given provider can store up problems for the future. Organisations must be sure that the services they think they pay for and what they're actually getting match up, before any money changes hands.

Organisations going 'cloudy' for the first time, in particular, run the risk of assuming certain things aren't in the contract because they "go without saying": there will be backup, there will be industrial-strength security, there will be a failsafe if something goes wrong. The problem is there's no provision in law for outsourcing responsibilities, so governance is crucial. Alex Hilton, chief executive of the Cloud Industry Forum, has a whole set of concerns about this.

"It's essential, upon entering a partnership with a cloud service provider (as effectively it is a partnership more than a basic supplier relationship), to know from the outset how the customer ensures effective governance throughout the contract and what will happen at the end of the agreement, whether it is as a result of the end of the term or a forced premature end," he tells IT Pro. "Key consideration has to be given to the 'rules' around the data from the outset."

Hilton cites security and what happens in a breach as key examples. He believes businesses must know what happens if data protection obligations are unclear and, as a result, where their data is stored and in what format. It's also worth organisations determining whether disaster recovery and related tasks would incur extra charges.

Safety first

Security is also, understandably, the primary concern of the Business Fraud Prevention Partnership. Managing director Edward Whittingham, a former policeman, says it's vital to gain an understanding of security measures before signing on the dotted line. "This should include querying the specific physical security measures they have in place to protect the data (firewalls, DDoS protection, etc), as well as what the storage specifications are but, crucially, it's important to gain a detailed understanding as to the security culture of that organisation."

It's about more than pure technology, he suggests. "Ultimately, any potential cloud vendor needs to share the same security culture as the prospective buyer given that they will typically be hosting business-critical data or data belonging to the buyer's customers," says Whittingham. "In addition to knowing the basics about physical security of each potential vendor, I recommend seeking an understanding as to whether the cloud provider conducts any employee security awareness training, simulated phishing exercises and what their information security policies consist of. Any vendor worth their salt ought to be providing security awareness training to their employees, as we have seen first-hand some cloud providers adopting very serious bad practice in relation to password management, email safety and the like.

"It's also perfectly reasonable to query cloud providers about what measures they've undertaken in respect of GDPR as this must form part of your own data auditing process, so you will want to be content that they're up to the job and will be compliant when it comes into effect in May. If the cloud provider isn't willing to share any of this information, then they are unlikely to be the provider for you."

It's also useful to know how much downtime has been experienced in the previous 24 months. Rod Vermeulen, cloud manager of software and cloud licensing firm Comparex, suggests asking how long it has taken them to carry out repairs when there is an issue and whether this is built into a contractual SLA. "Inferior cloud performance, whether high network latency or application processing delays, not only negatively impacts the user experience, but also costs time and money. The 'time-to-repair' can vary; it could be up to 30 hours in some cases, depending on what level of SLA a company is under. It's possible to speed up the 'time-to-repair', but it comes at a price."

Scrutiny and certification

The difficulty is that although it feels as though the technology is well established, there are many new players, as the Cloud Industry Forum's Hilton points out. "As with all new markets, especially rapidly growing ones, there are entrants who are credible, well-intentioned, capable and professional," he says. "Unfortunately there are also those that are looking to make a quick profit and whose public claims will not pass the test of scrutiny."

So what do you ask when you want to apply that sort of scrutiny? "This is where standards have a significant role to play," he says. "Organisations need reliable, consistent and clear information around what the service providers do and don't offer. They also need to know what process and operational substance there is behind these providers and what assurances are in place to deliver service levels and effective security.

"Certification schemes, such as that operated by the Cloud Industry Forum and our Code of Practice, aim to cast light on these key areas of concern to equip end users with the information that they need to be able to make rational and informed choices about their adoption of cloud services alongside, or in replacement of, any on-premise capabilities."

The cloud can be an excellent means of meeting these needs in a cost-effective and secure way, but only when the end client is confident it has the right partner. A few tough questions make a good start.

Main image credit: IT Pro