Five Areas to Verify to Stay Safe in Your Cloud

Every company that takes on a new cloud project faces a number of considerations, including technology challenges such as data security, data placement and segregation, and coordination of data access, to name a few. Several other areas can cause a business to struggle with any type of cloud project, but today we'll consider only the following five.

Make sure your management does its due diligence and checks out the following five areas of scrutiny for cloud project safety, before these issues cause your management to suddenly cancel the relationship with your cloud provider.

  1. Data Access Management

    Some U.S. government data, personally identifiable information (PII), and medical health data is required to stay within U.S. jurisdiction and to be accessed only from within the U.S. Make sure your cloud provider can meet this requirement, and that the contract covers where the data resides physically and which laws govern its access. European country requirements are especially strict for data privacy and physical data location.

    Data location and access can be especially important when contemplating dual mirror sites, and determining backup and recovery requirements to make sure your data usage is in compliance and always accessible.

    Cloud contract termination clauses can also be interesting, depending on how your company would like to finish its cloud effort. Does the data need to be destroyed, returned, or archived for the transaction history? The policies and processes for data purge verification or data disposal need to be resolved before any actual data processing begins.

  2. Performance Availability

    Service level agreements can be negotiated in many different ways to customize them for your business, systems, and applications. Whether in a shared cloud or a dedicated cloud hardware environment, the minimum I/O rates, CPU utilization, and overall availability metrics need to be estimated, negotiated, and realized appropriately for your company and overall application performance.

    Do as much system, application, and capacity planning as possible ahead of time to determine the requirements for your cloud implementation before the contract is finalized. Your team needs to determine whether a shared cloud, virtualized environments, or private dedicated hardware is required. Analysis needs to determine the cloud environment configuration that gives your business the optimum path to meet its overall security, elastic growth, and performance goals.

  3. Levels of Security

    Security within the cloud infrastructure, your configuration, and the tools available for management are critical for any successful cloud implementation. The levels and layers of security within the cloud should be designed and detailed so that your company understands the firewalls, security roles and policies, encryption options, and forensic capabilities of the cloud environment.

    All of these components should be documented on the cloud provider side, and also on your company's host side if your cloud application interfaces with your home host systems. All PC and mobile client firewall requirements and authentication protocols should be designed for maximum client, cloud, and host security. Data governance documentation, auditing, and reporting requirements should be regularly scheduled events tied into your overall cloud effort, the cloud services contract, and client relationships.

  4. Service Level Agreement Penalties

    Disasters happen. Your cloud contract needs to outline the business continuity and disaster recovery notification, procedures, and processes should anything impact your cloud infrastructure. Recovery time objectives (RTO) along with recovery point objectives (RPO) need to be fully understood to assess the business risks and costs of uninterrupted cloud services.

    Also, governance, specialized hardware components, third-party software, and connectivity failures need to be fully defined to understand liabilities and business risks.

    Determining hardware upgrade, software maintenance, and recovery time objectives can be quite complex; each should be fully understood and tied to an availability promise. Make sure you understand which downtime events are included in a 99.9% uptime promise, which matters for today's global mobile application requirements.

    Agreed-upon, standardized monitoring that exposes the possible downtime situations is vital for understanding business application goals. The many different downtime scenarios need to be spelled out in a compensation model for immediate, deferred, or price-reduction reimbursement. Having the right SLA penalties in place helps motivate all parties and helps everyone understand the business value of the cloud application operations.
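    As an added illustration (not from the original post), the following Python turns a 99.9% uptime promise into a downtime budget, computes availability from constructed monitoring records, and looks up a hypothetical tiered credit; the incident records, the rule that contract-excluded maintenance does not count against the promise, and the penalty tiers are all assumptions.

```python
from datetime import datetime

# Constructed sample incident records for one 30-day month (not real monitoring data).
# Each record: (start, end, category). Only "unplanned" downtime counts against the
# availability promise; "maintenance" is assumed to be excluded by the contract.
INCIDENTS = [
    (datetime(2014, 8, 3, 2, 0), datetime(2014, 8, 3, 3, 30), "maintenance"),
    (datetime(2014, 8, 12, 14, 10), datetime(2014, 8, 12, 14, 35), "unplanned"),
    (datetime(2014, 8, 25, 9, 0), datetime(2014, 8, 25, 9, 40), "unplanned"),
]

# Hypothetical compensation tiers: (minimum availability %, credit as % of monthly fee).
PENALTY_TIERS = [(99.9, 0), (99.0, 10), (95.0, 25), (0.0, 50)]


def downtime_minutes(incidents, category="unplanned"):
    """Total minutes of downtime recorded in the given category."""
    return sum((end - start).total_seconds() / 60
               for start, end, cat in incidents if cat == category)


def allowed_downtime_minutes(promise_percent, days_in_period):
    """Downtime budget implied by an uptime promise, e.g. 99.9% over 30 days."""
    return days_in_period * 24 * 60 * (100.0 - promise_percent) / 100.0


def availability_percent(incidents, days_in_period):
    """Measured availability over the period, counting only unplanned downtime."""
    total_minutes = days_in_period * 24 * 60
    return 100.0 * (1 - downtime_minutes(incidents) / total_minutes)


def service_credit_percent(availability):
    """Credit owed under the hypothetical tiered compensation model."""
    for floor, credit in PENALTY_TIERS:
        if availability >= floor:
            return credit
    return PENALTY_TIERS[-1][1]


if __name__ == "__main__":
    measured = availability_percent(INCIDENTS, 30)
    print(f"99.9% over 30 days allows {allowed_downtime_minutes(99.9, 30):.1f} min of downtime")
    print(f"unplanned downtime: {downtime_minutes(INCIDENTS):.0f} min, "
          f"excluded maintenance: {downtime_minutes(INCIDENTS, 'maintenance'):.0f} min")
    print(f"measured availability: {measured:.3f}% -> credit {service_credit_percent(measured)}%")
```

    Note how 90 minutes of maintenance leaves the promise intact while 65 minutes of unplanned downtime already exceeds the 43.2-minute monthly budget, which is exactly the distinction the contract language has to make explicit.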

  5. Breach Procedures and Penalties

    Hopefully, security breaches are prevented, but the contract needs to cover your company's and the vendor's liabilities, establish notification thresholds and remediation procedures, and define the overall security processes. Some companies and cloud vendors offer hacking or breach insurance to cover the potential risks and liabilities. Unfortunately, the cost of that insurance continues to grow as breaches become more common.

This blog only touches on a few of the items that need to be covered in a cloud computing contract. Remember to involve the company's lawyers and walk them through the complex considerations, so that your specific industry governance issues, goals, and SLA requirements are covered effectively.


Dave Beulke is a system strategist, application architect, and performance expert specializing in Big Data, data warehouses, and high performance internet business solutions. He is an IBM Gold Consultant, Information Champion, and President of DAMA-NCR, former President of the International DB2 User Group, and a frequent speaker at national and international conferences. His architectures, designs, and performance tuning techniques help organizations better leverage their information assets, saving millions in processing costs.

I will be speaking at the Detroit, Cleveland and Columbus user group meetings in August. Below are the links to sign up for the meetings. I will be presenting "SQL Considerations for a Big Data 22 Billion Row Data Warehouse" and "Big Data Disaster Recovery Performance."


Also, as President of the DAMA-NCR Washington DC user group, I would like to announce DAMA Day, September 16, 2014. Great speakers with topics you need to know!

  • John Ladley – Using Enterprise Architecture to Manage Data Governance and Information Management
  • David Loshin – Establishing a Business Case for Data Quality Improvement
  • Catherine Ives – Understanding and working with the DATA Act
  • Peter Aiken – The Case for the CDO

For more information go to www.dama-ncr.org.
