One of the main barriers to cloud adoption is data privacy. This is an issue because, for the majority of cloud providers, EU/EEA and US data privacy and Information Security standards are minefields which are very difficult to cross. And that is because their focus has been on the ease of use and functionality of their services rather than the all-important data privacy, information security, data integrity and reliability requirements around providing these services responsibly.
But, when looking through the plethora of cloud service providers, you can immediately sort the 'wheat from the chaff' once you start drilling down into the data privacy, information security, data integrity and reliability capabilities offered to ensure the protection of your and your customers' data.
In this guest blog post, Mike McAlpen, the executive director of security & compliance and data privacy officer at 8x8 Solutions outlines the questions cloud users must ask their providers before signing a contract.
Have you chosen the right cloud services
- Mike McAlpen
By asking your cloud services provider the following questions you will be on the way to knowing whether you can entrust your data into its care.
- Compliance with EU/EEA data privacy standards
The most important question is whether your provider can provide third-party verification/audit assurance of their compliance with EU/EEA and/or US data privacy standards? It is not enough for the provider to simply produce this verification/audit assurance, it must show that it has fully implemented the UK Top 20 Critical Security Controls For Cyber Defence and/or ISO 27001 and/or rigorous US standards such as the Federal Information Security Act (FISMA) and International Information PCI-DSS v3.0 security standards.
If this verification/audit assurance is not available then your business is at peril of not meeting EU/EEA and/or US standards.
In the US, many EU/EEA and other countries it can be a criminal offence if a breach of personal data privacy occurs and an individual employee or senior management, depending on the circumstances of the breach, is deemed to be responsible.
- Onward Transfer of Data
Does your provider work with third-party suppliers in order to deliver the cloud services it offers? If so you must check that it has contracts in place with its third-party suppliers that provide assurance that they are, and will continue to be, compliant with EU/EEA and/or US standards.
- Data Encryption
Does the cloud solutions vendor provide the capability to encrypt sensitive data when it is being transferred across the Internet and importantly again when it is 'at rest'? (i.e. Stored by your cloud services provider, or in files on a computer, laptop USB flash drives or other electronic media?).
- The Right to be Forgotten
Has your provider's solution been engineered to enable it to identify and associate each user's personal information data? It must also provide the capability for each user to view and modify this personal data. In addition, if the user wishes this data to be deleted, the provider must then be able to completely erase all of that person's personal data without affecting anyone else's data.
- Service Level Agreements (SLAs)
Outside of compliance with data privacy standards, another key issue is asking your provider how you will determine and then document, within your services contract, the required service level agreements (SLAs). It's no use whatsoever having the cloud services you have always wanted if you have no way of measuring or monitoring if they are actually being delivered to an acceptable level or if there are no financial penalties for non-compliance.
If your provider cannot answer "yes" to the above questions and you cannot agree to mutually acceptable SLAs - look for another provider!