As data breaches become commonplace, organizations have to ask more questions about how their data is stored. This is especially true when data is stored with a third party.
Companies need to comply not only with their own internal rules but also with external regulations such as the GDPR and, soon, the California Consumer Privacy Act.
According to Todd Matters, chief architect and co-founder of cloud company RackWare, there are three questions that organizations should be asking cloud vendors.
Physical regulations
The first important thing to question is what physical regulations there are, Matters explained. It is important to ensure that your cloud provider has the appropriate physical controls in place, such as restrictions on physical access to the data center and surveillance around it.
He believes that running data centers has become its own science. In the past, those running data centers just needed to worry about having an air conditioner to keep it under a certain temperature. Now, people have to ask questions like: Is the data center in a flood plain or an earthquake zone? And the answers to those questions will inform aspects of their disaster recovery plan. “Getting all of that information from your provider and understanding that, at least from a physical perspective is very important,” said Matters.
Infrastructure management
The second important question to ask is how the infrastructure is managed. In a data center, personnel need access to certain servers, systems, and routers. Therefore, it is important to know how those people are monitored and how they access those systems.
In addition, a number of standards exist today that did not in the past, such as password standards and two-factor authentication standards. It is also important to understand the compliance requirements for those elements.
How cloud providers implement multi-tenancy
The third question to ask is how the cloud providers implement multi-tenancy. A cloud provider offers infrastructure for many different companies, so it is important to ask them how they handle that. “It’s definitely a worthwhile question to ask your provider. ‘How do you handle multitenancy? What safeguards do you have in place? How can you ensure that however many companies, it could be dozens or hundreds that are running on the same physical infrastructure, are you guaranteeing that they can’t access any of my data?’ ”
According to Matters, compliance needs to be a joint effort between companies and cloud providers. “Regulation requirements must clearly span provider infrastructure and personnel, as well as IT aspects relegated to cloud users. Most providers have material readily available that describes their compliance strategies. This allows for the simple implementation of basic controls.”
He also believes that, for the most part, companies are not asking these questions unless they have already received an audit failure or citations that could compromise the business.