By now, a lot of you will have considered taking your first steps into using cloud computing. It’s a logical step, as cloud services offer:
- Predictable and low monthly fees
- No upfront capital expenditure
- Offloading of maintenance and security responsibility to a third party
- And guaranteed latest versions of software and tools
In essence, the cloud gives small businesses access to competitive, enterprise-grade technology without any of the upfront costs.
Indeed, we conducted some recent research that found that 65% of small businesses are already adopting cloud services in some form, and a whopping 81% expect the cloud to be vital to their business operations in the next two years.
However, cloud providers come in all sorts of shapes and sizes, and “offloading responsibility” shouldn’t come without some due diligence. Because if you want to hold business-critical information in the cloud – perhaps client data or sales information, for example – your customers will hold you, rather than your cloud provider, responsible if something goes awry. It’s therefore entirely your job to evaluate your cloud providers’ security credentials before signing up.
If you’re not a technology specialist and that sounds daunting, don't worry: we’ve gathered together the questions to ask.
An SLA is a Service Level Agreement. It’s what you sign when you take up a cloud service, and it includes commitments on the part of the provider to maintain a constant and secure service. Read this document very carefully – it’s your key recourse if anything goes wrong.
- Proof of compliance
Ask what proof your provider can offer that they have the systems, processes and coverage to ensure that your information is safe. Look for a SAS 70 audit or similar external certification.
- Tiered or role-based authentication
Adequate password authentication is, of course, a must; and most services will treat it as such. However, most businesses, as they grow, will want to offer different degrees of access to different individuals in their organisations (or, indeed, to their clients too). Make sure that your provider offers the ability to deliver access to parts of the service based on discrete permissions, roles or privileges.
- Two-way encryption
Amazingly, plenty of web services encrypt neither passwords during sign-in nor data as it flows between you and the central repository. Demand fully encrypted transmission at all times.
- Location of Data
Ask where your data is physically held. It should be held in a secure environment, not down the back of a sofa. It should be backed up in near real-time, in more than one location. It should also be stored in a country with a reputable legal system: in our globalised economy, there’s no point crying over spilt milk if you’re afforded all the legal recourse of a dubious banana republic.
- Company History and track record
Ask straight: has your provider had any security lapses in the last 24 months? Has any data been lost or stolen? If the answer is yes, move on.
- Data mining is non-negotiable
It is tempting for some businesses that store large amounts of data to use that data in some way to conduct advertising or marketing activities. That might seem surprising, but it’s something we’re actually very used to – look at Facebook, for example. However, in a business context, this is utterly non-negotiable. Any cloud service which intends to use any aspect of your information for data-mining must come off your list of options immediately.
- Multi-layered security
One firewall is only as good as one lock on your front door. Look for a many-levelled and proactively managed security policy. Microsoft’s cloud servers, for example, are covered by nine tiers of protection, designed to offer an unrivalled barrier to data theft without compromising day-to-day ease of use.
- And what about the people?
Finally, no amount of technology will ensure that people act responsibly. There’s no easy way to ensure that a company manages its staff effectively without, frankly, sticking your nose into their personal lives rather too intrusively. However, it’s worth asking what a provider’s recruitment policies are: if you don’t get a satisfactory answer, that could point to a deeper lack of commitment to security elsewhere in their organisation.