Cloud Basic Checklist
Transitioning to the cloud could be one of the most important decisions you make in managing your IT infrastructure, so it is important to do it the right way. I have collected a list of the basic things you should consider before signing a contract with your cloud service provider:
- What is the initial setup fee?
- What are the ongoing fees?
- Are there any usage fees (charged according to bandwidth used or number of users)?
- Is there a cap on how much the provider can increase the rates by? If the provider increases the rates beyond the cap, does it provide valid grounds for service termination?
- What is the total cost of your existing IT infrastructure discounted to the present value? Is it higher than the total cost of the cloud infrastructure?
- What is the uptime guaranteed by the provider?
- How does the provider calculate the uptime?
- Is there any compensation for not satisfying the uptime guarantee?
- What is the cost per minute of your service downtime? For instance, if you run an online store, you could include the lost sales, the cost of increased support calls and an estimate of the loss of brand goodwill.
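The uptime questions above hinge on how the provider counts downtime and on what the SLA actually pays back. The following is an added worked example, not part of the original checklist, with a constructed outage log, credit schedule, monthly fee and cost-per-minute; it shows how excluding scheduled maintenance changes the headline uptime, and how small the SLA credit can be next to the business cost of the same minutes.

```python
# Added worked example (not from the original post); all figures constructed.
MINUTES_PER_MONTH = 30 * 24 * 60  # 43,200 minutes in a 30-day month

# Constructed outage log for one month: (label, minutes down, scheduled?)
OUTAGES = [
    ("maintenance window, announced", 90, True),
    ("unplanned outage", 25, False),
    ("unplanned outage", 40, False),
]
# Constructed credit schedule: (uptime floor %, refund fraction of monthly fee)
CREDIT_TIERS = [(99.9, 0.10), (99.0, 0.25)]

def uptime_percent(outages, exclude_scheduled):
    """Monthly uptime. Contracts often exclude scheduled maintenance, which
    flatters the headline figure; ask which variant the provider reports."""
    down = sum(mins for _, mins, scheduled in outages
               if not (scheduled and exclude_scheduled))
    return 100.0 * (MINUTES_PER_MONTH - down) / MINUTES_PER_MONTH

def allowed_downtime_minutes(sla_percent):
    """Minutes per 30-day month that an SLA percentage still permits."""
    return MINUTES_PER_MONTH * (100.0 - sla_percent) / 100.0

def service_credit(uptime, monthly_fee, tiers=CREDIT_TIERS):
    """Credit owed for the month; tiers are checked from best to worst
    so the lowest breached floor sets the refund."""
    fraction = 0.0
    for floor, tier_fraction in sorted(tiers, reverse=True):
        if uptime < floor:
            fraction = tier_fraction
    return monthly_fee * fraction

def downtime_cost(outages, cost_per_minute):
    """Your side of the ledger: every outage minute costs the business,
    whether or not the contract counts it against the SLA."""
    return sum(mins for _, mins, _ in outages) * cost_per_minute

def compare(outages, monthly_fee, cost_per_minute):
    """Provider's uptime claim vs. actual, and SLA credit vs. real cost."""
    claimed = uptime_percent(outages, exclude_scheduled=True)
    return {
        "claimed_uptime": round(claimed, 4),
        "actual_uptime": round(uptime_percent(outages, False), 4),
        "sla_credit": service_credit(claimed, monthly_fee),
        "downtime_cost": downtime_cost(outages, cost_per_minute),
    }

if __name__ == "__main__":
    # Constructed: $5,000/month fee, $200 of lost sales per minute down
    print(compare(OUTAGES, monthly_fee=5000, cost_per_minute=200))
```

With these constructed numbers the provider reports 99.85% and owes a 10% credit ($500), while the same month cost the business $31,000 in downtime.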
3. Data Storage
- How sensitive is your data?
- Where are the data servers located?
- What encryption methods are used to secure the data?
- Are there any guarantees to protect your data against leaks?
- Who can access your data in the data center?
- Is the provider allowed to use data and/or metadata? For instance, in Gmail your email content can be read by Google’s algorithms for advertising purposes.
- In what formats is the data stored? Are those formats easily convertible to the data storage format you use in-house?
- How often are backups scheduled?
- Do they use any kind of RAID architecture to improve reliability?
4. Performance and Scaling
- What are the specifications of the disks, RAM and processors used in the servers?
- Do they use SSDs, flash devices or optimization techniques to improve performance?
- What is the maximum bandwidth offered?
- Are your data buses and disks shared with other users?
- How soon can you add computing resources when needed?
- What are the performance guarantees offered in the SLA?
- Can you terminate the contract at any time without a significant penalty?
- Can you terminate the contract without penalty if there is a security breach or other extenuating circumstances?
- On what grounds can the provider terminate your contract?
- How soon will the provider return your data after termination?
- Is emergency support available 24/7?
- What kind of support channels are available (phone hotline/email/Web-based chat)?
- How helpful is the customer help desk?
- Does the provider have an extensive KB (knowledge base) to help your staff handle simple issues?
As cloud computing gets increasingly complex and finds use in core enterprise applications, it is time to pay more attention to auditing. Auditing ensures that your cloud installation works as you expect. The audit can be done internally by your IT or business teams, or by a third-party service. Regardless of who does the audit, it is important to understand the different considerations in cloud auditing.
Regulatory compliance audit
In many industries, such as healthcare and finance, there are strong regulations that mandate how data should be handled, where it should be stored and how consumer data is protected. Not complying with the regulations can invite hefty fines and/or legal proceedings.
The regulatory compliance audit lists all the regulations that affect your data and applications, and checks whether each of them is met in your cloud setup. For instance, regulations in some industries prohibit storing data offshore. In that case you have to make sure that your cloud service provider has domestic data centers and uses them to handle your data and applications.
Disaster Recovery/Business Continuity (DR/BC) audit
Disaster can strike an enterprise in many forms. There are natural disasters such as floods and earthquakes, and there are man-made disasters that can disrupt your installations. It is the role of the DR/BC audit to ensure that the IT infrastructure remains operational, at least partially, despite the disaster. Mean time to recovery and the amount of data recovered are important metrics in this audit.
Security audit
Security should be one of the most essential aspects of any enterprise IT system. The security audit must uncover the various vulnerabilities in your cloud solution. Some of the security issues include unauthorized access, intentional destruction of data and Denial of Service (DoS). The audit should make sure the setup is sufficiently protected against the common types of attack and has the level of security that the enterprise requires. Sufficient attention must be paid to data security to protect against any information leakage.
Performance and Reliability audit
One of the biggest considerations in moving to the cloud revolves around reliability. The reliability audit must make sure that your data is available to employees and customers 24/7. The cost of downtime can be very high, in terms of lost employee productivity and loss of customer goodwill. The audit should also spell out the SLA requirements and find out whether all the providers satisfy them.
Performance audits must identify the various metrics (time to save a document, loading time of the website landing page etc.) and verify if the cloud setup satisfies those metrics. The performance and reliability audits could also make use of stress tests to make sure the stack used is robust under severe load conditions.
ROI and business audit
Migration to cloud computing has to make proper business sense, and this audit computes the ROI (Return on Investment) of the cloud infrastructure on which you have spent your time and money. The audit should arrive at the total cost of the solution (including retraining costs) and find out whether it is cheaper than the alternatives.
Business audit must spell out various business metrics and goals against which the cloud services have to be tested.
Keeping Your Data And Applications Secure On The Cloud
When you have all your data and applications permanently stored within your enterprise, you can get away with big security holes and poor data management practices without a serious external threat. However, once your applications and data move to the cloud, your margin for error becomes much smaller. Confidential enterprise data could be traveling all over the public Internet, enabling your employees to work anywhere, anytime, while at the same time exposing data to malicious eyes. In this post, I will cover some of the things your organization needs to get right to prevent unauthorized access.
Mind the channel
If you are on a public network with an unprotected Wi-Fi connection (such as in an airport or a coffee shop), avoid accessing confidential corporate data. An attack could range from low-tech physical eavesdropping on your screen to high-tech capture of your data on the channel. Make sure your channel is authenticated and encrypted with protocols such as IPsec, TLS/SSL and SSH, and systems such as a VPN. If you are sending critical data in plain text, you are inviting trouble.
Implement well-designed user access control
Properly planned user access control is needed for all your data and applications. Employees must be able to access only the data they need. Also mind the flow of information outside the security perimeter. For instance, you must never allow your sales people to export all the CRM data to an Excel sheet that they could easily take with them when they leave the company. Always make sure that data access happens through your security interfaces and that very few bulk export options are allowed for regular security privileges.
In 2009, Twitter had a bad security breach that made all its internal discussions and confidential business data public and threatened the future of the young network. The hacker gained access to a single compromised personal Gmail account of an employee and was able to access spreadsheets and documents on Google Docs that contained all the corporate information.
Although Google was not at fault in this case, it shows how easy it was for the hacker to access all the corporate information after gaining access to one account. Audit your data storage systems and make sure they are compartmentalized enough to avoid cascading security failures. Classify the information based on the security level and implement high-level security for the most confidential information. Thus, a breach of a low-security account should not expose the data in a high-security account.
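As an added example, not from the original post, the following small model puts the three points of this section into code: need-to-know access by classification level, no bulk export for regular privileges, and compartments so that one compromised low-security account exposes only its own compartment. The users, records, levels and the 100-row export limit are all constructed for the illustration.

```python
# Added example (not from the original post): a small access-control model
# for the points above. Users, records and levels are constructed.
from dataclasses import dataclass
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
BULK_EXPORT_LIMIT = 100  # records per export allowed to regular privileges

@dataclass(frozen=True)
class User:
    name: str
    clearance: str           # highest classification this user may read
    compartments: frozenset  # teams/projects with a need to know
    bulk_export: bool = False

@dataclass(frozen=True)
class Record:
    label: str
    classification: str
    compartment: str
    rows: int = 1

def authorize(user, record, action):
    """Decide 'read' or 'export'. Read needs clearance and compartment;
    export also enforces the bulk limit unless the user holds that right."""
    if LEVELS[record.classification] > LEVELS[user.clearance]:
        return False, "classification above clearance"
    if record.compartment not in user.compartments:
        return False, "no need-to-know for compartment"
    if action == "export" and record.rows > BULK_EXPORT_LIMIT and not user.bulk_export:
        return False, f"bulk export of {record.rows} rows denied"
    return True, "ok"

def blast_radius(account, records):
    """Labels of everything readable through this one account: what a
    breach of it would expose. Compartments keep this list short."""
    return [r.label for r in records if authorize(account, r, "read")[0]]

# Constructed sample data
SALES_REP = User("alice", "internal", frozenset({"sales"}))
DATA_ADMIN = User("bob", "restricted", frozenset({"sales", "finance", "exec"}), bulk_export=True)
RECORDS = [
    Record("one CRM contact", "internal", "sales"),
    Record("full CRM export", "internal", "sales", rows=50_000),
    Record("revenue forecast", "confidential", "finance"),
    Record("board minutes", "restricted", "exec"),
]

if __name__ == "__main__":
    print(authorize(SALES_REP, RECORDS[1], "export"))  # bulk export denied
    print(blast_radius(SALES_REP, RECORDS))            # sales compartment only
```

A compromise of the sales account reaches only the two sales records; the forecast and board minutes stay out of reach because both the level check and the compartment check must pass.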
Educate your employees
No amount of secure protocols will help if your employees are not trained in security best practices. Require them to use strong passwords that are changed periodically. Educate them never to send passwords in plain text through SMS, email, etc. (you would be surprised by how many employees in tech companies break this basic rule). All data must be properly encrypted, and the keys must be rotated carefully.
By Balaji Viswanathan