2012 was an interesting year where more services were moved to the cloud and at the same time we saw the risk of cloud services shutting down. In the case of MegaUpload.com (the notorious filesharing site shutdown by the FBI), the government seized all of the hosting servers and made all the information on them unreachable. Even legitimate users ,like the XDA developers, end up losing their information (over 200,000 XDA files were hosted on MegaUpload – all legal).
Other times, a commercial decision is made that can see a free service become for pay or a service can be shelved completely. A good example of this is Google’s decision to scrap the free version of its Google Apps services and charge $50 per year per user for new customers wanted this service (which was free for up to 10 users until December 2012).
EMC killed off its Atmost cloud service and provided a short notice for its customers to move their data or risk losing it.
With all these risks, companies will continue to rely on cloud services because they are typically cheaper and faster to deploy. So what should you do?
1 – Due Diligence
Ensure that the provider has the redundant infrastructure (multiple data centers, multiple copies of your data and a strong backup process) you need to keep your business running. During hurricane Sandy, many companies learned that their hosting provider was only located in New York and many shutdown for weeks while the city recovered.
What are the processes the provider has to recover from the worst case scenarios and ensure the C.I.A of your data (natural disaster, terrorist attack, flu pandemic, malicious insider, etc). In this case CIA = Confidentiality, Integrity and Availability.
If you are subject to government regulation, make sure your chosen provider can meet the regulatory requirements and is willing to provide the required audit evidence.
2 – Data Portability
Before signing up for any cloud service, make your own worst case contingency plan. If the service has a material change in scope/price or is scrapped, what do you do to keep your business running?
Make sure any data export requirements are defined (as exactly as possible), negotiated with the vendor and clearly written down in the contractual language. Don’t wait until something happens to start planning.
In some cases, even with a dump if the data, it is useless because (without the cloud service) you lose the business logic to make it all work. This is a good case for the Plan – Do – Check –Act cycle.
3 – Have a good SLA
Once you know exactly what you want and have found a provided willing to meet it then make sure you spell our exactly what the providers obligations are with examples (to ease understanding) and penalties to incentivize the correct provider behavior.
4 – Continuous Audit
In an ideal situation, you should plan on conducting an annual due diligence audit to ensure continued compliance.
5 – Don’t rush
Most mistakes happen when you rush the investigation or needs determination process. Take the time to do this right and you may just end up getting what you expect.