CONSIDERATIONS BEFORE MOVING TO THE CLOUD 44 Bearfoot Road, Suite 1A Northborough, MA 01532 ceservices.com 508-919-8280 info@ceservices.com
Contents Introduction..3 Organizational Compliance Related to IT..4-5 Compliance Audits 4 Security Measures 5 Hosting Facility, Data Backup, & Infrastructure Backup Location(s) 5-6 Hosting Facility Location.5 Backup Locations.... 6 Service Levels..6 Cloud Provider Shutdown.7 Data Security.7 Transmission of Data..8 Initial Setup. 8 Exporting and Removing Data..8 Encryption...9 Data Breach Notification....10 Questions to Ask Potential Provider 10 2
Introduction When talking technology today, it s very rare that the word Cloud doesn t come up. The benefits touted with the cloud include ease of use, easy to deploy, scalability, reduced capital expenditures, and the list goes on. Cloud services include virtualization, storage, backup solutions, software-as-a-service, business continuity and more. And, whether your business is considering one solution or five, there are multiple factors that management needs to consider before going to the Cloud. In this guide; we will discuss the following areas: Organizational Compliance Data Security Data Center Transmission of Data Location of Data Service Levels Data Breach Notification Encryption of Data Provider Shutdown 3
Organizational Compliance Related to Information Technology Many state and federal regulations apply to your business whether you are privately or publicly held. Regulations are always changing and you don t want to be caught off-guard. Making sure you meet regulatory requirements can be quite complicated and often times frustrating. Now, let s throw cloud computing into the mix. A lot of concern has been expressed around cloud computing, the security measures employed and meeting compliance requirements such as: Sarbanes-Oxley (SOX) Health Insurance Portability and Accountability Act (HIPAA) Payment Card Industry Data Security Standard (PCI DSS) Protection of Personal Information for MA Residents (201 CMR 17.00) Gramm-Leach-Bliley Act (GLBA) Compliance Audits In your review of cloud services providers, you ll want to inquire about where your data will be hosted to ensure they meet the specific compliance requirements for your business. For data centers to be compliant they need to pass a variety of audits based on what data will be hosted in the facility. For example, to be HIPAA compliant they need to pass an audit to guarantee the facility follows the Code of Federal Regulation (CFR) set by HIPAA inspectors. The inspectors will take a comprehensive look at the facility to make sure that all data stored is protected and only available to authorized users. Once complete, a report is generated documenting that the provider has the proper procedure and policies in place to provide HIPAA hosting solutions. Other compliance audits include SSAE 16 (Statements on Standards for Attestation Engagements No. 16) formerly known as SAS 70, SOC 1, SOC 2, and SOC 3, and PCI DSS. For the Protection of Personal Information there are certain security measures that you need to ensure your third party vendor is adhering to such as encryption of data and access control measures. According to a Symantec Study State of Cloud Global Results January 2013, more than half of survey participants said they were concerned about being able to prove they have met cloud compliance requirements. And, 23% revealed they had been fined for cloud privacy violations. The following websites provide more detailed information on each of these compliance audits: http://www.aicpa.org/soc http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit https://www.pcisecuritystandards.org/security_standards/ 4
Security Measures Data centers must provide ample security measures to protect the data of their clients to meet certain compliances. These security measures include: HTTPS and SSL Certificates For web-based access to information which is encrypted and secured to prevent unauthorized connections Encryption of data stored on servers A Secure Firewall - A secure firewall will prevent any unauthorized access to protected files. Remote VPN Access For authorized users to access the network using a remote computer. Disaster Recovery - A documented backup recovery plan in case of lost data or server malfunction. Hosting Facility, Data Backup, and Infrastructure Backup Location(s) Hosting Facility Location Make sure the hosting facility location is not too close to your headquarters. Chances are if the two are close and a natural disaster damages or shuts down your corporate location, it could happen to the data center as well. You want to be close to your data, but not too close. Choose a facility away from flood zones and areas subject to hurricanes, tornadoes, earthquakes, as well as airports and power plants. This may seem easier said than done these days, but a reputable data center will have a well thought out location plan. During Superstorm Sandy, many data centers in New York City were down due to flood and power outages. These locations were in low lying areas in Manhattan and were susceptible to flooding. In many instances, the water flooded the generators preventing them from working. Airports and power plants typically have high electromagnetic interference or radio frequency interference. Because they are such large sources of interference they have the potential to impede the performance of the data center s servers and networking services. 5 5
Backup Locations When assessing a provider for cloud services, ask about backup locations. Are they located close enough that if the data center were to go down, the backup would be accessed in a reasonable amount of time. If business operations needed to be switched from one data center to another, are the locations close enough that your business wouldn t experience a significant of downtime. And, as in choosing the hosting facility, make sure backup locations are far enough away that they are unlikely to be affected by the same disaster. How Much Downtime Can Your Business Afford? 99% Uptime vs. 99.9% Uptime Service Levels Service levels are defined in a Service Level Agreement also referred to as a SLA. Service levels include uptime, security, availability and much more depending on the nature of your business. Before discussing service levels, consider what is important to your business. Identify what your business requires in terms of your technology and processes. Do you have an e-commerce site? If so, it s important that your uptime is as close to 100% as possible since you want your customers to have access at any time to order your products. You will see a lot of providers offering 99.9%. Think about what would happen to your business if the hosting facility had a security breach or Internet access outage. What business processes would be interrupted? Operations, Customer Service, and Employee productivity could all come to a halt. Data is a crucial element of your business and its security needs to be a priority when considering a cloud service provider. Not all data is created equal. Financial information, employee information, and competitive data could all be considered data that needs a high service level in terms of security. How data will be protected should be laid out in your SLA*. If you find you need higher levels of service in terms of data protection, disaster recovery or any of the services above, these should be clearly identified in the SLA as well as what the consequences are if the agreed upon levels are not met. Once you identify the business requirements, you can decide what type of services you need. The result can also determine whether to consider a public, private, or hybrid cloud model. 6
Cloud Provider Shuts Down A cloud provider could shut down for a variety of reasons such as bankruptcy, an un-recoverable power outage, contract disputes, vendor issues, etc. Although it s rare for a provider to shut down immediately without warning, it can happen. Therefore, it s important to have a contingency plan in place that addresses how you will get your data back. If you are working directly with the data center, the data must be given back to the customer since they do not have the capability to transfer data to another provider. However, if you use an IT Managed Services provider for cloud services, they can take care of giving your data back to you or transferring it to another supplier. To avoid complications due to a shutdown or interruption in cloud services: Make sure the provider has a documented plan to give your data back including method of transportation and formatting in case of closure. In the SLA, clearly identify the ownership and control rights of all company data Assess the financial strength and check references of the provider Have a backup plan in place to protect your business and your data in case your cloud services provider goes out of business. Data Security The security and integrity of data in the cloud causes a lot of hesitation for business owners and decision makers when it comes to considering cloud services. Before looking for a cloud services provider, inventory your data. Identify the different types of data whether it s highly sensitive or not, how it s managed, and how it s stored. Consider whether or not it would be best for your business to store your data in the cloud. You may have to comply with industry or state regulations and going to the cloud may complicate processes. Once the decision is made to move to the cloud, many factors regarding data security come into play when selecting a provider. Here s a high level checklist of what to ask of a Cloud Services Provider: Data Center Facility Security Find out what the physical security measures are to prevent unauthorized access to servers such as surveillance, key card access, security guards, etc. Infrastructure Security - Make sure controls are in place to prevent hackers from stealing your data. A reputable provider will have anti-intrusion measures such as secure firewalls, SSL (Security Sockets Layer), encryption, antivirus software, and a password policy. Accessibility of Data Unless you have a dedicated server, chances are highly likely that you will be sharing a server with other cloud service provider clients. This is referred to as multi-tenancy. Ask how they separate information and systems and make sure that unauthorized users are not allowed to get their hands on your data. Data Loss Find out what provisions are in the contract if the provider loses or corrupts your data. There should be a clearly defined plan in your contract, if not; you may want to consider going elsewhere. Data Backup - Make sure daily backups are performed and that the backups are tested. Performing regular backup routines is critical but verifying these routines actually work is just as vital. 7
Transmission of Data Initial Setup You are going to need to move your data and files which are stored on hard drives, servers, or tapes into the cloud. This means you will need to upload your data to the cloud server of the hosting provider. There are many ways to do this so make sure you ask your provider how they will make the switch. Some providers will have you upload all of your existing files, while others will just start with new data. Existing data will remain on the systems, or will have to be uploaded separately. As uploading of files demands a lot of resources, you should understand when it will be done. If your files are transferred during business hours, this will result in sluggish Internet speeds. It s best to work with a provider who is flexible as to when you want the data uploaded. Also, ask the cloud provider what file and document formats are supported. While most of the larger cloud providers support almost every type of file/document, there are some providers that may have limitations as to the type of file that can be uploaded, stored, and how you can use it. The takeaway here is to determine if you will need to convert files and data to a format the provider supports. If you need data conversion, ask if they provide conversion tools and support. This will make conversion a lot smoother. Keep in mind, data conversion can be a very time consuming process. DATA CONVERSION CAN BE A VERY TIME CONSUMING PROCESS. IF DATA CONVERSION IS NEEDED, ASK YOUR PROVIDER IF THEY PROVIDE TOOLS AND SUPPORT. Switching Cloud Providers Exporting and Removing Data Businesses may think that the cloud service provider they initially contract with will be the one they always use. This can be risky thinking when it comes to technology. There will come a time when you need to remove your files from the service. Be sure to ask the provider about their exit process. Some have been known to charge incredibly high rates to remove files. A good cloud services provider will assist you in removing files and will have a clear solution. As your files are saved on hard drives on servers, your data once removed, could remain on these drives. This is obviously something you wouldn t want, so ask what the provider does with the files once you remove them. 8
Encryption To give sensitive data the highest level of security, it should be stored in encrypted form. The goal is to make data unintelligible to unauthorized readers and difficult to decipher when attacked. Encryption operations are performed by using random encryption keys. The randomness of keys makes encrypted data harder to attack. Keys are used to encrypt the data, but also perform decryption. Keys are often stored to allow encrypted data to be decrypted at a later date. When it comes to data encryption, you will typically hear two terms data at rest and data in transit. Examples of data at rest include data stored on your computer s hard drive or in a storage facility. Data in transit includes data transferred through email, mobile devices, a USB stick and can even include a backup tape if you are delivering it from point a to point b. To make sure your data is protected ask your cloud provider about encryption methods. It is important to make sure your data is encrypted all the time when it s in transit and when it s at rest. Learn about how the cloud provider would manage and protect your data s encryption keys, especially when it comes to rules for access control. Although firewalls can be excellent protection from external threats, it s important to protect against internal attacks as well. Encryption for data at rest can help prevent attacks by employees who have access to sensitive information. These types of attacks are often even more devastating and cannot be prevented by firewalls. While viruses and stolen banking and credit card information are the rage in the headlines, less publicized incidents such as data theft or destruction by disgruntled former employees can result in far more damage. 9
In addition to talking to your provider about encryption methods, ask these questions: 1. How many employees at the hosting facility have access to your databases? 2. How are they storing passwords? 3. Do you they security policies in place that include auditing database security and monitoring for suspicious activity? 4. What is the security plan if database security is breached? While preventive security mechanisms like encryption are readily available, oftentimes they are not implemented to secure data from internal and external threats. Data Breach Notification Businesses are required to take reasonable steps to protect the personal information they hold from misuse and loss and from unauthorized access, modification or disclosure. The same goes for data center and cloud services providers. When looking for a provider make sure they have a documented plan on handling data breaches. Questions to ask a potential cloud services provider: What constitutes a data breach? What measures are in place to prevent and detect a security breach? How are breaches investigated? Under what criteria are more severe breaches escalated in order to be handled in a manner appropriate to the risk they pose? What s your notification procedure? The notification procedure should document how you will be notified i.e. phone call, letter, or email in the event of a breach and what the timeline is from the time of the breach to the time of notification. What are your incident response procedures You should attempt to require the cloud provider to keep to certain procedures. Particular data breach response obligations may include: Immediate investigation after a breach Providing prompt notice to the customer, within hours of the breach Written reports and status reports concerning the breach Keeping certain information that would be relevant to a data breach (including logs, planning documents, audit trails, records and reports) Documentation of corrective actions Most states have set security breach notification laws. Be aware of what the laws are in your state and how your cloud services provider plans to meet the requirements. A part of your strategy for security in the cloud is the need to have appropriate plans in place for breaches and loss of data. This is a critical component to your overall agreement with the cloud service provider. DATA BREACHES Target 110 million customers personal and payment information exposed Reason: Stolen Credentials allowed Hackers to access Target Networks Heartland Payment Systems 134 million credit cards exposed Reason: SQL injection to install spyware on Heartland's data systems. TJX 94 Million Credit Cards Exposed by Hacker Reason: Network Wasn t Protected with any Firewalls Fidelity National Information Services 3.2 million Customer Records including Credit Card, Banking and Personal Information. Reason: Employee Theft Resource: CSO Security and Risk csoonline.com 15 Worst Data Security Breaches 9
The move to the cloud is a big decision. For more information on cloud services or any of the material covered in this whitepaper: Contact us info@ceservices.com or (508) 919-8280 44 Bearfoot Road, Suite 1A Northborough, MA 01532 ceservices.com 508-919-8280 info@ceservices.com