Rule Number 2: If you put data into the cloud, you must ensure it is recoverable. Backups are a must, and testing the backup methodology and process is equally a necessity. If you fail to cover contingent liabilities with an all-encompassing plan, the cloud will be no better than your own self-run data center. If you kept backups of your data for six months in your own data center and then implemented the same term for your cloud app, you have improved the situation little beyond divorcing yourself from the day-to-day activities.
But for some reason, we are not following these two basic rules; rather, we act like teenagers who store files through a service and then ignore the fact that they have lost all control.
Who’s to Blame?
Blame for what, you ask? Simply put, we are not learning from our mistakes, and from a doom-and-gloom perspective, the stage is set for serious data loss as the cloud paradigm is adopted by more and more users. On the surface, this may sound antagonistic or confrontational, but shifting responsibility from an internal organization to an external organization does not guarantee success and security.
Every cloud user must be completely involved with the definition of what the cloud will be for the organization; what services it will provide; who will monitor and provide oversight. The same requirements imposed when everything was in-house remain when you outsource to the cloud. This means that some functions, such as vendor management and oversight, must still be a budget line item and must still be part of a review process.
The cloud can be a safe haven for corporate data only if you take the time to implement proper controls and oversight. The cloud will not protect you from yourself unless you establish guidelines upfront to allow it to protect you. The cloud, whatever cloud you choose, is not in itself perfect, and security has yet to be tested on a broad scale. You cannot ignore safeguards for your assets, be they music files for your MP3 player, emails for your office or customer databases. Outsourcing expectations should not be viewed differently from those for your own data center. If anything, you should expect—and demand—more and better.
The cloud does offer agility. The ability to react rapidly to changes in requirements is one of the best value-adds that cloud providers offer. Agility is great, but security is better and more important.
Rule Number 3: Take full responsibility for your cloud implementation. Designate someone in your organization to monitor application operation and interface directly with the cloud provider. Treat the cloud provider as a vendor and require them to sign a service level agreement specifically detailing everything required by your corporate or federal standards for IT, such as, at a minimum:
• Establish a point of contact for all issues, along with a process for problem escalation and a maximum time limit for corrective action.
• Ensure compliance with legislative requirements such as HIPAA, FedRAMP or those for PII, and require certified reports proving they are in compliance annually.
• Embrace a rigid backup and recovery procedure and policy.
• Encourage an application update strategy and cycle.
• Enforce clear understanding of who owns data and what happens to it once deleted.
Proactive Cloud Control