GRC: 7 Questions to Ask Your Cloud Service ProviderBy Tony Kontzer
CIOs overseeing migrations to the cloud want assurances that the services their companies subscribe to won't present excessive risk and will enable them to govern those environments as if they are an extension of the organization. For more on how organizations are handling these issues, read our strategic tech feature, GRC in the Cloud. To get the assurances required from cloud vendors, CIOs need to ask hard questions. That list of questions should include the following:
- What will the service do? Every vendor should offer documentation that spells out functionality. "If that's something that's not made available by the vendor, you should certainly ask for it," says John Pavolotsky, an IT attorney with global law firm Greenberg Traurig. "You want a reasonable assurance that there won't be any decrease in functionality, or other modifications, during the subscription period."
- How thorough is the vendor's service-level agreement? Any SLA worth its weight should specifically address uptime guarantees, as well as incident response times and remedies. These things should be negotiable. Try to ensure you have the ability to terminate the agreement if the SLA frequently isn't met.
- How much will data backup cost, and how quickly can you get at data once it's been backed up? Some vendors reportedly ask to be paid all past-due amounts before handing over backed-up data. You can count on the fact that you and your vendor will not agree on how much is owed. It's best to iron out these issues contractually before your relationship begins.
- How is intellectual property handled? If you're accessing software as a service, the software and any modifications to it are owned by the vendor. Customization add-ons and data should be owned by the customer. Make sure this is spelled out.
- Do the vendor's policies and procedures map to mine well enough for me to comply with HIPAA, SOX and any other regulations that might apply? When it comes to vendors with large customer rosters, you'll be hard-pressed to get them to change any processes to suit your data-related needs.
- Where is my data? If it's in Indonesia, for instance, it will take about two days of travel to gain physical access, and it may not meet the privacy requirements of other nations in which you do business. Be sure that the provider isn't transferring data out of the country in violation of privacy law.
- Is the vendor bound to give me physical access to the servers housing my data? Make sure you have the contractual rights to image entire servers (including deleted data residing in unallocated hard drive space), take backup tapes out of rotation or turn off auto-delete functions. "Cloud vendors make money by volume and efficiency," says Eric Friedberg, co-president of digital risk management company Stroz Friedberg. "They can't be bothered--and probably aren't even set up--to take a call to ask if they can take an image of an unallocated area of a hard drive."