When the cloud bursts – make sure you have an umbrella

The exponential rise of companies using the ‘cloud’ to facilitate their IT capability and data availability raises questions around how much due diligence has been carried out before trusting data to the myriad of third parties offering the service. The Megaupload situation where individuals and small organisations have had their data suspended has provided a taste of what can occur with cloud data, and a number of articles are starting to appear in business continuity industry publications highlighting some of the issues companies could face and providing guidance on how to safeguard YOUR data.

Firstly let’s look at why the cloud is such an attractive option. It provides organisations with the ability to have dispersed staff with access to data without the need for local hardware and LAN/WAN connectivity as well as reducing the hardware and maintenance required for data storage. From a business continuity point of view the risk of data loss from either technology failure or physical damage is reduced significantly as long as staff have access through internet connectivity from other locations, but the risks increase with regard to the reliance on third parties.

So is it a panacea?

It can be, but there are critical issues which need to be considered and acted upon to ensure availability and integrity of your data. The reason why availability of data is so high is because people are making lots of copies of your data to make sure it is always available. Those copies are out of your control which creates a risk to their integrity.

Harvey Betan (Risk Masters Inc USA) in his article “Beyond the silver lining”¹ provides some guidance on what organisations should consider:

• Do your due diligence in vendor selection – make sure it is the vendor of your choice, meet them, view their premises, ask the necessary questions.
• Address data transmission issues – your transmission link is now a point of failure so make sure there are alternates and capacity for increased traffic. How will data be encrypted and who has the key?
• Ensure your data will reside where you expect it to reside and will not be moved elsewhere – what legal implications are there if data is stored in another country, will the vendor advise you if they decide to move the data?
• Think about Intellectual Property issues surrounding the data.
• Consider what will happen to your data if you change vendors – how do you receive your data upon termination of contract (by either side), how quickly will it be provided, what happens if either party merges with another?
• Request and review the vendor’s continuity plans, including supply chain – ensure they have the necessary ‘tested’ plans and procedures to guarantee that not only is your data protected but also your ability to access that data.
• Prepare a detailed SLA (Service Level Agreement) with appropriate penalties – this should be based on recovery time objectives for your organisation.

In conclusion, there is nothing wrong with cloud computing and there are many good cloud providers. The important thing to remember is you are outsourcing your data to potentially an unknown data centre which results in some increased risks that must be understood and addressed.

********
1. Beyond the silver lining – Continuity (the magazine of the Business Continuity Institute) Q3 2012 – Harvey Betan CBCLA CBCP CBCV MBA is a business continuity consultant with Risk Masters Inc USA (hbetan@riskmastersinc.com)