This question was asked by an attendee during the Proformative
Everyone keeps pushing the "cloud" but many proponents just skip past security, insurance, and managed change. Aren't those major cloud adoption issues? (Webinar Attendee Question)
Answers
Security is always an issue - not just with the cloud but with any technology. In my experience most of the security breaches that I have experienced have come from the human interaction and not from hackers. I have customers in the healthcare industry that are under strict HIPAA regulations. Where have I seen security break down? Employees sending emails with patient information, social security numbers, etc. in them; putting a patient's social security number, name, etc. on a post-it note on their computer screen. From a technology standpoint, the concerns are controlling access to computer systems and enabling covered entities to protect communications containing patient information transmitted electronically over open networks from being intercepted by anyone other than the intended recipient. When information flows over open networks, some form of encryption must be utilized - in the case of reputable Cloud providers encryption is paramount.
With regards to managed change, at the core of Cloud-based applications is the fact that the paradigm of the "upgrade" is broken. Basically, Cloud providers will give ample warning about a new version release such that you can test the new platform to ensure that there will be no issues upon going live on the new version.
The issues with security are generally around knowing who has access to your information. If you have your own servers, you likely know who has access to them - your IT department or other parties. Most people are concerned that in the cloud they don't know who has access to their data. This is why you want to make sure that the cloud vendor is compliant with SSAE16. Note that the cloud may be MORE secure than your own IT department - I have clients that are pretty loose about who has access to the data center.
As Tom points out, most cloud vendors provide a good degree of managed change - you will know in advance when system upgrades are being performed and what to expect.
As for insurance - you should talk to your vendor about their indemnification program(s).
Here is the AICPA description of SOC 1, SOC 2, SOC 3 compliance
http://www.cpa2biz.com/Content/media/PRODUCER_CONTENT/Newsletters/Articles_2012/
Here is another site that is easier to read
http://www.trustnetinc.com/Compliance/socssae16sas70-overview.html
http://www.trustnetinc.com/Compliance/what-soc-is-right-for-you.html
Here is a list of what to look for in a Cloud vendor, provided by Uni-Data and Communications, Inc. at a seminar I attended.
10 Things to Look for in a Cloud Vendor
1. Intuit Authorized Commercial Host
2. Data sits in U.S. based SSAE16 Data Centers
3. Compliance sufficient to business needs (HIPAA, PCI, etc.)
4. Service Levels sufficient to business requirements
5. References within Business verticals
6. Employee certifications/background checking policy
7. Technical/Software Partnerships
8. Hardware/Bandwidth exceeding peak load by 50%
9. Back-up policies sufficient to business needs
10. Flexible commitment/month-to-month
With a reputable DaaS vendor, disaster recovery and business continuity are part of the day-to-day maintenance of the end-user’s account. Data is backed up every day and saved for a certain period of time so that going back in time, staying in the present, and planning for the future are all possible.
Uni-Data Cloud Hosting:
Intuit Authorized Commercial Host for
Intl. Association of Managed Service Providers (MSP Alliance) accredited
Certified Intuit Solution Provider (ISP)
HIPAA, PCI compliant environments
Redundant SSAE16 SOC 1 Type 2 certified data centers (owned)
Free New York based 24x7x365 Technical Support Helpdesk
No setup costs or long term contracts
24hr SLA on purchase/account setup
Citrix and RDP hosting connections
Steven Love
718-445-5600 ext. 3174
Uni-Data did not go down in Hurricane Sandy.
One of the things you need to remember about standards setters is that anytime something new emerges, there are all kinds of cautions and alerts.
You do have to do your own research and satisfy yourself, but you need to remember that the
IBM is saying that 90% of all the data on the planet has been created in the last 2 years. That provides some perspective about how fast things are developing.
Buying from cloud vendors is generally no different from buying from on-premise vendors in that you must do your due diligence as a prospect. The first question about security, insurance, etc. is a very fair set of questions to use to test vendors with in your due diligence process. Here are some more detailed examples:
a. Security – Does the Cloud vendor do an SSAE16 SOC 1 and SOC 2 audit, and if so, how frequently do they perform the audit, and will they share the results with their customers regularly and upon each cycle's completion? Does the application provide robust security both for user access as well as for data access once users are in?
b. Application Performance – Does the vendor have a reasonable SLA/uptime guarantee, and do they put their money where their mouth is if this is not met (credits, Client termination rights, etc.)? Does the vendor have a backup facility and a disaster recovery plan? What is the backup frequency, and thus the maximum data loss in a disaster? What is the time to get back up and running in this scenario?
c. Data – Does the vendor agree to very strict confidentiality provisions for Client Content? Is it clear contractually that the customer owns their content and can retrieve it at any time? Is there a clear data extraction plan upon termination?
d. Insurance – Do they have reasonable coverage in the areas that the prospect cares about, especially, given the focus of this question, around data and security breach protection?
Hope this helps and happy holidays, Kelly