Recently, we highlighted a few key findings from CIO magazine’s 2015 CIO Survey. Not surprisingly, the wave of cyberattacks that characterized 2014 has led to an increased focus on cyber security. Cloud computing and cyber security are at the top of many CIOs’ priority lists. However, there are significant differences among cloud providers in their security posture and in how they deploy security technologies, processes and personnel. These differences can affect the availability, privacy and compliance of your data, so it is crucial to do some research. Following are three security questions to ask your cloud provider.
How do you encrypt my data?
According to a recent data breach report, 46% of data breaches stem from the physical theft or loss of unencrypted devices. So the correct answer to this question (and the one that HOSTING provides) is, “We encrypt all data – in transit, at rest, and on mobile devices.”
Why is this so important? Because failure to encrypt all data can lead to serious consequences, especially for those organizations that must comply with regulations such as HIPAA (Health Insurance Portability and Accountability Act) and PCI DSS (Payment Card Industry Data Security Standard), just to name a couple.
Keep in mind that proper encryption not only safeguards business-critical data, it can also offer a competitive advantage. Companies with strong data encryption policies can transact securely any time, and from any place, allowing them to serve new customer segments or territories.
What certifications for security and compliance have you attained?
At a minimum, a cloud provider’s data centers should have successfully completed a SOC 1 audit under SSAE 16 guidelines (formerly SAS 70 Type II), as well as testing by independent auditors. This audit verifies that the cloud provider’s data centers have met rigorous requirements around physical security, physical access, and internal controls. It also allows cloud providers to disclose their control activities and processes to their customers and their customers’ auditors in a uniform reporting format.
Some cloud providers, including HOSTING, take certifications a step further by having their sites and services audited against the most stringent of the AICPA / CICA standards: the Trust Services Principles via SOC 2 / 3. HOSTING has reported under SOC 2 / 3 since the retirement of the SAS 70 standard, rather than under the less-prescriptive and less-stringent SOC 1 framework that some providers continue to rely on.
Organizations that need to adhere to compliance regulations such as HIPAA/HITECH, PCI DSS and so forth should also ask a potential cloud provider for its certifications in those areas. As a leading compliant cloud hosting provider, HOSTING undergoes annual risk assessments and compliance reviews from three separate assessors to maintain a solid compliance posture against HIPAA/HITECH, PCI DSS and SOX regulations.
How do you guarantee that my data will always be secure and available?
Organizations need – and expect – their business-critical data to be available at all times. When evaluating cloud providers, it’s crucial to understand the details of their facility uptime, the services they offer for replicating data and their service level agreements (SLAs).
A cloud provider should have a consistent facility uptime of 99.999%, at a minimum. This uptime should be backed by a detailed SLA that not only outlines measures for ensuring facility uptime and data security, but also includes penalties for the cloud provider should it fail to meet these measures.
In addition, the cloud provider should offer a comprehensive disaster recovery plan that includes data backup and cloud replication – either from an organization’s on-premises environment to one of the provider’s hosting sites, or between the cloud provider’s own hosting sites.
HOSTING provides facility uptime between 99.999 and 100%, backed by SLAs that exceed industry standards for performance, scalability and availability. As part of a comprehensive disaster recovery plan, we also offer the HOSTING Cloud Recovery Service (CRS). HOSTING CRS transparently replicates an organization’s entire operating environment – including applications and data – to any of our other cloud hosting sites. Customer data remains secure, encrypted and available 24 x 7 x 365 – regardless of circumstances.
Concerned about security in the cloud? HOSTING has a dedicated team of security and compliance experts to help you assess your security needs and migrate to the cloud with confidence. HOSTING and long-time partner Alert Logic also released The Alert Logic Cloud Security Report. This report lists trends that threaten online and cloud security as well as essential elements to include in a security solution. You can also register for our on-demand webinar that walks you through the report.