A note for our readers: the views reflected by the authors do not reflect the views of ASPA.
By Iriana Chizek
In the ever-evolving technology space, moving to the cloud presents great benefits for government entities: increased software updates, disaster recovery capabilities and reduced staffing and infrastructure costs to name a few. While there are many positives that make the move to a cloud environment enticing, as with any technology there are risk factors to be considered as they relate to your data and how it’s being protected in the cloud.
It is important to understand what it means to “move to the cloud.” Moving to the cloud suggests that the entity is acquiring software as a service (SaaS) and additionally that software (and data) is distributed over the Internet from a third party provider’s site(s). As a result, the government entity is placing reliance on a vendor to maintain the software and the government entity’s data outside of the government entity’s domain of control.
So what are some of the considerations to effectively protect and manage the information technology (IT) components you place with a cloud service provider?
1) Establish Cloud IT Governance
Similar to internal technology deployments, strategic alignment, value delivery, risk management, resource management and performance management all need to be considered when moving to a cloud provider. These components (IT Governance) need to be addressed and typically begin with:
Anecdotal evidence indicates that most cloud customer/provider relationships start with little or no IT Governance, which results in problematic situations (as described in item 2 below). Furthermore, effective IT Governance requires entities to decide which regulatory compliance standards they will uphold internally and which they will require their cloud service providers to uphold. These requirements must address how failures and potential breaches will be handled and communicated should they arise, while establishing a platform to address risk management and performance.
2) Understand the Security Around Your Data
Agreements between cloud providers and entities tend to be vague to reduce the liability for the cloud provider in the event of a data security breach. The risk is always greater when you store your data remotely and can’t control it fully. According to a recent Gartner study, 80 percent of IT procurement professionals will remain dissatisfied with SaaS contract language and protections that relate to security.
It is essential that the contract use specific language to address information security. Terminology like “industry standard” and “best practices” should be avoided. While these are shortcut phrases, they are open to interpretation. For example, to avoid confusion, a better way to address this is “security management must comply with ISO 27001 and be certified through an ISO/IEC certifying body.” Another avenue would be, “the provider must obtain at its cost an annual independent SOC 2 report in compliance with the security and availability principles.”
Additionally, to mitigate some of the risks, clear metrics and requirements should be defined for:
Another important aspect to consider when thinking about security in the cloud is “shared environments” versus “private environments.” In a shared environment, the entity’s data will be placed on the same storage device as that of the other patrons, which raises concerns about backup and security. In a shared environment, the entity’s data are backed up right along with all other customers’ data. Human error can occur, and backups can be restored to the wrong customers/environments. Moreover, it is difficult to destroy the data when terminating the relationship with the cloud provider (as described in the exit strategy below). Public sector entities will not want to place information in a shared environment.
While there are many options when it comes to cloud providers, and competitiveness in price and service delivery matters, find a provider that matches your risk comfort level to best safeguard your information.
3) Develop and Agree to an Exit Strategy
Standard cloud provider contracts will always reserve the cloud provider’s right to suspend or terminate the service. However, the entity must be protected to ensure that enough time is provided to migrate to another solution. Data must continue to be available, in a usable format, for at least as long as necessary to facilitate the replacement solution.
In addition, from the government entity’s side, should the relationship with the cloud provider be terminated, contract provisions should stipulate the “return of data” to the entity. Return of data should be narrowly defined within the contract as: all entity data being transferred to a location specified by the government entity through secure and agreed-upon means, and the destruction of all data at the cloud provider on all storage devices, including tapes and backup devices, by an agreed-to date.
Cloud services are still new, and the majority of entities are still addressing governance, security and transition. It is important to expand vendor management policies to address cloud providers and to consider how contracts will address cloud providers along with the entity’s needs. Standard cloud provider contracts need to be scrutinized to make sure the entity is not giving up any rights to dictate how its systems and data are managed. Prior to signing a cloud provider agreement, consider the entity’s security strategy, risk management posture, deliverables, performance requirements and business needs, and verify that the contract considers all of them.