
Are my data protected from any possible threat?
Inform yourself carefully about the overall policy a supplier adopts to prevent unauthorized users from accessing your data. This policy should cover both the “natural” and the “electronic” security of your data.
The term “natural” (i.e. physical) security refers to protecting data from unauthorized access that somebody could gain to the physical servers and network equipment of the data center where the data are stored. To achieve this kind of security, the supplier must have defined the required security levels for access to the building, entry into the data center and access to the equipment. Access to the building that houses the data center should be controlled through an identification system for incoming persons, and the perimeter of the building should be monitored. Entry into the data center should require special magnetic cards held only by authorized personnel, so that personnel access can be recorded and easily monitored by a security officer. Finally, data center equipment such as rack cabinets, storage devices, main servers and network devices should be protected by placing it in dedicated rooms (e.g. a computer room) to which only authorized personnel have access.
The term “electronic” security, in turn, refers to protecting data from any unauthorized access that a person could gain to the data center’s network via the internet. To achieve this type of security the supplier must have created the required isolation levels between the internal network (and critical data) and the internet, using sophisticated protection systems (firewalls, intrusion detection systems, antivirus software, antispam/antimalware software) as well as encryption and widely used secure communication protocols. Also, business data deemed “sensitive” should receive increased protection by being stored on dedicated storage devices where user access control is stricter.
Are my data backed up and how? How can I recover them?
Investigate the supplier’s capabilities for creating backups of your data and the way those backups are created. The supplier should use modern and effective tools, both hardware and software, that make backup and recovery easy, fast and reliable.
The backup system should be compatible with all applications that you want to back up (e.g. SQL Server, Exchange Server, etc.). It is also important that all activities occurring during the backup and recovery process are recorded in detail in log files, so that these files can later be checked to detect possible errors or data loss during the procedure. Backup files should preferably be stored on hard disks rather than on storage tapes, to enable rapid recovery. Of particular value is the capability for incremental backup, which means updating an existing backup with only the new changes instead of creating a full backup over again. In this way the system does not need to be taken offline for backups to be created, so it remains available 24 hours a day. Finally, high compression of backup files is desirable, so that they occupy less storage space and can be retrieved much faster.
Is the supplier certified on internationally recognized security standards?
It is important for the supplier’s data centers to undergo a continuous process of checking and evaluation at regular intervals (e.g. every year) by international certification organizations, regarding their compliance with international security standards. Some of the best-known and most widely accepted standards are ISO/IEC 27000 and SAS 70 Type I & II.
One Comment
I liked your article; it is an interesting technology.
Thanks to Google I found you.