It takes an IT catastrophe of epic proportions before many organisations realise the full value of good information security.
The latest disaster involved a hacking attack on web host Distribute IT, which virtually ruined the company.
Key administrative controls for responding to security incidents are business continuity planning (BCP) and disaster recovery planning (DRP). The golden rule of BCP and DRP is to make sure backups stored in a remote location are actually available for recovery: a backup that has never been test-restored, or that sits on the same infrastructure and credentials an attacker can reach from the production systems, is not a backup.
But every organisation choosing a hosting company must undertake a searching due diligence process rather than making a leap of faith. Anyone considering, or already hosting or using, services in a public or private cloud must address the following seven areas of risk in moving to the cloud, as defined by industry analyst Gartner.
Privileged user access: Service providers should have a combination of adequate training plans, character assessments and stringent hiring processes with employee background checks before granting staff access to privileged systems and data. They should also be able to show you how that privileged access is logged and reviewed once granted.
Regulatory compliance: Anyone hosting or using cloud services to gain regulatory compliance, who might be under the impression they can handball the hard work and all the risk to a service provider, should remember it is their data and they are ultimately responsible for it. It is essential to check that a service provider has a good understanding of the compliance your organisation is trying to achieve, and to get that commitment in writing rather than taking it on trust.
Data location: Does your organisation know where its service provider is storing your data and its backup data? Do you require that data reside within Australia? Don't assume that just because your service provider has a presence here, the data (or its backups and replicas) will also reside in Australia.
Data segregation: Because service providers may capitalise on virtualised and shared infrastructure to deliver services, make sure that your data is not exposed to other customers. Don't assume that data segregation is included. Ask your service provider to explain how each customer's data is segregated at rest, in transit and in backups, and how that segregation has been tested.
Recovery: Can your service provider recover from the loss of a file, a disk drive, a computer system, a network outage, a power outage, or the loss of an entire data centre? The survival of your business may depend on questioning your provider about its ability to recover, the recovery time and recovery point objectives it commits to, and the service levels applied to data recovery.
Investigative support: If and when things do go wrong, does your service provider have the visibility to detect problems with availability, performance or security? More importantly, does it have the ability to respond and remedy them, and will it retain and hand over the logs and records you need to run your own investigation? Make sure that your service provider's incident detection and response procedures give you that visibility.
Long-term viability: Nothing lasts forever, so make sure your service provider is financially stable, is not about to be swallowed by or merged into a bigger organisation, and is not about to be split off into a poorly funded subsidiary. Ask, too, how you would get your data back if the provider failed. It is crucially important that you gain satisfactory answers to these questions.
Anyone who has not performed full due diligence in choosing a service provider should begin immediately. Doing so late is better than never.
If you don’t like the answers you receive, find a new service provider who has addressed all seven areas of risk.