As we all know, cloud service provider Nirvanix recently declared bankruptcy, leaving its customers in trouble. Nirvanix gave companies less than one month to transfer their data. To avoid ending up in the same situation as these customers, organizations should follow the best practices below to move data securely.
Due diligence: financial position comes first
The Cloud Security Alliance's February 2013 report, "The main threat to cloud computing in 2013", shows that lack of due diligence is a continuing threat to cloud computing. When companies evaluate cloud computing providers, they take a one-sided view. Cloud Security Alliance chief operating officer John Howie said: "Cloud users focus too much on information security and privacy, or focus too much on reducing and saving costs, without investigating the financial situation of suppliers."
"Profitability does not mean the stability of companies or service providers," New Horizons Computer Learning Centers chief information security officer Adam Gordon said. "Corporate governance strategies can achieve financial success overnight and improve profitability; the company and its partners could soon 'fall off the cliff' if no one was concerned."
Enterprises should evaluate the financial position of the cloud service provider. For listed companies, they can check regulatory filings (such as the 10-K) through the Securities and Exchange Commission (SEC). Howie said: "This will detail the financial situation and the risk of self-awareness of cloud service providers."
"If possible, you should at least check the financial audit statements for the last two or three years," Gordon said. "These should be able to show the overall trends in asset growth and management." While we see fluctuations and negative results over a period of time, we should see positive growth and expansion of revenue and profitability within that range of years.
The financial situation will also reflect the enterprise's management and development strategy, which can show whether the company has a clear direction, long-term planning, sound risk management and the ability to weather a crisis. "Investing in long-term strategies to promote the development of enterprises and increase market share is also an important indicator of enterprise stability."
Howie recommends that large companies consider cloud brokers to analyze cloud computing requirements, determine their risk tolerance, and choose a matching cloud service provider. "The cloud broker will check the overall financial position of the supplier and determine the potential for the supplier to exit the service," Howie said. "Special Publication 500-292, published by the National Institute of Standards and Technology (NIST), defines the role of the cloud broker," he said.
CIOs or other C-level managers should be involved in working with cloud brokers to make the necessary strategic adjustments and derive value from brokers by driving and directing the consumption of cloud services. Gordon added: "You can look to federal and state government departments to find successful real-world use cases that work with cloud brokers; for example, Texas has been using cloud computing brokerage since 2011, and many federal agencies are using it."
Prepare to leave: contract language, cloud portability
"For companies that cannot hire brokers, the Cloud Security Alliance advises enterprises to solve the problem of termination of service in the contract language," Howie said. "The terms and conditions of the contract should be clear: the cloud service provider must give adequate notice of the termination of the service and make clear the tools that are used to transfer data from the cloud and the assistance that the vendor will provide to ensure that the enterprise can continue to use the data in another cloud service."
According to Howie, cloud computing contracts can require a cloud service provider to make a number of commitments, including reserving funds in a third-party escrow account to help customers extract their data. These agreements can also identify storage and processing equipment for use by corporate customers after a vendor has gone bankrupt. The contract may further cover third-party warranties or insurance. Finally, the contract may require the supplier to disclose its quarterly financial position and, if the financial situation indicates that the supplier is in trouble, allow the enterprise customer to terminate the contract.
However, if a company chooses a private or start-up cloud company, the above contract requirements are not sufficient. Companies must consider whether they are able to bear the risk when a supplier suddenly stops providing services. "Companies should always have an exit strategy as part of a business continuity management plan," says Howie.
Domain 6 of the Cloud Security Alliance's Security Guidance for Critical Areas of Focus in Cloud Computing offers some suggestions to help enterprises consider how they will transfer data out of a cloud service provider's services. "In the 6.2 portability introduction, portability is an important aspect to consider when choosing a cloud service provider, and we specifically mention disaster recovery," Howie said.
The failure of a cloud service provider is a disaster and should be covered in the enterprise's business continuity management plan. Speaking about the Cloud Security Alliance's security guidance, Howie said: "6.3.2 (portability recommendations) and 6.3.3 (recommendations for different cloud models) provide specific guidance and high-level considerations."
In 6.3.2, the Cloud Security Alliance's security guidance recommends that enterprises understand the platform dependencies of different services and different cloud architectures. When an enterprise's applications and data depend on one platform, there may be technical challenges when moving to a vendor that uses a different architecture.
Proprietary authentication technologies and identity management systems will hinder cloud data, applications, and services from moving to cloud environments and vendors that do not use the same authentication and identification standards. The Cloud Security Alliance's security guidance states that by using an open-standards IAM platform (such as SAML), organizations can keep these mechanisms portable when moving to another cloud service provider.
The Cloud Security Alliance also urges companies to maintain control over encryption keys to ensure a secure transfer away from existing cloud vendors. Similarly, companies should take steps to ensure that when they move to a new cloud computing environment, they can eliminate all metadata from existing cloud service providers, thus avoiding data leakage incidents. These best practices are also included in the Cloud Security Alliance's security guidance, which provides detailed guidance to help organizations safely migrate from each cloud model.
"Prevention, treatment as a supplement" - Benjamin Franklin
Before moving to the cloud computing environment, companies should make every effort to ensure that their applications and data are transferred unscathed. Doing so will prevent companies from falling into the same predicament as Nirvanix customers.