As virtualization technologies become increasingly popular, more and more businesses are thinking about using cloud computing for Disaster Recovery. Experts in the field believe that there are many advantages in embracing this solution – however, there are also some potential threats that need to be taken into account.
In order to consider cloud computing services, organisations need to evaluate the potential risks to their Information Assets and, in particular, how a 3rd party supplier will affect the Confidentiality, Integrity and Availability of their data.
Here are five tips on how to deal with the main challenges:
1. Risk Assessment and Asset Valuation
Right from the outset, organisations should try to understand what the greatest risks to the business are and identify which information assets are too important or too sensitive to hand over to a 3rd party supplier to control.
2. Smoke and Mirrors
To overcome the risks associated with choosing a new supplier, it is a good idea to carry out due diligence on the Cloud Supplier – find out all you can about who you will be trusting with your information and review their facilities, processes and procedures, references and credentials, e.g. whether they are ISO 27001 certified.
3. Migrating Information
Once a decision is made to either partially or wholly migrate data/systems to the cloud, the biggest challenge is how to ensure there is a seamless migration to the external provider’s service. This is a very delicate step which, if dealt with inadequately, may result in data loss, leakage or downtime which could prove extremely costly to the business.
4. Service Level Management
When businesses trust 3rd parties with their vital corporate, personal and sensitive information, it is important to set up structured SLAs, Confidentiality Agreements, Security Incident handling procedures, and reporting metrics, and above all to ensure the supplier provides compliant, transparent, real-time, accurate service performance and availability information.
5. Retention and disposal
Depending on the policies and regulatory requirements applicable to the business, one of the main challenges with cloud computing is how to ensure the corporate retention policies are enforced if the information is located outside the company’s IT network perimeter. Obtaining certificates relating to the destruction of data is one thing, but proving that information identified as sensitive or personal is only kept for as long as necessary is another. With the economies of scale often associated with cloud computing, total adherence to the retention policies of individual companies may prove difficult if resilience, backup and snapshot technologies are employed to safeguard the environment from outages or data loss.