m@ksim.pro

Trusting the cloud: questions you should ask your provider

Where your data actually lives, who can see it, and what you can actually verify - before these questions become urgent.

By 2013, cloud services have become a working reality for many companies. Email, file storage, CRM, accounting - all of it is migrating or has already migrated onto a provider's infrastructure. The decision follows obvious logic: faster, cheaper, no need to keep your own administrator.

The question is not whether that is right or wrong. The problem is that most companies move to the cloud without asking their provider a few specific questions. And then it turns out those answers mattered from the start.

Where the data physically lives

This is the first question, and "on the provider's servers" is not an answer. You need to understand:

  • which country the data centres are in;
  • whether you can choose a storage region;
  • where backups go and in which region they are kept;
  • whether the storage location changes as the provider expands its infrastructure.

For some categories of data this is a regulatory question. For others it is a question of which jurisdiction applies if a government authority makes a request.

Who can see your data

The standard provider answer sounds reassuring: "we do not share data with third parties." But that is an incomplete answer. Ask specifically:

  • whether the provider's technical staff have access to data content for support or monitoring purposes;
  • how access rights are structured inside the provider's infrastructure;
  • what the process is when an official request arrives - whether the provider will notify you before handing over data;
  • whether encryption at rest is used, and who holds the keys.

That last point is fundamental. If the provider holds the keys, it is technically able to decrypt the data, whatever its policy says. If you hold the keys, it is not.

What you can verify yourself

Trust in a cloud provider should not be blind. Some things can be checked:

  • independent certification: SOC 2, ISO 27001, or an equivalent. Reports under these standards describe actual controls, not declarations;
  • incident policy: how the provider communicates breaches, within what timeframe, and what the notification covers;
  • service termination terms: what happens to data if you leave or if the provider shuts down, and in what format and timeframe you receive an export.

If a provider cannot produce certificates or an audit report, that itself is information.

What is often missed when signing the contract

SLA terms in cloud contracts usually cover service availability. Rarely liability for data loss. Almost never compensation for the consequences of a breach.

Before signing, it is worth checking:

  • who bears responsibility for the data - provider or client, and to what extent;
  • what the recovery procedures look like in the event of an incident;
  • what rights you have if the provider changes its data storage terms.

This is not a reason to avoid the cloud. It is a reason to read the contract, not just the pricing page.

A simple filter before deciding

Before moving any category of data to the cloud, I suggest answering three questions:

  1. What happens if this data becomes publicly known?
  2. What happens if it becomes unavailable for 24 hours?
  3. What happens if we want to switch providers in two years?

If all three answers are non-critical, the cloud works fine without special conditions. If even one answer is serious, that calls for a more careful review of the provider and the contract before you start.
