Cloud Computing – Who’s watching your back?

Cloud computing is all the rage this year, with Amazon’s Elastic Compute Cloud (EC2) and Simple Storage Service (S3), Agathon Group, ElasticHosts, and dozens of other providers available to you. But Amazon S3 was down for nearly 8 hours on July 20, 2008, Gmail has suffered multiple outages of up to 2 1/2 hours affecting more than 113 million users, the Ma.gnolia bookmarking service suffered a database failure, and Carbonite lost data belonging to 7,500 customers. Would an outage of any length affect your company? Do you have a business continuity plan should your hosted applications or data go offline, become corrupted, or be destroyed?

Before you can develop a plan to respond to cloud computing issues, you need to understand what those issues are (risk analysis) and how they affect you (business impact analysis). Do you need to think about geographic dispersal of your application? Have you investigated trans-border data issues (especially important if you serve customers in Europe)? So what questions should you be asking your cloud provider before you migrate your applications to their infrastructure? Here is my start on a checklist:

  • What is the hosting provider’s overall uptime guarantee for a specific software instance (not the overall environment uptime)?
  • Do you have a choice of data center(s) where your application will run?
  • Will your application run on high availability (HA) systems?
  • What is their disaster recovery plan, including response to a pandemic?
  • How is the environment monitored for OS / DB / application failures and how are you notified?
  • Who is responsible for bringing a crashed environment / application back online?
  • Backups
    • Does the provider back up your data or is that left to the customer?
    • How many generations of backup are maintained in case you need to recover from a data corruption issue?
    • What is your RPO (recovery point objective) guarantee?
    • Are backups protected from theft and damage?
    • Are backups encrypted?
    • How are the encryption keys rotated and managed?
    • Are backups stored off-site?
    • How is backup data secured from loss or theft?
  • How does the service provider know who at your company is authorized to contact them by snail mail, email, or telephone and how do they authenticate the contact before making changes or releasing information?

I probably have missed a lot of questions and I would like to hear any other thoughts on this topic as well. Please feel free to email me or leave a comment.

Ron LaPedis, MBCP, MBCI, CISSP-ISSAP, ISSMP
Principal
Seacliff Partners International, LLC
