This article was updated on June 13, 2018.
Cloud providers offer a cost-effective, convenient and highly reliable way for companies to purchase technology services without the need to build their own technology infrastructure. However, according to SecurityWeek, there are trade-offs between security and ease of use that pose a financial risk. When organizations evaluate cloud services, there are specific questions for cloud providers that finance executives should ask.
After all, adopting cloud services is not an all-or-nothing proposition. With all the benefits cloud computing provides, there remain legitimate reasons not to use the cloud, including security, risk, cost considerations, culture and organizational capabilities.
To evaluate these trade-offs, here are five of the top questions finance executives should ask cloud providers.
1. How Does Your Data Encryption Work?
You should ask cloud service providers about their encryption policies and procedures. Inherent in the design of cloud computing services are applications that are running on remote servers, using a shared data center infrastructure outside of your physical network. Therefore, data sent between the cloud service and your stakeholders must be transmitted over the internet, exposing it to potential breaches. One way to protect that data is to encrypt it, notes Enterprise Networking Planet.
Data breaches and compliance violations are serious risks that can cost organizations money (fines and penalties) and customers. An organization may choose not to use the cloud for mission-critical data and services, even if the cloud solution is secure. Understanding how a cloud provider secures data informs this decision.
2. What Compliance Certifications Does Your Organization Meet or Exceed?
Compliance certifications aim to ensure measures are in place to protect the privacy of the people whose data is stored on computer networks, whether on cloud services or not. Depending on the industry, compliance programs could include the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI DSS), or TRUSTe and/or AICPA SOC, to name only a few.
Finance executives should ask cloud providers to provide proof of certifications that demonstrate the vendor meets or exceeds the same compliance requirements that their organization must meet. An organization must decide whether to trust a cloud service's ability to be compliant.
3. How Is My Data Segregated From Other Customers?
Using shared resources is what makes cloud services so efficient. The question you want answered, however, is "How is my data separated from other customer data?" You want the benefits of shared resources, but the security of separation.
4. What Does the Audit Trail Process Look Like?
Security breaches can occur both from unauthorized outside threats and from employees, contractors and others who are authorized. As noted by Computer World, when breaches occur — which many security experts believe is a significant risk — companies need the ability to monitor and track usage activity.
Finance executives should ask how activity is tracked in log files and whether they will get access to those log files. Auditing log files and tracking usage may not seem preventative in the way that encryption and data segmentation are, but it's an important security measure that should be in place in the event of a breach.
5. What Is Your Disaster Recovery Plan?
If it's true that security breaches are seemingly inevitable, then executives should take deliberate steps to minimize the damages (and service downtime) that a breach can cause. The good news for cloud computing is that it is often designed with disaster recovery in mind, with built-in redundancies, backups, and disaster recovery, according to the American Bar Association. Reputable cloud providers will have all these in place and detailed disaster-recovery plans readily available at your request. In fact, some cloud providers publish their disaster recovery plans on Amazon Web Services for anyone to read.
When it comes to evaluating cloud providers, it's important to realize there is a delicate balance between security risks, the ease and efficiency of shared resources and cost implications. Organizations also need to remember that, if they move their core business processes to the cloud, those services will often not cover the manual, administrative and risk-laden processes associated with compliance activities. These functions stay outside the cloud and continue to add cost and risk.
By asking the right questions, finance executives can understand these trade-offs and go on to make informed decisions about whether to adopt cloud services. Minimizing risk while gaining the financial and operating benefits of cloud services is what finance executives should be focused on. This may mean taking a hybrid approach and using the cloud for some services and not others.