Beyond the obligatory security and general risk questions you can obtain from any number of sources (e.g. the NZ Govt Cloud Risk Assessment Questionnaire), which you should tailor to your specific functional needs, there are a few extra questions where you need to be comfortable with the Cloud provider's response, or have the answer written into the contract, before you commit.
1. What is the ‘exit process’ for ensuring successful transition to an alternative offering?
As many organisations are still learning how to use Cloud services (and Cloud providers themselves are maturing), there will no doubt be some mistakes along the way. If you find yourself in a position where you decide to exit, you want the transition to another Cloud provider (or back on premise) to be as smooth as possible. How will the Cloud provider assist in extracting your data: in what formats, and at little or no cost? How will they ensure the removal of your data from their systems to your satisfaction, so that your data cannot become the subject of a future attack or of an internal Cloud provider data leak?
2. How do I restore my data if there is a failure?
For SaaS (Software as a Service) or PaaS (Platform as a Service) Cloud solutions, that is the Cloud provider's responsibility, not yours. For IaaS (Infrastructure as a Service) solutions, it is your responsibility, and you need to be clear how your data would be recovered in each failure scenario: for example, failure of the Cloud provider's Data Centre, failure of the IaaS platform within the Data Centre, or loss of data due to a customer mistake. Cloud providers can offer a range of solutions; some are quite turn-key, others you need to assemble yourself from a variety of supporting Cloud services.
3. What's your downtime history?
Your Cloud provider should explain the scenarios in which planned outages occur (for the likes of upgrades) and unplanned outages occur (due to platform failures or human error at their end). Their account of planned outages should explain how these are kept to a minimum and describe the solutions they have that allow most upgrades to occur with no outage at all. Unplanned outages are typically rare, and the industry is too new to extrapolate any long-term patterns (unless of course they have had a lot of failures), so what you really want to gauge is their level of transparency, e.g. do they welcome such questions, and do they even publish their outage history? Even the biggest Cloud providers can experience prolonged outages, such as Amazon's AWS service outage in February 2017. What is really important is how they handle such events and communicate them to their customers.
Many organisations have experience with SaaS and understand some of its risks, but PaaS and IaaS services are newer, and with them a lot more responsibility, and hence risk, sits on the customer's side. A clear Cloud roadmap that defines how Cloud services will be governed, how their risks will be mitigated, and how they will be implemented over time is required.
Cyma have experts at creating such roadmaps and aligning business objectives with technology solutions. If you’re looking for some advice in this space, we’re happy to help.