10 Questions You Must Ask When Buying a Cloud Solution

The essential questions to ask when researching and purchasing cloud solutions for your organisation
Attitudes towards cloud solutions are changing. Organisations previously cautious to embrace cloud solutions are now acknowledging that, in many areas, it is now the best way to deliver effective results.

There are several key reasons for this change, including:

- Cloud First Policy – mandate for central UK government to consider cloud solutions before all others when buying IT solutions, announced on 5th May 2013 (following the lead of federal US agencies in 2010).
- Creation of the G Cloud Procurement Framework – support from central government in the UK, heralded by the creation of the G Cloud Procurement Framework, is providing accreditation for cloud providers.
- Cost efficiencies – as budgets are squeezed, public and private sector organisations need to find further cost efficiencies and provide streamlined shared services. The flexibility of cloud services can often provide this for organisations.
- Lack of funding – the lack of funding from the banks to facilitate ongoing capital investment in internal infrastructure is encouraging organisations to find more affordable solutions.
- Improved security – the increasing robustness of cloud solutions, together with the improvement of security related concerns through careful development and management of security policies, means that concerns about cloud security can now be properly addressed.

But, for organisations that are now looking to buy a software as a service (SaaS) solution, there are still some concerns. How long could business continue and survive if you cannot access your data or your data was irretrievably lost? Are disaster recovery processes, without wider protection against insolvency, genuinely covering all the risks? These are legitimate concerns. Researchers McGladrey and Pullen estimate that a shocking 43% of businesses who lose electronically held data never reopen, and 29% close within two years.
We have put together 10 questions you should be asking any cloud service provider when buying a solution for your organisation, to help make sure you are properly protected.

1. Where will your data be stored?

Establish the countries where your data will be stored, processed, and transitioned. For ease, this should be the EU. But if it's further afield, you should take legal advice. It is generally not permissible under the Data Protection Act 1988 (as amended) to host data outside the EU (except with certain safeguards).

When you are dealing with a software or network vendor for a cloud solution, ensure the identity of your Data Centre provider is stipulated in your contract. Also, make sure that the nominated Data Centre provider will not be changed without your consent or knowledge. Assert that any change in control would entitle you to terminate your contract, for example if an EU hosting provider is acquired by a competitor or a foreign government.

2. How valuable is the data that will be stored or transmitted in the cloud?

Find out if any of the data going into the cloud will include personal details of customers or employees. Also, check whether any valuable commercial information, such as details of patentable inventions and legally privileged information, will be stored or transmitted in the cloud.
This type of data is clearly more valuable, sensitive and confidential than other data. As a result of this, a higher degree of due diligence around the Data Centre provider is required.

3. What are the data backup provisions?

Ascertain who carries out the data back-ups and what location they back up to. If the data held by the cloud solution is business critical or valuable for other reasons, someone should be mirroring or carrying out daily back-ups of the data in line with ISO 27001 and good industry practice. Identify who in your contract will be carrying this work out. Ideally the location of a back-up site (or, where the tapes will be stored if disc to disc back up is still used, the location of the secondary storage) should be sufficiently distant from the premier hosting site to ensure that both sites would be unlikely to be affected by the same set of circumstances, such as a natural disaster, floods, or a terrorist attack. At least 20 miles distance apart is a good guide. Also, do not assume that disaster recovery is included.

Ideally you should look for automated fail-over to the secondary site. At the same time, check the Recovery Time Objective (how quickly will the system be back up and running) and the Recovery Point Objective (how much data will be lost if they have to go back to the last back-up), to fully understand how your data will be backed up.
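The backup checks in question 3 can be turned into a repeatable due-diligence script. The following is an added example, not code from the original guide or from any provider named in it: it takes a provider's answers (backup interval, stated RPO and RTO, whether fail-over is automated, whether disaster recovery is actually in the contract, and the coordinates of the primary and secondary sites), compares them against your own requirements and the 20-mile site-separation guide, and lists every gap. The provider names, coordinates and requirement values below are constructed for illustration; the one check the guide does not spell out, which this adds, is that a stated RPO shorter than the interval between backups is not achievable and should be challenged.

```python
"""Backup and disaster-recovery due-diligence helper (added example)."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Tuple

EARTH_RADIUS_MILES = 3958.8


@dataclass
class BackupAnswers:
    """The provider's answers to the question-3 checks (all values constructed)."""
    provider: str
    backup_interval_hours: float      # how often a backup or replication completes
    stated_rpo_hours: float           # provider's stated Recovery Point Objective
    stated_rto_hours: float           # provider's stated Recovery Time Objective
    automated_failover: bool          # automated fail-over to the secondary site?
    dr_included_in_contract: bool     # disaster recovery explicitly in the contract?
    primary_site: Tuple[float, float]   # (latitude, longitude) in degrees
    secondary_site: Tuple[float, float]


def great_circle_miles(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Haversine distance in statute miles between two (lat, lon) points."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(h))


def assess(ans: BackupAnswers, required_rpo_hours: float,
           required_rto_hours: float, min_site_miles: float = 20.0) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Worst-case data loss is the whole interval between backups, whatever the
    # provider claims as RPO: data written just after a backup completes is lost.
    worst_case_loss = ans.backup_interval_hours
    if worst_case_loss > ans.stated_rpo_hours:
        findings.append(f"RPO-INCONSISTENT: stated RPO {ans.stated_rpo_hours}h cannot be "
                        f"met with backups every {ans.backup_interval_hours}h")
    if worst_case_loss > required_rpo_hours:
        findings.append(f"RPO-EXCEEDED: up to {worst_case_loss}h of data could be lost, "
                        f"requirement is {required_rpo_hours}h")
    if ans.stated_rto_hours > required_rto_hours:
        findings.append(f"RTO-EXCEEDED: stated RTO {ans.stated_rto_hours}h, "
                        f"requirement is {required_rto_hours}h")
    if not ans.dr_included_in_contract:
        findings.append("DR-NOT-CONTRACTED: do not assume disaster recovery is included")
    if not ans.automated_failover:
        findings.append("FAILOVER-MANUAL: no automated fail-over to the secondary site")
    distance = great_circle_miles(ans.primary_site, ans.secondary_site)
    if distance < min_site_miles:
        findings.append(f"SITES-TOO-CLOSE: {distance:.1f} miles apart, guide is "
                        f"at least {min_site_miles} miles")
    return findings


# Constructed sample answers: one provider that meets a 4h RPO / 8h RTO
# requirement, and one whose answers need to be challenged.
GOOD_PROVIDER = BackupAnswers("Example Hosting A (constructed)", 1, 1, 4, True, True,
                              (51.50, -0.12), (53.48, -2.24))
WEAK_PROVIDER = BackupAnswers("Example Hosting B (constructed)", 24, 4, 48, False, False,
                              (51.50, -0.12), (51.52, -0.10))

if __name__ == "__main__":
    for provider in (GOOD_PROVIDER, WEAK_PROVIDER):
        result = assess(provider, required_rpo_hours=4, required_rto_hours=8)
        print(provider.provider, "->", "OK" if not result else "")
        for line in result:
            print("  ", line)
```

Run against the two constructed providers, the first produces no findings, while the second is flagged on every check, including the secondary site sitting under two miles from the primary one. The `RPO-INCONSISTENT` finding is the one worth pressing a provider on in a meeting: a stated RPO can only be as good as the real backup or replication interval behind it.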
4. What size is the broadband link/network access to the Data Centre?

Determine the size of the broadband link to the Data Centre. As well, check what the failover provision is, should the primary link fail. Enquire how flexible the arrangements are, if you need additional capacity for a temporary or permanent increase in activity. And, if the data transfer is capped (e.g. on a monthly basis), find out if there is a charge for exceeding this cap. At the same time, establish if it is a true pay as you go agreement or if there is a minimum term with associated notice requirements.

5. Is the Data Centre insured?

Find out if the Data Centre provider is properly insured. This should include professional indemnity insurance for loss of data or breach of the Data Protection Act 1988 (as amended) and also cyber liability insurance. Make sure it is clear if you will have the benefit of these and the upper limit of cover. The value of your data could easily exceed the value of a Data Centre or cloud solution provider's liability to you under your contract. Ensure that appropriate caps on liability for loss of data (backed up by appropriate professional indemnity insurance) are provided. These are often unlimited or a substantial sum i.e. £5-10m per claim. It needs to cover the maximum fines which can be imposed, for example by the Information Commissioner, and also possibly reputational damage.

You may need to review and update this from time to time, if the nature and sensitivity of the data changes. The contract should also deal with the question of which party bears the risk in the case of security breaches. If the Data Centre provider is taking the risk, you should also require the Data Centre provider to have adequate insurance to cover the potential losses. Cyber-security policies are now available from a number of insurers.

6. What is the financial standing of the Data Centre provider and/or the cloud solution provider?

Always complete a full credit check on your Data Centre provider and/or the cloud solution provider, to see how financially creditworthy they are. And, if appropriate, ask them what would happen if they went out of business. Disaster recovery processes do not cover insolvency, and an "it will never happen" answer is not an acceptable response. In the current climate, all Data Centre providers should be monitored financially and it is worth considering a "new breed" escrow agreement, which covers cloud services. Be aware, particularly if you are a public sector body obtaining services from G Cloud (or other government framework agreements), that:

- There is in effect no Pre-Qualification Questionnaire which screens the financial status of cloud solution providers.
- The current OGC financial distress clauses in many public sector procurement contracts rely on suppliers financially monitoring themselves, which is not an ideal situation.
7. How easily can you retrieve your data?

Regardless of how your contract ends, ensure via the contract that you can readily access your data in an easily accessible format. This is particularly important where there is a contractual dispute with your Data Centre provider or cloud solution provider, who may be unwilling or unable to support you.

8. Does the Data Centre provider own the freehold to the premises where the servers are located?

Establish whether the Data Centre provider owns the premises where they host your data, which would be ideal. However, most don't, meaning you'll need to do some comprehensive due diligence work on back-ups and disaster recovery strategy in case of the insolvency of the Data Centre provider itself or the owner of the premises. For example, this could occur if one of the parties does not pay the electricity or telecommunications bill. These scenarios could disrupt your service at the Data Centre.

Also, check whether the Data Centre hosts your data on a dedicated server or stores it alongside third-party data. Endeavour to protect a dedicated server that you own by inserting retention of title clauses etc. in contracts with Data Centre providers.
9. What are the service levels to expect from the cloud solutions provider?

Stipulate appropriate service levels by the cloud solutions provider and describe the consequences if those levels are not achieved and maintained. Make sure you incorporate a demonstration of the service as part of the acceptance testing regime, with an option to terminate if service criteria are not achieved, or to withhold (part) payment until satisfied. Ask for evidence of appropriate security and disaster recovery measures.

10. Is there a SaaS Escrow agreement in place?

When purchasing a cloud solution, look to implement a "new breed" escrow agreement to protect you against complete data loss. This is often very cost effective as it can save you from the cost of unnecessary back-ups of your data and the configured software source code. With a "new breed" escrow agreement in place, you won't suffer blank screen syndrome where the Data Centre provider or cloud solutions provider goes bust, nor be held liable for loss of data, where you are a data controller and subject to legal obligations imposed by the Data Protection Act 1998.
Find out more about an affordable SaaS Escrow solution, AccessAssure, by visiting www.leaas.co.uk or calling 0800 456 1115