10 Questions You Must Ask When Buying a Cloud Solution
The essential questions to ask when researching and purchasing cloud solutions for your organisation
Attitudes towards cloud solutions are changing. Organisations previously cautious about embracing cloud solutions are now acknowledging that, in many areas, it is the best way to deliver effective results.
There are several key reasons for this change, including:
Cloud First Policy – a mandate for central UK government to consider cloud solutions before all others when buying IT solutions, announced on 5th May 2013 (following the lead of federal US agencies in 2010).
Creation of the G Cloud Procurement Framework – support from central government in the UK, heralded by the creation of the G Cloud Procurement Framework, is providing accreditation for cloud providers.
Cost efficiencies – as budgets are squeezed, public and private sector organisations need to find further cost efficiencies and provide streamlined shared services. The flexibility of cloud services can often provide this.
Lack of funding – the lack of funding from the banks to facilitate ongoing capital investment in internal infrastructure is encouraging organisations to find more affordable solutions.
Improved security – the increasing robustness of cloud solutions, together with the careful development and management of security policies that address security-related concerns, means that concerns about cloud security can now be properly addressed.
But, for organisations that are now looking to buy a software as a service (SaaS) solution, there are still some concerns. How long could your business continue and survive if you could not access your data, or if your data was irretrievably lost? Do disaster recovery processes, without wider protection against insolvency, genuinely cover all the risks?
These are legitimate concerns. Researchers McGladrey and Pullen estimate that a shocking 43% of businesses that lose electronically held data never reopen, and 29% close within two years.
We have put together 10 questions you should be asking any cloud service provider when buying a solution for your organisation, to help make sure you are properly protected.
1. Where will your data be stored?
Establish the countries where your data will be stored, processed, and transferred. For ease, this should be the EU. But if it is further afield, you should take legal advice. It is generally not permissible under the Data Protection Act 1998 (as amended) to host data outside the EU (except with certain safeguards).
When you are dealing with a software or network vendor for a cloud solution, ensure the identity of your Data Centre provider is stipulated in your contract. Also, make sure that the nominated Data Centre provider will not be changed without your consent or knowledge. Ensure that any change of control entitles you to terminate your contract, for example if an EU hosting provider is acquired by a competitor or a foreign government.
2. How valuable is the data that will be stored or transmitted in the cloud?
Find out if any of the data going into the cloud will include personal details of customers or employees. Also, check whether any valuable commercial information, such as details of patentable inventions and legally privileged information, will be stored or transmitted in the cloud.
This type of data is clearly more valuable, sensitive and confidential than other data. As a result, a higher degree of due diligence around the Data Centre provider is required.
3. What are the data backup provisions?
Ascertain who carries out the data backups and what location they back up to. If the data held by the cloud solution is business critical or valuable for other reasons, someone should be mirroring or carrying out daily backups of the data in line with ISO 27001 and good industry practice. Identify in your contract who will be carrying out this work. Ideally the location of a backup site (or, where the tapes will be stored if disk-to-disk backup is still used, the location of the secondary storage) should be sufficiently distant from the primary hosting site to ensure that both sites would be unlikely to be affected by the same set of circumstances, such as a natural disaster, floods, or a terrorist attack. A distance of at least 20 miles apart is a good guide.
Also, do not assume that disaster recovery is included.
Ideally you should look for automated failover to the secondary site. At the same time, check the Recovery Time Objective (how quickly the system will be back up and running) and the Recovery Point Objective (how much data will be lost if they have to go back to the last backup), to fully understand how your data will be backed up.
4. What size is the broadband link/network access to the Data Centre?
Determine the size of the broadband link to the Data Centre. As well, check what the failover provision is, should the primary link fail. Enquire how flexible the arrangements are, if you need additional capacity for a temporary or permanent increase in activity. And, if the data transfer is capped (e.g. on a monthly basis), find out what the charge is for exceeding this cap. At the same time, establish if it is a true pay-as-you-go agreement or if there is a minimum term with associated notice requirements.
5. Is the Data Centre insured?
Find out if the Data Centre provider is properly insured. This should include professional indemnity insurance for loss of data or breach of the Data Protection Act 1998 (as amended) and also cyber liability insurance. Make sure it is clear whether you will have the benefit of these and what the upper limit of cover is. The value of your data could easily exceed the value of a Data Centre or cloud solution provider's liability to you under your contract. Ensure that appropriate caps on liability for loss of data (backed up by appropriate professional indemnity insurance) are provided. These are often unlimited or a substantial sum, e.g. £5-10m per claim. It needs to cover the maximum fines which can be imposed, for example by the Information Commissioner, and also possibly reputational damage.
You may need to review and update this from time to time, if the nature and sensitivity of the data changes. The contract should also deal with the question of which party bears the risk in the case of security breaches. If the Data Centre provider is taking the risk, you should also require the Data Centre provider to have adequate insurance to cover the potential losses. Cyber-security policies are now available from a number of insurers.
6. What is the financial standing of the Data Centre provider and/or the cloud solution provider?
Always complete a full credit check on your Data Centre provider and/or the cloud solution provider, to see how creditworthy they are. And, if appropriate, ask them what would happen if they went out of business. Disaster recovery processes do not cover insolvency, and an "it will never happen" answer is not an acceptable response. In the current climate, all Data Centre providers should be monitored financially and it is worth considering a "new breed" escrow agreement, which covers cloud services. Be aware, particularly if you are a public sector body obtaining services from G Cloud (or other government framework agreements), that:
There is in effect no Pre-Qualification Questionnaire which screens the financial status of cloud solution providers.
The current OGC financial distress clauses in many public sector procurement contracts rely on suppliers monitoring their own financial status, which is not an ideal situation.
7. How easily can you retrieve your data?
Regardless of how your contract ends, ensure via the contract that you can readily access your data in an easily accessible format. This is particularly important where there is a contractual dispute with your Data Centre provider or cloud solution provider, who may be unwilling or unable to support you.
8. Does the Data Centre provider own the freehold to the premises where the servers are located?
Establish whether the Data Centre provider owns the premises where they host your data, which would be ideal. However, most don't, meaning you'll need to do some comprehensive due diligence work on backups and disaster recovery strategy in case of the insolvency of the Data Centre provider itself or the owner of the premises. For example, this could occur if one of the parties does not pay the electricity or telecommunications bill. These scenarios could disrupt your service at the Data Centre.
Also, check whether the Data Centre hosts your data on a dedicated server or stores it alongside third-party data. Endeavour to protect a dedicated server that you own by inserting retention of title clauses etc. in contracts with Data Centre providers.
9. What are the service levels to expect from the cloud solutions provider?
Stipulate appropriate service levels by the cloud solutions provider and describe the consequences if those levels are not achieved and maintained. Make sure you incorporate a demonstration of the service as part of the acceptance testing regime, with an option to terminate if service criteria are not achieved, or to withhold (part) payment until satisfied. Ask for evidence of appropriate security and disaster recovery measures.
10. Is there a SaaS Escrow agreement in place?
When purchasing a cloud solution, look to implement a "new breed" escrow agreement to protect you against complete data loss. This is often very cost effective as it can save you from the cost of unnecessary backups of your data and the configured software source code. With a "new breed" escrow agreement in place, you won't suffer blank screen syndrome where the Data Centre provider or cloud solutions provider goes bust, nor be held liable for loss of data, where you are a data controller and subject to legal obligations imposed by the Data Protection Act 1998.
Find out more about an affordable SaaS Escrow solution, AccessAssure, by visiting www.leaas.co.uk or calling 0800 456 1115.