This post was originally published on Business.com.
The “cloud” is a popular marketing buzzword in business today. Despite the fervor surrounding it, many are still uncertain about what this term actually means.
With current reports indicating 88 percent of companies are using public cloud services—and 63 percent are using private cloud services—business leaders should understand how the cloud functions and also how their organizations’ sensitive information will be secured and managed.
A recent survey shows 93 percent of enterprise-level businesses are using CSPs (cloud service providers) in 2015, but 68 percent of those run less than a fifth of their application portfolios in the cloud. Big businesses are obviously interested in the cloud, so why are many of them keeping the majority of their data off of it?
The proliferation of data digitalization has resulted in the need for strong security compliance regulations to protect the privacy of consumers, businesses, and stakeholders — particularly for companies that maintain credit card numbers, patient health information and personal client or employee details.
Data security breaches can result in the loss of millions of dollars in profit and in customers’ trust. Further, this may lead to lawsuits or substantial government fines for noncompliance. Having a plan to mitigate data security risks is critical as business leaders face a tough choice between the convenience of cloud-based data management and the inherent risks of giving up complete control over data security.
To decide whether you should move your data to the cloud, consider the following areas of potential risk:
When entrusting a vendor with the storage and handling of your data, remember you’re ultimately at the mercy of that company’s reliability. What happens to your data if your CSP changes its terms or goes out of business? Or, what if a breach occurs in your environment?
More than likely, you have control over how to handle and communicate it. Conversely, should a CSP breach occur, control isn’t guaranteed.
Different industries cope with varying levels of data security risks and compliance regulations.
Without a clear understanding of your industry’s requirements and how your provider will meet those needs, you could end up dealing with a big mess if, for example, your CSP does not fully comprehend the Health Insurance Portability and Accountability Act (HIPAA) regulations.
Paying a third party to host data can cost more than managing it in-house, and choosing the wrong package can lead to hidden fees. Once you send data to the cloud, your CSP has leverage because your process is ingrained in that cloud platform.
While it may seem like a good deal at first, what if prices increase next year? Other hidden costs include the resources needed to set up applications in the cloud, as well as unexpected usage rates that could increase exponentially without appropriate contract terms.
There are several ways to reduce risk when considering a cloud-hosted data solution:
1. CHOOSE YOUR VENDOR WISELY
Find out everything you can: How long has it been in business? Is it well-funded? Does it have a solid reputation within your industry? What kinds of service level agreements (SLAs) and contract protections does it offer? Answering these questions helps to determine whether a CSP will live up to its promises.
Transparency is key. Confirm you’ll be able to monitor your CSP—SLAs are important, but if a CSP doesn’t offer to report against those SLAs, move on to the next vendor. Make sure to vet all SLAs upfront, and confirm that recourse for failure to meet them is clearly stipulated in the contract.
2. UNDERSTAND YOUR NEEDS
Before a CSP can meet your needs, understand the scope of any regulations with which you must comply. Start by establishing data security classifications. Not all data is created equal, so determine whether it’s public, private or confidential.
Clarify exactly how it’ll be handled (e.g., whether sensitive data will be encrypted as it’s sent and received online, per HIPAA). Work with a compliance expert to cover all bases, and confirm the information restricted within your organization will have the same safeguards when sent via the cloud.
Some smaller CSPs may employ marketing techniques used by the bigger ones by claiming a “HIPAA compliant” status (or any number of other certifications). In reality, they might have done that assessment themselves and not taken into account all of the requirements. Be wary—this means they won’t understand yours.
3. CRUNCH THE NUMBERS
Find out what kind of recourse is available if the CSP fails to meet SLAs: What if service goes down? How much will implementation cost, and does the CSP offer those services? Are you covered for usage spikes? (You risk being overcharged if you sign a pay-per-use contract.)
Once you understand these costs, compare them to the price of hosting data in-house. Be sure to factor in seasonal increases or decreases in sales and projected growth to understand the true cost of scaling your solution to meet the evolving needs of your business.
4. HAVE A BACKUP PLAN
Vetting vendors and running numbers will help reduce risk, but there’s no way to completely avoid it. Create disaster recovery plans that include steps your business would take if your CSP suffers a catastrophic event.
Learn how data will be backed up should you lose access. A multi-cloud strategy prevents all of your data from residing in the hands of a single vendor or from being housed on a single server. According to the survey mentioned above, 82 percent of enterprises using cloud services implemented multi-cloud strategies in 2015.
Cloud computing can optimize your data security and compliance requirements with proper planning, but business leaders should remember there’s no “one size fits all” solution when it comes to data management.
Making the decision to move to a cloud-based solution (or to manage data internally) requires a complex analysis of the needs, benefits, risks, and costs for each business on an individual basis.