<img src="https://secure.ruth8badb.com/159098.png" alt="" style="display:none;">

Cadre Blog

Never miss the latest in IT Security! Subscribe Now.

9 Questions You Should Ask When Considering Cloud-Based Tech

Posted by Tim O'Connor on Oct 14, 2019, 9:20:40 AM

Questions to ask about cloud securityTo paraphrase Zoolander, cloud-based technology is so hot right now. There are good reasons for that—cost, scalability, and convenience—but if you haven’t asked the right questions, you may face an unpleasant surprise later on. It sounds dramatic, but it’s true—the wrong decision could substantially hobble your business strategy for years to come. 

That’s why we put together these nine questions to help you weigh potential drawbacks as you consider implementing a cloud-based strategy. They’re also useful in evaluating your current strategy and seeing where it could be stronger. 

1. Are you controlling your technology or is the technology controlling you?
This is the overarching question when you’re considering cloud-based tech. The cloud has many advantages at first glance (and maybe at every glance, depending on your situation) but you need to weigh many factors to see if you’re setting up a situation where your business strategy is dictating your technology or your technology is dictating your business strategy. If you evaluate answers to the rest of our questions, you should have an answer to this one.

2. Is your main motivation for moving to the cloud cost savings? 
If so, you may want to be especially careful crunching the numbers. There are a lot of good reasons to move to the cloud, but cost savings may or may not be the right reason. A lot of people don't realize that over time they are not getting the cost savings they expected because projects turn into something much more complicated. Would iterations or complications still put the price below the same changes happening internally? There’s the additional complication that the price the cloud vendor quotes isn’t always the actual long-term cost of the project. 

3. Is scalability a big concern? 
If yes, this is one of the most valid reasons to go to the cloud. You can scale a project effectively and efficiently. Of course, you should always compare to internal functionality, but chances are, the cloud’s scalability will always triumph.

4. How important is connectivity?
In general, the cloud is far more mobile- and remote-friendly option. After all, it’s a lot easier to get a mobile device to connect through the internet than it is to connect to a corporate network where you’re housing an application. If you’re building a consumer-facing app with a front end on a phone or a tablet or for use by people with laptops that are coming from outside of your organization, there's a big benefit to using a cloud-based product.  

5. Will you be leashed to one cloud vendor once you sign a contract? 
Perhaps the cloud is the right choice, but you become unhappy with the vendor after you’ve already deployed your data, product, or app.  Think in advance about your options in case pricing or service deteriorates significantly. What will it cost you to take your application or product and go somewhere else with it? Your options are to either go to that cloud vendor’s competitor or you take in back in house.  

The goal is to not get into a situation where you’re unhappy but are locked into a situation that hurts your business.  That’s why you must have this in mind when designing your product and shopping for a cloud vendor. Leave yourself the option to pull out of one cloud vendor and migrate to another or failover between two different cloud vendors. 

If you don't have a plan and an idea of how much it's going to cost you to go to a competitor or take it in-house, you could be locked in for a long time—and that’s bad for your business. 

6. Do you have full transparency into processes?  
If you don't understand how your information flows and how your cloud product works on a technical level, then your technology might be controlling you instead of vice versa. You must have an understanding of your cloud-deployed products or services beyond just a glossy brochure-level comprehension. You need to know exactly how your information is flowing, where it is, what formats it’s in, and how it's moving.  

Most organizations either don’t have the resources or the knowledge to assess and evaluate their connection to a cloud vendor, along with the flow of information. In that case, you should bring in a third party—someone with cloud expertise and auditing expertise. If you're going to shop for a third party to help you with transparency, find someone familiar with standards and practices and assessments. You need someone who is familiar with industry best practices and can perform an audit or assessment of your information, not just someone who says they're a cloud expert.

7. Are you the only entity in control of your information?  
This is a very important consideration. For example, in the Capital One breach, they had encrypted their data stored on AWS, but they weren’t the only ones with the keys. If that had been the case, it wouldn't have mattered that someone familiar with the AWS infrastructure was able to break into AWS because the hacker wouldn’t have been able to read the encrypted dataThe lesson: you should encrypt your data so the cloud vendor employees cannot read it. They should be able to house it, move it, and process it, but they shouldn't be able to read important dataYou must be proactive because, if you dig down into your agreements and SLAs, you’ll learn the vendor doesn’t take on all the risks to your data and your business processes. 

8. Do you understand how the cloud affects international data laws? 
The laws that affect your data are based on where your data is physically located. If you have a fairly decent cloud application that goes across different regions of the United States or the world, it demands a fair amount of legal expertise.  

On a very high level, this is how responsibility breaks down: when you copy data from North America to Europe or from United States to Canada, the cloud vendor ensures that you're not violating privacy policies. What you have in your data is not your cloud vendor’s business. That's your business--and if you don't know where your data is and you don't know what laws pertain to that data, you're potentially leaving yourself open to some very serious fines. 

9. Do you understand the top 3 risks to your infrastructure?
If you have a cloud product and you don't have an answer off the top of your head, you've got a really big problem. You should be aware of your weak spots and have a plan to address them. If you don’t, you should bring someone in to help you design a strategy.  

Overall, you need to make sure you consider all the pluses and minuses of being in the cloud.  Cost savings, scalability, flexibility and mobile access are all great, but weigh those advances against having a complete understanding of your processes and being able to control your own data technology.   

If you don’t have full answers to all nine questions, you’re not alone. Cadre can help you work out the answers and design a strategy. If you need help evaluating more in-depth questions to ask, please get in touch.  

New call-to-action

Topics: Security, Security Awareness