Small and mid-sized businesses (SMBs) must always be concerned with keeping their costs under control. With this in mind, more and more SMBs are looking to cloud services to provide them with enterprise-class services that their infrastructure budgets would otherwise not allow for.
While cloud services can definitely offer SMBs many benefits such as speed of implementation, flexibility, scalability and cost savings, I’ve found that many SMBs don’t always follow best practices when moving to the cloud.
Not only are there often unforeseen costs, there are often security implications that SMB management has not considered.
For SMBs that are ready to move to cloud-based services or are in the early stages of consideration, below are some important things to consider to help ensure a seamless and secure move when picking a cloud service provider:
- Get an Understanding of the Provider’s Security Controls: Every small or mid-sized business’s security needs and expectations are going to vary, so it is vitally important to understand if and how the vendor can meet those needs. There is a wealth of information available at the Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR), a publicly available registry that documents the security controls provided by various Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS) providers. The searchable registry allows users to review the security practices of providers under consideration. Make sure to also check the cloud vendor’s certifications and references and look for case studies of organizations that are similar to your own.
- Inquire about the Provider’s Data Backup Practices and Procedures: You must know how the prospective cloud provider backs up data, and what happens in the event of the provider being acquired, going out of business, or if you should decide to move your data to another provider. Do online research and reach out to other business owners to try to get a feel for the provider’s reputation and their uptime track record. Inquire about the locations of their data centers and the redundancy built into their infrastructure. Since you will not likely be doing a physical walkthrough of the data centers (although, if possible, I highly recommend it), be sure to inquire about their physical security and the controls over who has access to the data centers. Also inquire whether they are located in a colocation (shared) data center – if so, make sure to get as much information about the physical security as you possibly can (again, a visit is ideal).
- Secure Crystal Clear Service Level Agreements (SLAs): The best way to avoid issues and ensure good service is with solid SLAs with very clear contractual language. Many vendors will promise things like 99.99% uptime, but few are linked to financial penalties for underperformance. Look for cloud vendors who publish their performance metrics and have clear penalties outlined if they fail to meet their SLAs.
- Evaluate the Team: The value of the people behind a cloud service is paramount, and should not be underestimated. The vendor being staffed 24×7 is great, but inquire about the training program and the experience requirements for their staff.
- Test the Service: Most reputable cloud service providers will agree to allow you to test their service before you buy via a trial that is easy to deploy. The trial is usually limited in some way (bandwidth, storage, etc.), so while you will not be able to get an exact feel of how the service will perform under your production loads, you will get a good idea of what to expect. Also, during the trial, have someone make a call to the cloud service provider’s support desk to get an idea of what that experience may be like when you have a business-critical issue.
While all of the above are crucial when searching for a cloud provider, there are even more important things that an SMB must do to ensure a smooth transition and to minimize its security risks once a selection has been made.
SMBs must properly educate their employees on policies when it comes to using cloud services. Making your employees aware of not only the policies but also why they are important to the business helps to ensure employees know how and when to use cloud services securely and efficiently.
Mandating that employees only use business-approved cloud services is very important. In most businesses where a cloud service provider has not already been selected, there are already unauthorized cloud services being used by employees. These “rogue clouds” are usually not being used with malicious intent – they are usually set up by well-meaning employees who are trying to be more productive because there is no currently implemented solution to meet their needs. So, what are the potential risks of this? Imagine your sensitive company information, such as marketing materials for an upcoming product launch or your customer information, being stored beyond the control of your company. Employees generally don’t understand that they are introducing new risks to the business.
To prevent the proliferation of rogue cloud deployments, you should consider a “pick one” approach for each type of cloud offering. This means that you should work to identify what it is that users need and then, after doing the aforementioned research, standardize on a solution that meets the employees’ and the company’s needs. If users have a need for sharing large files outside the organization, or for collaboration tools, then choose a cloud solution that provides the needed tools, certify it, and implement controls on it. Then educate the users on the policies surrounding the implementation and forbid the use of competing cloud services.
The cloud can offer significant advantages over more traditional IT models, but it also introduces new risks. All SMBs need to understand the challenges and plan from the beginning – a failure can have a huge impact on your business. With limited IT resources and smaller budgets, SMBs cannot afford to learn about the potential hidden costs of cloud services the hard way.
If all of this seems daunting, and you would like to speak to someone about evaluating and certifying cloud service providers, as well as coming up with policies and an education plan for your employees, feel free to contact us as we would love to assist you in reaching your cloud services deployment goals.