(206) 838-5400
Contact Us
Hubspan Connections Blog
 
Sign up for our free expert email series
 
Contact Us

See how Hubspan can help solve your integration challenges.

verification image, type it in the box

* marks required field

 
Case Studies
Hubspan Survey
 
« Back to Hubspan Connections Blog

Cloud Security Basics: Disaster Recovery and Audit Capabilities

Posted by on April 5, 2010

We’ve previously talked about the six things every CIO should ask a vendor about cloud security, and what your vendor needs to know about the basics of securing your physical systems and applications. We’ve also discussed how to make sure your data is protected and secure in the cloud.

Now we are moving further in the discussion to cover security audits and disaster recovery and how this is related to overall cloud security.  Key questions to ask a cloud vendor around this are:

  • What third-party groups audit their security?
  • How does the vendor respond to intrusions?
  • What is their disaster recovery plan and how does data security figure into those plans?
  • What visibility do you have into the process?

The first question gives you an idea of how the company ensures compliance with the practices outlined in our blog about Access Controls. The second is essential, because you can’t assume or trust that any network, cloud-based or not, will ever be 100% secure. The third speaks to a commonly-overlooked area of security – ensuring that data stays secure and available during crisis situations. The fourth speaks to the reason why you’re asking all of these questions in the first place – to gain visibility into the safety of your data.

We’ll address disaster recovery first, because many people don’t think of the security implications of disaster recovery plans.

Disaster Recovery

  • Your vendor’s security story needs to include a business continuity plan. First of all, they need to have a failover system or backup data center. They should also be able to convincingly demonstrate to you that they can execute their backup plan. Many of the biggest cloud computing outages in recent memory were the result of a failure of the disaster recovery processes.
  • Secondly, this secondary datacenter needs to have all of the same security processes and procedures applied to it as the primary one. It’s worthless to have a second system in place, if you cannot operate securely in that environment.
  • Finally, if there were some sort of impending disaster, they need to notify you in advance. Keep in mind you may not always know where your data is physically located, so the onus of reporting is on your provider.

Audits and Reporting

  • We’ve talked a lot about setting up secure systems, but it’s equally important to know your vendor can audit them. An audit system is the best way of identifying irregularities that could lead to security breaches, as well as an invaluable tool for post-breach analysis.
  • From there, what does your vendor do when things go wrong? A good SLA would have an intrusion notification clause built-in. A great SLA would provide some transparency into the vendor’s operations in the areas of audits and compliance and how those processes are comparable to your own requirements.
  • That having been said, your cloud computing vendor should already be engaging in its own annual security audits. Audits of access systems for physical IT infrastructure are vital to protect the integrity of a provider’s data center. Audits for systems changes, general security audits from outside vendors and regular penetration testing are quickly becoming industry standards and included in most mandates, such as PCI or SAS 70.
  • At Hubspan, we conduct quarterly audits and penetration tests using an independent third-party security audit provider.  Our quarterly auditing frequency is 4 times what is considered typical industry specifications (e.g. PCI DSS version 1.2 - the current PCI specification, mandates an annual security audit).

Tags: , , ,

No Comments »

No comments yet.

Leave a comment

© 2012. All rights reserved.



Site by Portent, an Internet Marketing Company