In the 2016 State of the Cloud Survey, RightScale reported that private cloud adoption increased from 63 percent to 77 percent, driving hybrid cloud adoption up from 58 percent to 71 percent year-over-year. It’s no surprise that cloud usage continues to rise: a whopping 95% of survey respondents said they are using the cloud in some way.
While cloud solutions and adoption continue to grow, the report did highlight an alarming trend: lack of resources or expertise is now the #1 cloud challenge (cited by 32 percent), supplanting security (cited by 29 percent). Security always needs to be top-of-mind when dealing with confidential organizational and client data, but with the rapid adoption of cloud solutions, key steps taken to protect this data can fall by the wayside for lack of resources.
The data center where all of your confidential information is stored needs to be vetted properly. I sat down with our experienced IT team and came up with a list of 13 questions you need to ask your data center provider (or a potential provider) along with the answers you want to hear to ensure the highest level of security.
Follow this guide when speaking with data center providers to fully vet them before making a decision. It’s also great information to have to pass on to your customers and put their minds at ease.
1. Where is your data center located?
Ideally, you want a data center that is located in the country you reside in, so that you have the option of getting to it relatively easily. At the same time, you do not want a data center down the road from your headquarters; it is good to have a little distance in case one site is affected by severe weather, natural causes, etc.
More specifically, you are looking for a data center that is at least in a second- or third-tier city: think Boston, Philadelphia, Baltimore, Atlanta, Denver, etc. You want to avoid data centers that are located in a tier-one city (New York, Chicago, DC and Los Angeles) because they are often targets and are more likely to experience mass power loss.
2. Do you have redundant data centers?
You want a redundant data center primarily to ensure backup. Say your data center goes offline because something causes a complete power failure. You need to know that your data is being replicated to another data center immediately so there is no chance of data loss.
Red Flag: Most data centers are redundant; it would be cause for concern if yours is not.
3. What happens in the event of a power failure?
What you want to happen is that the data center’s backup generators kick on, running off diesel fuel.
Dig a little deeper and ask about their power feeds. Most data centers have two power feeds coming into the building: one is the main feed, and the other is a priority feed similar to what hospitals have, which always has power; if necessary, they then kick over to the backup generator.
How long can you run on these backup generators?
Do you have a contract with a local agency to consistently deliver this diesel fuel?
4. What is your uptime rate?
Essentially you are asking how long your services stay up: what percentage can they guarantee? While it’s almost impossible to guarantee 100%, you’re looking for an answer as close to 99.99% as possible.
5. How often do you test your backup generators for functionality and load?
It should be done at least weekly, and ideally every other day. You want them to test that the backup generators kick on and that all systems are working properly with no major malfunctions.
Sound excessive? Keep in mind that these data centers are responsible for storing your clients’ sensitive information, your banking information, government databases, etc. It’s important to be diligent when trusting a third party with all of this.
6. How at risk is the data center for a natural disaster?
This may seem obvious, but don’t select a data center in tornado alley…or one on the beach…or next to a large cliff.
Red Flag: If they are located at any of the aforementioned locations prone to flooding, tornadoes, hurricanes, landslides, etc.
7. What is your disaster recovery plan?
First you want to hear that they have a plan to go on a second power line or fail over to generators.
Next, you want to hear that they are sending their data to another data center in the area that customers can still access.
Finally, you want to hear their restore plan. How do they plan on restoring your data back to the servers?
Red flags: Hearing that they don’t have a disaster recovery plan, a second power line, contracts with companies for fuel, and/or a second communications line for an ISP link (point to point).
8. Do you undergo audits to maintain compliance?
You want to make sure the provider you choose is up to code and in good standing. There’s a whole industry of data center compliance: HIPAA, PCI DSS, SAS 70, SSAE 16, SOC 1, SOC 2, SOC 3, etc.
It’s a lot of important acronyms, but they make sure your data is safe. Here’s a Data Center Standards Cheat Sheet that OnLine Tech put together summarizing the standards.
9. Who can access the data center outside of employees?
Can any person just walk in and say, “I need to access a rack in there”? Not good. There should be some sort of control mechanism where people log in or sign in, have their picture taken, and then are escorted to their rack or authorized area.
Red flags: shoddy security, free roam of the place, no escorts.
10. Can I access the data center at any time?
While you don’t want just anyone gaining access to the facility, you (or the designated authority) should be able to access the data center at any time, 24/7 if need be.
Take note that it should only be authorized people from your company. If someone claims to be from your company, the data center should call your lead contact person to verify.
Red flag: Helen from marketing can get into the data center without verification.
Is it under lock and key? Do you have biometric recognition, i.e., both a key card and a palm print/fingerprint?
Ask if they have different authentication areas throughout the facility, how the areas with generators are protected, what sort of security staff is employed and what their hours are.
Red flag: you can get in the data center with one tangible item (key card, key, fob), something that could be lost or stolen.
12. Are my racks in the data center secure?
Do they have locks on them, and can only data center employees access these locks? Note that someone should be escorting you to your rack.
Red flag: You are just given a key and directions to your rack.
13. Is my data secure from other clients that you host?
No one from a different network should be able to access or share your network. They should always provide dedicated networks, using VLANs or a networking device that segments networks.
We use this process to vet data centers that will store our sensitive and confidential information. Hopefully, this list helps you get a better sense of the level of security and preparedness of data centers that you may currently be using or are investigating as potential vendors.