Before you get the benefits of a national cloud—cost savings, improved service delivery, sustainability—you need to know that your privacy and security strategy is bulletproof. How will sensitive data be shared and protected? Who should have access to it and who can be trusted with it? To make sure your privacy and security needs will be met, ask your IT staff six questions.
1. Have we documented the rules and regulations that are in place in our country?
Your IT team needs to fully understand the requirements around the use, security, and privacy of your information. For instance, governments may set restrictions on which types of data can be stored offsite or outside your own physical facilities. You may need to conduct a risk assessment of your data. Is it mission-critical? Are there personal privacy or national security implications? Is it considered a public record? Start here so you can identify the cloud model that applies to your needs.
2. Do international privacy/security standards apply in our country?
Some governments adhere to international standards such as ISO 27001 or SSAE 16, which certify that your organization follows a recognized system of controls for managing information. If such standards are mandated in your country, they’ll influence your approach to a national cloud model.
3. Have we formally documented our operating environment?
Based on the answers you get from the first two questions, you need to establish which types of cloud services you can implement, which types of information require protective measures (I addressed data and app classification for hybrid clouds in my last post), and which of your governmental agencies are affected by these standards.
4. Do we know if our cloud service provider can meet our specific requirements?
It’s not just your internal IT leadership that must understand your obligations for privacy and security. Be prepared to verify and document that your cloud service provider—whether it’s local or out-of-country—comprehends your country’s rules and regulations, and that it can design and manage a cloud service that conforms to your requirements.
5. Do we fully understand the terms of the contract that our cloud service provider is proposing?
Make sure you know what your service provider is contractually obligated to provide. It’s vital that you know this before an outage or security breach occurs. Identify the measures the service provider will put in place, such as third-party audits, to ensure it lives up to those obligations, and get it in writing.
6. Is the service provider technically equipped to protect our data?
Assess your service provider’s capabilities for providing encryption to protect data connections, such as traffic between the customer and the service provider and between the service provider and the data center, as well as encryption for data at rest. Don’t stop there. Can the service provider keep your data separate from other tenants’ data in a public cloud environment? Can they ensure you’ll have easy access to your information, and that your data stays in the country? Look for a provider that takes security as seriously as you do, and goes above and beyond to deliver it.
As always, asking the right questions upfront increases the likelihood of backend success. It’s especially true for a national cloud deployment. The answers you hear—or don’t hear—will tell you whether you’re ready to move to a national cloud, and will guide your strategy for ensuring the privacy and security of your data once you get there.
Have a comment or opinion on this post? Let me know @Microsoft_Gov. Or e-mail us at email@example.com.