Securing your data in the cloud
Everything you ever wanted to know about SaaS but were too afraid to ask
When outsourcing to the cloud, you need to trust the company that has access to the underlying infrastructure. Look for firms that have appropriate certifications such as ISO27001 (as a minimum), and ask them how they regulate and monitor their systems administrators' server access.
You must also ensure that the data is well backed up. Ask the vendor for its restore times and how many redundant copies are available. You should also ask about uptime/availability guarantees, and remember that for UK companies the data may need to be stored within UK borders for data protection purposes.
The risk with software-as-a-service (SaaS) is that all your eggs are in one basket. A solution is to disintegrate the stack, enabling you to move your software from one place to another. A typical example of this is using a third-party open source solution that is delivered as a hosted service on a separate hosting company's infrastructure. That way, if the software provider fails, you can still get to the data, and if the hosting company fails, the software company can help you transfer to a new host.
Many SaaS providers essentially run one application for thousands of clients, with their data mingling on the same infrastructure and in the same databases, separated only by the software itself. This is a security risk, because if there is a flaw in the provider's code, it could be exploited to allow access to other customers' data. This may not be a problem for some services, but for critical company or personal data you should obtain extra segregation.
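The shared-database risk described above, as an added example that is not from the article or from Memset: a small Python/sqlite3 model in which two constructed tenants share one table and are separated only by a tenant_id column. The flawed lookup filters on the record id alone, so a request from one tenant returns another tenant's row; the hardened repository applies the tenant filter inside every query so callers cannot omit it.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample: two tenants share one table, split only by tenant_id."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, amount REAL)"
    )
    conn.executemany(
        "INSERT INTO invoices (tenant_id, amount) VALUES (?, ?)",
        [("acme", 100.0), ("acme", 250.0), ("globex", 999.0)],
    )
    return conn


def lookup_invoice_flawed(conn: sqlite3.Connection, invoice_id: int):
    """Defect: filters only on the record id. The software layer that is meant
    to separate tenants is absent, so any tenant's row is returned."""
    return conn.execute(
        "SELECT tenant_id, amount FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


class TenantScopedRepo:
    """Hardened accessor: the tenant filter is added by the repository itself
    on every query, so a caller cannot forget it."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        self.conn = conn
        self.tenant_id = tenant_id

    def get_invoice(self, invoice_id: int):
        return self.conn.execute(
            "SELECT tenant_id, amount FROM invoices WHERE id = ? AND tenant_id = ?",
            (invoice_id, self.tenant_id),
        ).fetchone()

    def list_invoices(self):
        return self.conn.execute(
            "SELECT id, amount FROM invoices WHERE tenant_id = ? ORDER BY id",
            (self.tenant_id,),
        ).fetchall()


def demo():
    """Tenant 'acme' requests invoice 3, which belongs to 'globex'."""
    conn = build_db()
    return lookup_invoice_flawed(conn, 3), TenantScopedRepo(conn, "acme").get_invoice(3)
```

Running `demo()` shows the contrast: the flawed lookup hands back the globex row, while the scoped repository returns nothing for the same id.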
When weighing up SaaS suppliers, you must also see if they have a portability policy. Where a privacy policy discloses what a company can do with your data, a portability policy discloses how a user can access and transfer their data once it is stored with that firm.
Once you're clear on who has your data, where that data is held, what is being done with it and how it is protected, you need to establish what procedures are in place to allow you to migrate your data.
For SaaS providers, look for an API or tools to download your data in a usable, structured form. This could be as simple as a widget to download a CSV file, or it might be a fully fledged XML API. Failing that, and if taking the stack disintegration approach, ensure that the database in which the information is stored is transparent and well documented. As it is frequently not in a SaaS provider's interest to make data portability easy, this can be a sticking point.
As with any service provider contract, you should negotiate clear SLAs for your cloud provider. These should include, but not be limited to, clear metrics around performance, provisioning, change management, patching and vulnerability remediation.
Kate Craig-Wood is CEO of Memset