Recently, I discussed the importance of thoroughly investigating a cloud computing company before handing over your data or information technology operations to a stranger. This topic raises the question of how to go about investigating these companies. Some of the larger, public companies make some of the relevant information publicly available. For example, Salesforce.com publishes some of the statistics about its service at trust.salesforce.com, and there are the SEC filings that can be found through EDGAR.
But many of the cloud computing companies are small and private. So a lot of the information you would like to review is not publicly available. Regardless of the amount of money involved in the service contract, you should ask for the information you need to feel confident in the cloud provider. However, the amount of money involved will usually dictate the amount of information, if any, the cloud provider will disclose.
If the cloud provider will not disclose any information to you, that should send up a red flag. But if the cost of the service is low, you may not need as much information to get comfortable with the cloud provider. At a minimum, you should try to investigate the cloud provider’s ability to keep your data secure. Generally, you can find out if a cloud provider is SAS 70, ISO 27002, or ISO 27001 compliant, or if the cloud provider has been certified by TRUSTe or Verisign. If you can’t find even this information about the cloud provider, then you may want to reconsider engaging Leroy’s Cloud Computing Company as your cloud provider.