How to select a Cloud Service Provider
With data at the heart of egaming performance, the security risks attached are significant. With recent developments in European Data Protection and the MGA consultation document introducing regulatory and compliance concerns, selecting a cloud service provider just got more complex. In this series of articles, Scott Hanson lifts the lid on the best practice guidelines anyone using cloud services within egaming should adhere to.
In the third and final chapter to our Best Practice Guide: How to select a Cloud Service Provider, I will cover what I think are the add-on services which really make a difference to your business. Note that these are not requirements – yes, you can do without them – but just like that recyclable paper sleeve that accompanies your take-away coffee, they do make it a lot more comfortable to enjoy the service. Cloud services are not a commodity when enjoyed with the right supporting services.
Monitoring will support some of your regulatory requirements, and will also enable your business to take a proactive approach. Monitoring can happen purely at the platform level, or it can extend to the full managed service. With effective monitoring you have full visibility of performance and events, and can even pre-empt some incidents. With capacity reporting and trending reports, you'll be able to adjust your provisioning, plan for the future and better scope out new projects. In short, you will be able to take a proactive approach. By being better able to plan work, your IT team is yet again better able to use their time and resources. A key question to ask, whether monitoring is handled in-house or is outsourced, is 'who monitors the monitor?'
Audit trails of changes ensure full accountability and auditability in the event of an incident. Other factors within the discipline which contribute to minimised risk are system logs and security logs, as well as server change tracking. Look for cloud service providers which can provide the full catalogue of risk management practice, which always starts with a scope assessment, where key processes and dependencies are identified, and a risk register is maintained. With essential risk management processes in hand, compliance requirements become easier to handle, and operational routines absorb less IT resource. There are tangible business benefits in implementing change control measures, configuration management, and incident management.
The extras that make the difference
The cost of non-compliance with PCI DSS does not require a great deal of illustration. High-profile breaches have in the past attracted a lot of media attention, in part playing on end users' fears surrounding the integrity of their data, in part citing exorbitant remedial fees, and also no doubt from a data forensics angle, when it is unearthed how the breach could take place. Anyone who has been involved in preparing for a PCI audit knows the rigorous processes to adhere to, and the extensive reports that are required. The audit may be onerous, and in the public cloud the fear of a breach is real. When applying these requirements to a private cloud, partnering with the right specialists is critical. An operator whose card processing facilities are removed in response to an instance of non-conformance will also be subject to card scheme fines with no upper limit and forensic investigation costs. This, along with reputational damage, can harm a business beyond repair. It is important to understand how your CSP meets your compliance requirements, and ensure that they are able to maintain flexibility around these needs. A capable cloud service provider will offer managed services which are ISO certified, and have an understanding of PCI DSS requirements on your business, as well as an ability to work with you to establish which parts of the service are within scope or outside of it.
Here are the keys to managing risk:
Still think all these elements are nice-to-haves that are added onto a commodity service? The cost of not comparing service providers is that you may face:
– being tied to long contracts
– failing to realise full benefits of service
– lack of control
– lack of auditability
In summary, therefore, ensure that your deployment of cloud services meets the following checkpoints:
2 Geographic location
3 Backup and Disaster recovery
4 Right to audit
5 Reports for PCI compliance
We frequently run POCs (proofs of concept) for our clients and would be delighted to talk to you about your next project, whether it is running an additional environment or the launch of your startup. If you would like some more information on recent launches and recent clients, please get in touch with us!
Topics covered in this part of the guide – watch this space for further articles on these!