Selecting a cloud service provider for backing up public debt databases

Following our presentation on “ICT for Effective Debt Management” at the Asian Regional Public Debt Management Forum (organised by the Asian Development Bank in Istanbul in May last year), a number of debt managers have contacted us wanting to know how they should approach and select a service provider to back up their public debt databases in the cloud.

In this blog, José Maurel (PDM Practice) and Sanjay Lollbeharree (Debt Management System Expert) discuss what to look out for and provide some general guidance on the matter. In doing so, they make two key assumptions:

  • That the DMO staff would already be familiar with cloud computing as well as the various service and deployment models that exist. If not, the very first step would be for them to familiarize themselves with the subject matter; and
  • That their intention is to use cloud computing technology for data backups only, as opposed to running applications in the cloud, which would entail an additional set of considerations.

Defining the organisational needs and environment

The very first step is to have a clear understanding of the organisation’s needs and of the environment in which the debt office operates. Organisational needs comprise a number of considerations: How much data needs to be backed up? At what interval? What level of security is required? The operating environment is a mix of technical and non-technical issues: What is the quality of internet connectivity? How critical is it for the organisation to be able to retrieve a backup within a given period?

Most Debt Management Offices (DMOs) are under the purview of Ministries of Finance which, in turn, are part of the public sector. It will therefore be crucial to review any laws, regulations or guidelines pertaining to the use of cloud computing in government. In the absence of such documents, special clearance may be required before proceeding further.

If there are other public institutions already using cloud facilities for data backups, the DMO would want to talk to these organisations to find out more about their experience. If the MOF is itself using cloud technologies for backing up data for other applications (e.g. IFMIS), then the possibility of a collaborative effort should be considered. As we discuss later, an important consideration when dealing with a cloud service provider is the balance of power that exists between the client and the provider. All other things being equal, bigger clients are more likely to secure better deals.

Choosing a cloud service provider

It is extremely important to choose the cloud provider with the utmost care. Due diligence on the company should be carried out: Where is it incorporated? How long has the company been operating? Is the company financially stable? How reputable is the company? Have there been, or are there any pending, lawsuits against the provider? What are the business continuity contingency arrangements in case the primary site or storage fails? Does the service provider already have public sector or government institutions as clients? It will also be important to determine whether the company actually hosts the data or is a reseller that uses a cloud hosting company. Finally, one should try to talk to existing customers. Some providers are happy to provide a list of clients who can be contacted.

Legal issues

A number of legal issues will need to be looked at and professional advice sought. The DMO should ensure that its plan to use a cloud hosting company actually conforms to domestic law as well as public procurement rules and regulations. Also, many countries have implemented data protection laws and the DMO should ensure that any decision taken is in conformity with such legislation.

Another important legal issue is the jurisdiction where the data will be physically held. This should be clearly stated in the contract with the cloud hosting company. It would also be helpful to understand what the legislation of that jurisdiction says about the protection, privacy and sovereignty of the data. Moreover, if the cloud hosting company is foreign, it will be important to determine in which jurisdiction disputes will be resolved.

There will also be a number of legal issues relating to liability in events such as termination, exit clauses, migration, data breaches etc. Each of these areas needs to be looked at in detail.

Service level agreement (SLA)

Much time will be spent on the SLA. The SLA is “a contract between a service provider (either internal or external) and the end user (the DMO in this case) that defines the level of service expected from the service provider”. There is sometimes a temptation to use SLA templates and to just “fill in the blanks”. Even if a template is used, the final document must be scrutinised and carefully vetted before an agreement is reached.

The SLA will touch on a number of key issues including:

  • A description of the service to be provided
  • Responsiveness and reliability e.g. uptime requirement
  • The number of copies and generations of data to be kept
  • How the service level will be monitored and reported
  • The frequency of data verification tests and verification reports
  • Procedures to report any issue arising
  • The consequences of not meeting the agreed service level
  • The limits of liability specified
  • Escape clauses, constraints etc.

A general consideration is that the DMO should ensure that requirements are specific and precisely defined and that the service level is quantifiable and measurable.

Technical Issues

An equally important aspect will be the technical considerations for, in many ways, these will determine the performance, reliability and security of the backup system being implemented. Cloud technology is a fast-changing environment and it is worth using the services of an expert to ensure the interests of the DMO are safeguarded.

According to Dr Sanjay Lollbeharree, Debt Management System Expert, there is a long list of technical issues to be considered including:

  • What is the underlying technology of the service provider’s backup solution, and are there any compatibility issues with the client’s platform that would affect the solution’s operation?
  • What data mirroring options exist to protect the service provider’s storage solution in case of failure? What are the contingency plans in place in the event of a disaster?
  • What is the level of encryption offered by the service provider and what is the minimum requirement (if any) imposed by government? Consideration should also be given to whether the data is encrypted in transit or only upon reaching the cloud. In the event of a data security breach, what avenues are available to clients to seek redress?
  • What is the password management policy of the service provider? What are the options in case a password is forgotten? For certain high levels of security and privacy, if a password is forgotten, it may be impossible even for the service provider’s employees to restore the data.
  • How are the backups accessed when a restore is required, and how easy is it to restore the files? For how long are earlier versions of a backup kept, in case earlier generations of the backup need to be restored?
  • Service providers may well be operating in a different time zone from their clients. One should therefore also make sure that the provider offers 24-hour support in case problems arise which need urgent resolution.
  • How up to date is the cloud service provider’s certification and regulatory/legal compliance in jurisdictions where the government is running a certification program?
  • What is the bandwidth requirement for the backup, which may be high if the data is voluminous? Does the service provider’s solution support incremental backup, which adds changes only, rather than undertaking a complete fresh backup, which will very likely consume high bandwidth?
  • What is the minimum length of a contract and what are the options and liabilities if a contract is to be terminated early?
  • Does the solution support data deduplication, which reduces storage size and therefore cost and possibly bandwidth requirements?
  • What is the frequency of the backup (e.g. daily, weekly) and what is the limit of the storage capacity? Depending on subscription plans, some service providers offer unlimited capacity which could be attractive in case of large backups with various generations to be kept over long periods.
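
How incremental backup, deduplication, retained generations and verification on restore fit together, as an added example that is not from the original post or from any provider's product. The names `ChunkStore` and `sample_db`, the file names and the 4 KiB chunk size are assumptions, and the data is constructed.

```python
import hashlib

CHUNK = 4096  # fixed chunk size; real products often use variable-size chunks

class ChunkStore:
    """Stand-in for the provider's storage: chunks keyed by their SHA-256."""

    def __init__(self):
        self.chunks = {}        # digest -> chunk bytes (each stored once)
        self.generations = []   # one manifest (file -> digests) per backup run

    def backup(self, files):
        """Send only chunks the store does not hold; return bytes uploaded."""
        sent, manifest = 0, {}
        for name, data in files.items():
            digests = []
            for i in range(0, len(data), CHUNK):
                piece = data[i:i + CHUNK]
                digest = hashlib.sha256(piece).hexdigest()
                if digest not in self.chunks:   # new or changed content
                    self.chunks[digest] = piece
                    sent += len(piece)
                digests.append(digest)
            manifest[name] = digests
        self.generations.append(manifest)
        return sent

    def restore(self, generation, name):
        """Rebuild a file from one generation, verifying every chunk."""
        out = bytearray()
        for digest in self.generations[generation][name]:
            piece = self.chunks[digest]
            if hashlib.sha256(piece).hexdigest() != digest:
                raise ValueError(f"chunk {digest[:12]} failed verification")
            out += piece
        return bytes(out)

def sample_db():
    """Constructed 40 KiB stand-in for a debt database export."""
    return b"".join(hashlib.sha256(str(i).encode()).digest() for i in range(1280))

def demo():
    store, db = ChunkStore(), sample_db()
    # Day 1: the database plus an identical copy; the copy costs no upload.
    first = store.backup({"loans.db": db, "loans_copy.db": db})
    # Day 2: one byte changed, so only the chunk containing it is sent.
    changed = db[:13000] + bytes([db[13000] ^ 0xFF]) + db[13001:]
    second = store.backup({"loans.db": changed, "loans_copy.db": db})
    assert store.restore(0, "loans.db") == db   # earlier generation intact
    return first, second

if __name__ == "__main__":
    print(demo())
```

On the constructed data the first run uploads 40,960 bytes and the second 4,096, the kind of measurable figure against which a bandwidth or storage requirement can be stated.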

 

Dr Lollbeharree further adds that “some service providers may also offer a hybrid backup option whereby backups are cached on-premises to avoid long restore times in case a restore is required. Another option to minimize restore times is the possibility of getting backups on disk instead of a lengthy download through the internet. Certain providers can ship such storage devices containing the backup. This can be important in case a short recovery time is required and network connectivity is slow or unreliable”.

Conclusion

From the points raised above, it is clear that choosing a cloud service provider – even if it is only for storing data backups – needs to be approached carefully and within the overall disaster recovery and business continuity strategy and plans of the DMO. More and more companies are offering hosting services in the cloud and there is a growing trend for institutions, private or public, to benefit from such services. There is therefore a widening choice available to institutions at increasingly competitive prices.

A balance will still need to be struck between the DMO’s requirements and cost. Obviously a standard package will be cheaper than a customised solution. As indicated earlier, the DMO’s negotiating power is likely to increase if it teams up with other departments or Ministries – which may or may not be possible.

DMOs should choose a cloud service provider with care for a potentially long partnership and, above all, seek independent professional advice – both technical and legal – whenever required.