10 questions to ask a potential data storage vendor

10 questions to ask a potential data storage vendor

A healthcare provider organization that has outgrown its data storage capabilities or does not possess resources to store data security may consider partnering with a company specializing in data storage, says David Stalcup, chief technical architect at Sanity Solutions, a Denver-based IT and data management vendor. With the organization’s data at stake, finding an expert and reliable partner is essential. Here are 10 questions that all potential data storage vendor partners should be asked.

Are you government compliant?

To mitigate legal concerns, ensure that the data storage vendor is up to date with all government regulatory compliance requirements such as PCI, HIPAA and SOX. Each governing body has a specific method of testing for compliance. You will want to understand the parameters of compliance and validate that a vendor has all compliance metrics strictly enforced.

How long have you been in business?

When it comes to an organization’s data, trusting a new and untested startup is risky. Make sure that a potential vendor is an established company with the necessary experience to manage the data. If it is a publicly traded company, review their financials. If it is a private startup, review their funding and ask questions about their current customer base. Speaking with current customers is always a great source of information.

Where will the data be stored?

The location where data will be kept is critical. Ensure the organization’s data will be stored in the country where the organization is doing business and that the data storage vendor is bound by, and following, the laws of that country. Vendors with multiple locations are always deemed more readily equipped to handle geo-distribution needs.

How secure will the data be?

Vendors are not immune from data breaches. Determine the methodology and technology the company will use to protect and control access to the data and ensure that it meets current security trends and regulations. Also, understand the frequency and depth of the provider’s penetration testing and authentication methodology. Two-factor authentication can protect against brute-force attacks.

How will the vendor deal with a government subpoena?

First, familiarize yourself with the Stored Communication Act (SCA), which provides the details of how the government can subpoena your data, and it details your rights after a subpoena has been issued. Insist that your organization’s primary objective is to place within the agreement with the vendor that your organization is the sole owner of the data. Data owners are afforded fundamental rights protecting the data. After a subpoena has been issued, the owner of the data will have a predetermined amount of time to respond to the subpoena. This plan should be placed in writing in the agreement with the vendor.

What method of encryption do you use?

If the vendor says that their data is encrypted, ask them what method of encryption they utilize. Some are more secure than others, such as 128 bit vs. 256 bit encryption. Does the vendor utilize SSL transfer encryption, which provides another layer of protection during file transfer? Finally, ask if a third-party encryption approach can be implemented, because this enables the organization to own the security keys, offering further protection against brute force attacks.

Are there limits on stored data, and is an SLA associated with data access?

Determine what limits, if any, the vendor will place on data storage. Is there a cap on the size of an individual file or is there a total capacity limit? Does the vendor place caps on daily ingress or egress of data? If those caps are exceeded, what are the associated charges? Understand what services and Service Level Agreements (SLAs) will be associated with the organization’s data.

What are the vendor’s billing policies?

The billing method and how often you will be billed is also important. Data storage vendors will typically set a fee for PUT, COPY, POST, or LIST commands and set another fee for GETS. For example, placing data in cold storage can be very inexpensive; however, users accessing data through the GET command may be billed at a rather high cost per transaction. Costs will also be based on the speed of the storage in addition to the commands listed. Billing can be complicated, so understand the charges clearly for the tier the organization will be using.

What happens if the organization decides to switch?

If the organization wants to leave the data storage partnership, how will the organization retrieve its data from the vendor? This DATA OUT process can be a completely different tier of pricing. Methods for DATA OUT can vary from physical disks to network replication. Again, the method of DATA OUT will impact billing, along with the quantity of data moved. If data is needed in hurry, acceleration is available for a fee, of course.

What is the organization's insurance against data loss?

Make sure that potential vendors are architected to mitigate events that can compromise the data both virtually and physically. Understand the replication scheme used by the vendor, with more copies of data the better, as well as the overarching security of the physical locations for vendor data centers.