KuppingerCole Analysts' View on Cloud Service Providers



Is it going to be an Altostratus then?

Amar Singh

Is that going to be Cirrus, Stratus, Cumulus or how about we go for the Altostratus?

To some the names may sound completely strange and weird, but all of the above are names of the types of clouds that "roam" planet Earth. So, you may be wondering whether this is an article on IT Clouds or a meteorological white paper arguing for a new name for something that is, in essence, just water.

It’s the former. I am writing about the IT Cloud, and the topic I am discussing is something very close to my heart. You see, a pet peeve of mine is the frequent lack of decision logic when it comes to choosing a cloud provider. People do more research when buying a car than when deciding which cloud holds their company’s crown jewels! That is just wrong!

So, how do you go about selecting the right cloud provider? Seems like an easy question, right? Just choose the biggest (and not necessarily the best) one out there. Sorry, no names, but you get the gist... Just choose the biggest and everything will be fine.

That approach may have worked in the past, but the IT sky is more crowded and more innovative than before, whether or not the IT Clouds have easy-to-remember names.

To achieve maximum business value while maintaining adequate protection, two often conflicting priorities, today’s organisation must adopt a standardised approach, supported by an adequate organisation, to selecting the ideal cloud provider.

Some points to consider:

Adopt a Business Services approach: This is not the same as a requirements-driven selection process. The business services approach asks what service the business wants to run. For example, Legal Counsel may have a requirement for contract storage, search and retrieval. The IT service’s function, or as I call it, its job, is to serve that business service requirement.

The selection approach to the cloud provider becomes clearer when it is driven by the business. The business does not need to know or dictate the cloud provider. In this example, Legal Counsel should not, and probably will not, interfere with the cloud selection process. However, the business services approach allows the IT function to formulate standardised selection criteria based on the top-level business service definition.

The converse is also true: IT must NOT base any methodology on pure technology alone. The ability to "dynamically spin up a hundred database servers with full cross-wire redundancy" does not and will not enable the business service, unless the business actually demands such a configuration.

It’s not always about COST - Although the CFO will love you to bits if you base your selection criteria solely on cost, doing so has pitfalls and can be counterproductive. An example I have seen many times follows:

  • The business wants to deliver an ultra-fast, multimedia-rich user experience to its customers. The same level of service must hold up when customers purchase a product. The business goes to the IT function to demand the appropriate infrastructure.
  • Cloud is the organisation’s strategy, but IT has no standardised approach to selecting the cloud provider. So, for this requirement, it has chosen the cheapest cloud provider and ordered the necessary infrastructure.
  • The business is going to go live in the next 2 days, and IT has just realised that the cloud provider (1) offers the necessary e-commerce infrastructure only at a significantly higher cost and (2) is unable to support the kind of traffic peaks the business expects.

I leave the next part of the story for you to imagine! It is not a pretty sight. A standardised approach is only possible if the business drives the selection process rather than the other way around.



Can EU customers rely on US Cloud Providers?

Martin Kuppinger

The recent US court decision has added to the concerns of EU customers (and of customers in other regions such as APAC) regarding the use of Cloud services from US-based providers. The decision orders Microsoft to turn over a customer’s emails stored in Ireland to the US government: it requires the company to hand over any data it controls, regardless of where that data is stored.

While the judge has temporarily suspended the order from taking effect to allow Microsoft time to appeal to the 2nd US Circuit Court of Appeals, it remains hanging over US Cloud Service Providers (CSPs) like the sword of Damocles.

The decision further increases the uncertainty many customers feel regarding the Cloud, and is the latest blow since the Snowden revelations. So let’s look at the facts behind the FUD (fear, uncertainty, doubt).

In fact, the most important issue of the Cloud is control, not location. Many of the current regulations have been criticised for focusing on location instead of control. When appropriate security controls are in place, why should it make a difference whether data is stored in an EU datacenter or in a US datacenter? The location argument is somewhat weak anyhow, given that IP routing does not respect borders: data in transit may well pass through other jurisdictions. This is what prompted the recent discussion about an EU Cloud.

However, if control is the better concept in the age of the Internet and the Cloud, the court decision has a certain logic. The alternative, that it is about location and not about control, would in fact mean that a US criminal could hide data simply by storing it outside the US in the Cloud.

Notably, the recent US court decision (still subject to appeal) does not provide blanket access to the data held. In this case the data appears to be related to criminal activity, and it is common in virtually all jurisdictions that data can be seized by law enforcement on suspicion that a crime has been committed.

However, there is a risk that your data could legally be seized by law enforcement in a non-EU country (e.g. the US, Russia, etc.) on suspicion of an act that is not a crime in your country and which may not have been committed in the country wishing to seize it. There have been a number of contentious examples of UK citizens being extradited to the US for these kinds of reasons.

The differences in laws and legal systems between countries, together with court decisions such as the recent one, do not make it easier for EU customers to trust non-EU Cloud Providers. In fact, uncertainty seems to be increasing, not decreasing. Waiting for harmonization of legislation or for trade agreements such as TTIP (the Transatlantic Trade and Investment Partnership) is not an answer.

Organizations today are in a situation where, on the one hand, the business wants new types of IT services, some of which are only available from the Cloud, and on the other hand there is this uncertainty about what can and cannot be done.

The only thing organizations can (and must) do is to manage this uncertainty in the same way as for other kinds of risks. Businesses are experienced in deciding which risks to take. This starts with a structured approach to Cloud Service Provider selection, involving not only IT but also procurement and legal. It includes legal advice to understand the concrete legal risks. It also includes analyzing the information sensitivity and information protection requirements. In this way, the specific risk of using individual Cloud Service Providers and different deployment models such as public or private Clouds can be analyzed. It transforms uncertainty into a good understanding of the risk being taken.

KuppingerCole’s research around Cloud Assurance and Information Stewardship and our Advisory Services, for instance, can help you with this.

Notably, the frequently quoted answer "let’s just rely on EU CSPs" oversimplifies the challenge. It requires real alternatives, i.e. pure-play EU offerings, and both are rare. Many EU offerings are not feature-equal or are far more expensive; others are not pure-play EU. The same applies to other regions, for sure. Yes, these services must be taken into consideration. But "EU is good, US is bad" is too simple when looking at all aspects. It is better to understand the real risks of both and choose the best way based on this, which might include on-premise IT. The basic answer to the question in the title simply is: "It depends." The better answer is: "Understand the real risk."



Cloud Provider Assurance

Mike Small

Using the cloud involves an element of trust between the consumer and the provider of a cloud service; however, it is vital to verify that this trust is well founded. Assurance is the process that provides this verification. This article summarizes the steps a cloud customer needs to take to assure that a cloud service provides what is needed and what was agreed.

The first step towards assuring a cloud service is to understand the business requirements for it. The needs for cost, compliance and security follow directly from these requirements. There is no absolute assurance level for a cloud service – it needs to be just as secure, compliant and cost effective as dictated by the business needs – no more and no less.

The needs for security and compliance depend upon the kind of data and applications being moved into the cloud. It is important to classify this data and any applications in terms of their sensitivity and regulatory requirements. This helps the procurement process by setting many of the major parameters for the cloud service as well as the needs for monitoring and assurance. Look at Advisory Note: From Data Leakage Prevention (DLP) to Information Stewardship – 70587.

Use a standard process for selecting cloud services that is fast, simple, reliable, standardized, risk-oriented and comprehensive. Without this, there will be a temptation for lines of business to acquire cloud services directly without fully considering the needs for security, compliance and assurance. For more information on this aspect see Advisory Note: Selecting your cloud provider - 70742.

Take care to manage the contract with the cloud service provider. An article on negotiating cloud contracts from Queen Mary University of London provides a comprehensive list of the concerns of organizations adopting the cloud and a detailed analysis of cloud contract terms. According to this article, many of the contracts studied provided very limited liability, inappropriate SLAs (Service Level Agreements), and a risk of contractual lock-in. See also - Advisory Note: Avoiding Lock-in and Availability Risks in the Cloud - 70171.

Look for compliance with standards; a cloud service may have significant proprietary content and this can also make the costs of changing provider high. Executive View: Cloud Standards Cross Reference – 71124 provides advice on this.

You can outsource the processing, but you can’t outsource responsibility – make sure that you understand how responsibilities are divided between your organization and the CSP. For example, under EU Data Protection laws, the cloud provider is usually the "data processor" and the cloud customer is the "data controller". Remember that the "data controller" can be held responsible for breaches of privacy by a "data processor".

Independent certification is the best way to verify the claims made by a CSP. Certification of the service to ISO/IEC 27001 is a mandatory requirement. However, a certificate only covers the scope stated on it, so it is important to check that what is certified (which locations, systems and services) actually covers the service you intend to use. For a complete description of how to assure cloud services in your organization see Advisory Note: Cloud Provider Assurance - 70586.
