Adopting cloud computing means moving from “hands on” management of IT services within the organization to “hands off” IT management using governance, service level agreements and contracts. This approach sits uneasily with many IT people whose education, training and experience are in the delivery of services rather than negotiation and governance. Nevertheless the IT department is an important player in ensuring that an organization gets what it needs from the cloud. IT Service and Security Management are key components of the KuppingerCole IT paradigm which identifies the important elements necessary to successfully adopting and assuring cloud services.
An interesting article on negotiating cloud contracts was recently published in the Stanford Technology Law Review. This article provides a comprehensive list of the concerns of organizations adopting the cloud and a detailed analysis of cloud contract terms. This article suggests that: “a multiplicity of approaches are emerging, rather than a de facto ‘cloud’ model, with market participants developing a range of cloud services with different contractual terms, priced at different levels, and embracing standards and certifications that aid legal certainty and compliance”.
According to this paper the most negotiated terms are:
- “provider liability,
- service level agreements,
- data protection and security,
- termination rights,
- unilateral amendments to service features,
- and intellectual property rights”
KuppingerCole research confirms that “Cloud security issues (84.4%) and Cloud privacy and compliance issues (84.9%) are the major inhibitors preventing organizations from moving to a private Cloud.” Our report on Cloud Provider Assurance also provides information on how to assure the technical elements cloud services which lead to the concerns mentioned in the Stanford paper. In summary - it is important to follow the old Russian maxim, which was often quoted by President Ronald Regan: “trust but verify”. Using the cloud inherently involves an element of trust between the consumer and the provider of the cloud service. However - this trust is not unconditional and it is essential to ensure that the trust can be verified.
The Stanford paper highlights the risk that end users within an organization will bypass internal governance and procurement processes and procure cloud services directly. It describes this as the “click through” trap. The KuppingerCole model for cloud service management emphasizes the need for a quick and user friendly process for requesting cloud based services and assuring that they meet the needs and the risk appetite of the organization. This process should be set up ahead of time in collaboration between all of the stakeholders including governance, risk, legal and procurement.
This process should:
- Identify the business requirements for the cloud based solution.
- Determine the security and governance needs based on these business requirements. Some applications will be more business critical than others.
- Develop scenarios to understand the security threats and weaknesses. Use these to determine the response to these risks in terms of requirements for controls and questions to be answered. Considering these risks may lead to the conclusion that the risk of moving to the Cloud is too high.
- Make clear which party (customer/provider) is responsible for all important aspects.
- Specify what measures are needed to confirm that the required service is being delivered and make sure that these are measured and action is taken.