KuppingerCole research confirms that “security, privacy and compliance issues are the major inhibitors preventing organizations from moving to a private cloud.”  Our report on Cloud Provider Assurance provides in-depth information on how to manage these issues.  Here is a summary of our top ten tips on negotiating and assuring cloud services.

  1. Consistent IT governance is critical: The cloud is just an alternative way of obtaining IT services and, for most organizations, it will be only one component of the overall complex IT service infrastructure.  IT governance provides a way to manage, secure, integrate, orchestrate and assure services from diverse sources in a consistent and effective way.
  2. Adopt best practices that are relevant to your organization from one or more of the frameworks or industry standards that are available.  These represent the combined knowledge and experience of the best brains in the industry.  However – be selective – not everything will apply to your organization.  Whatever standards you choose – select a CSP (Cloud Service Provider) that conforms to these standards.
  3. Understand the business requirements for the cloud service – security, privacy and compliance needs follow directly from these.  There is no absolute level of assurance for a cloud service – it needs to be as secure, compliant and cost-effective as dictated by the business needs – no more and no less.
  4. Implement a standard process for selecting cloud services: This should enable fast, simple, reliable, standardized, risk-oriented selection of cloud service providers.  Without this there will be a temptation for lines of business to acquire cloud services directly without fully considering the needs for assurance.
  5. Manage cloud contracts: Beware of CSP standard terms and conditions and consider carefully when to accept them.  If the CSP standard contract satisfies the business needs – that is fine.  If not, accept nothing less than you would from your in-house IT!  If the CSP won’t negotiate, try going via an integrator.
  6. Classify data and applications in terms of their business impact, the sensitivity of the data and the applicable regulatory requirements.  This helps the procurement process by setting many of the major parameters for the cloud service, and the needs for monitoring and assurance, in advance.
  7. Division of responsibilities: When adopting a cloud service, make sure you understand what your responsibilities are as well as those of the CSP.  For example, in most cases under European law, the organization using a cloud service is the “data controller” and remains responsible for personal data held in the cloud.
  8. Independent certification of the CSP: Look for regular independent certification that the service parameters which are relevant to your business needs are being met.  Typically external audits are only performed once or twice per annum, so whilst they are important they only provide snapshots of the service.
  9. Continuous Assurance: To provide continuous assurance of the cloud service, require the CSP to provide regular access to monitoring data that allows you to monitor performance against the service parameters.
  10. Trust but verify: Using the cloud inherently involves an element of trust between the organization using the cloud service and the CSP.  However, this trust must not be unconditional, and it is vital to ensure that the trust can be verified.
For more details on best practices for cloud computing, attend the European Identity & Cloud Conference, held in Munich in May 2013.  This will feature a one-day workshop on Cloud Provider Assurance.  The workshop uses real-life scenarios to lead participants through the steps necessary to assure that cloud services meet their organization’s business requirements.