Top Ten Tips for Negotiating and Assuring Cloud Services

Feb 04, 2013 by Mike Small

KuppingerCole research confirms that “security, privacy and compliance issues are the major inhibitors preventing organizations from moving to a private cloud.”  Our report on Cloud Provider Assurance provides information in depth on how to manage these issues.  Here is a summary of our top ten tips on negotiating and assuring cloud services.

  1. Consistent IT governance is critical: The cloud is just an alternative way of obtaining IT services and, for most organizations, it will be only one component of the overall complex IT service infrastructure.  IT Governance provides a way to manage, secure, integrate, orchestrate and assure services from diverse sources in a consistent and effective way.
  2. Adopt best practices that are relevant to your organization from one or more of the frameworks or industry standards that are available.  These represent the combined knowledge and experience of the best brains in the industry.  However – be selective – not everything will apply to your organization.  Whatever standards you choose – select a CSP (Cloud Service Provider) that conforms to these standards.
  3. Understand the business requirements for the cloud service – security, privacy and compliance needs follow directly from these.  There is no absolute level of assurance for a cloud service – it needs to be as secure, compliant and cost effective as dictated by the business needs – no more and no less.
  4. Implement a standard process for selecting cloud services: This should enable fast, simple, reliable, standardized, risk-oriented selection of cloud service providers.  Without this there will be a temptation for lines of business to acquire cloud services directly without fully considering the needs for assurance.
  5. Manage Cloud Contracts – beware of CSP standard terms and conditions and consider carefully when to accept them.  If the CSP standard contract satisfies the business needs – that is fine.  If not, accept nothing less than you would from your in-house IT!  If the CSP won’t negotiate, try going via an integrator.
  6. Classify data and applications in terms of their business impact, the sensitivity of the data and regulatory requirements.  This helps the procurement process by setting many of the major parameters for the cloud service and the needs for monitoring and assurance in advance.
  7. Division of responsibilities: When adopting a cloud service, make sure you understand what your responsibilities are as well as those of the CSP.  For example, in most cases under European law, the organization using a cloud service is the “data controller” and remains responsible for personal data held in the cloud.
  8. Independent Certification of CSP: Look for regular independent certification that the service parameters which are relevant to your business need are being met.  Typically, external audits are only performed once or twice per annum, so whilst they are important, they only provide snapshots of the service.
  9. Continuous Assurance: To provide continuous assurance of the cloud service, require the CSP to provide regular access to monitoring data that allows you to monitor performance against the service parameters.
  10. Trust but Verify - Using the cloud inherently involves an element of trust between the organization using the cloud service and the CSP.  However, this trust must not be unconditional, and it is vital to ensure that the trust can be verified.

For more details on best practices for cloud computing, attend the European Identity & Cloud Conference, held in Munich during May 2013.  This will feature a one-day workshop on Cloud Provider Assurance.  This workshop uses real-life scenarios to lead the participants through the steps necessary to assure that cloud services meet their organization’s business requirements.


Author info

Mike Small
Fellow Analyst