Advisory Note: Cloud Provider Assurance - 70586

Can an organization trust an IT service provided through the Cloud? A survey by KuppingerCole showed that “Cloud security issues (84.4%) and Cloud privacy and compliance issues (84.9%) are the major inhibitors preventing organizations from moving to a private Cloud.” The answer to this question can be found in the old Russian maxim, which was often quoted by President Ronald Regan: “trust but verify”.

Cloud services are outside the direct control of the customer organization, and their use places control of the IT service and infrastructure in the hands of the CSP (Cloud Service Provider). This fits with the KuppingerCole IT Paradigm for IT Governance. A governance based approach allows trust in the CSP to be assured through a combination of internal processes, standards and independent assessments.

The governance process starts with a clear understanding of the business requirements for the service. The risks and the technical, compliance and legal requirements follow directly from these business needs. These business needs, technical requirements and risks form the basis for what needs to be assured.