Cloud computing is on-demand access to measured service. Its traits are self-service, rapid elasticity and open access. The top three reasons for moving to the cloud are efficiency, agility and innovation. Resource pooling makes cloud computing both appealing and dangerous. Managing cloud’s built-in risks can help you achieve its benefits.

IT and business leaders know there are risks to cloud computing. Security is the top concern, cited by over half of those considering cloud. Top security fears are corporate confidentiality, privacy of personal data and data integrity.

Certainly, security is a risk. Still, many IT professionals have not performed an objective risk assessment. The top risks are actually data interoperability and portability, control and visibility of the services and legal issues.

Failing to determine and address your actual risks before choosing a cloud provider could set up a catastrophe.

Our research shows that 75–80 percent of cloud adopters will save from 20 to 50 percent, depending on their cloud service and deployment models. The risk of failures, vendor lock-in, governance issues and jurisdictional concerns are real, too. If you assess your risks, you can determine what is most important to your firm. Use that information to compare provider packages, choose a provider, and manage the relationship. To obtain the best return on investment, you must confirm the faith you place in cloud providers — that is, trust but verify.

See IT Decision Brief “When to Adopt Cloud Computing” to help decide if the time is right to move to cloud computing.

Use service catalog management (SCM) to evaluate your readiness for cloud computing and make the best decision. Use your service definitions to discover what you do for whom and to understand threats. Determine what cloud computing means to the identified assets (e.g., service or service component) and how and why it can affect your firm and IT.

Assume that the business reasons for moving the asset(s) to the cloud do not represent your primary sources of risk. Assess your own risks using information security management methods such as ISO/IEC 27005. Determine the odds of each threat occurring and the negative business impact each would have. Work with affected business peers for this effort.

Using service level management (SLM) techniques, develop service level requirements (SLRs) based on your risk assessment. Use those SLRs to compare and select cloud providers and platforms. Obtain proof from selected vendors that they address all SLRs completely. Further verify via a welldefined trial.
Put in place service monitoring and event management. Service monitoring is end-to-end transactional visibility vs. traditional IT operational metrics around CPU, network, or storage. Event management is how you handle service issues.

Use supplier management to ensure all contracts support SLRs and all providers meet all contractual obligations. Monitor vendor performance. Use SLM to ensure business satisfaction. Identify and define improvements with periodic planned reviews, and as needed, review and adapt.

Get started now by creating a cloud computing team to consider the steps outlined in this brief. Determine which cloud service model (SaaS, PaaS, or IaaS) and deployment mode (public, private, community, or hybrid) is best for your firm. Develop a short list of providers based on your service definitions and risk assessment. Revalidate your risk assessment based on data flow between your firm, your selected providers, and any vendors they use in their delivery.

Be sure to use the process outlined in IT Decision Brief “How to Confidently Decide to Adopt Cloud Computing” to improve your odds.