Cloud Computing Risk Management: Trust but Verify
You have to validate the faith you place in cloud providers: trust but verify.
Many IT and business leaders believe moving to cloud computing decreases cost and improves agility and innovation. It can, but failing to manage risk may have the opposite effect. This brief explores how IT leaders can use cloud computing safely and effectively.
The reasons most IT and business leaders move to cloud computing are at odds with cloud computing’s worst threats. Moreover, the top three cloud fears of IT and business leaders do not line up with the top three most likely cloud risks. If you fail to consider the threats that could have the highest impact, you could suffer a devastating failure.
At a minimum, you must take into account that new operational costs will offset some savings. In the worst case, you could cost your firm its market position. You must prepare for cloud failures just as you prepare for power failures. Service catalog, information security, event, service level, and supplier management processes are critical to your success.
Develop service definitions to understand business requirements. Using risk assessment, learn what a cloud provider must do for your firm. Select vendors based on your business-driven risk assessment. Manage vendor contracts tightly. Validate requirements and ensure customer and user productivity regularly. Obtaining the benefits of cloud computing requires IT and business leaders working jointly with strong IT service management processes.
What You Need to Know:
Cloud computing is on-demand access to measured service. Its traits are self-service, rapid elasticity and open access. The top three reasons for moving to the cloud are efficiency, agility and innovation. Resource pooling makes cloud computing both appealing and dangerous. Managing cloud’s built-in risks can help you achieve its benefits.
IT and business leaders know there are risks to cloud computing. Security is the top concern, cited by over half of those considering cloud. Top security fears are corporate confidentiality, privacy of personal data and data integrity.
Certainly, security is a risk. Still, many IT professionals have not performed an objective risk assessment. The top risks are actually data interoperability and portability, control and visibility of the services and legal issues.
Failing to determine and address your actual risks before choosing a cloud provider could set up a catastrophe.
Our research shows that 75–80 percent of cloud adopters will save from 20 to 50 percent, depending on their cloud service and deployment models. The risk of failures, vendor lock-in, governance issues and jurisdictional concerns are real, too. If you assess your risks, you can determine what is most important to your firm. Use that information to compare provider packages, choose a provider, and manage the relationship. To obtain the best return on investment, you must confirm the faith you place in cloud providers — that is, trust but verify.
What You Need to Do:
See IT Decision Brief “When to Adopt Cloud Computing” to help decide if the time is right to move to cloud computing.
Use service catalog management (SCM) to evaluate your readiness for cloud computing and make the best decision. Use your service definitions to discover what you do for whom and to understand threats. Determine what cloud computing means to the identified assets (e.g., service or service component) and how and why it can affect your firm and IT.
Assume that the business reasons for moving the asset(s) to the cloud do not represent your primary sources of risk. Assess your own risks using information security management methods such as ISO/IEC 27005. Determine the odds of each threat occurring and the negative business impact each would have. Work with affected business peers for this effort.
Using service level management (SLM) techniques, develop service level requirements (SLRs) based on your risk assessment. Use those SLRs to compare and select cloud providers and platforms. Obtain proof from selected vendors that they address all SLRs completely. Further verify via a well-defined trial.
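As an added example (not part of this brief), the Python below carries the two steps above through on a constructed risk register: each threat is scored as likelihood times impact on a 1..5 ordinal scale, as in an ISO/IEC 27005-style qualitative assessment; threats at or above a threshold become SLRs weighted by their score; and hypothetical vendors are compared by the risk-weighted share of SLRs they have actually proven, with proven items still flagged for confirmation in the trial. The asset, the vendor names, the SLR identifiers and every score are constructed for illustration.

```python
from dataclasses import dataclass

# Evidence levels per SLR, weakest to strongest. Only PROVEN or better counts as
# "addressed"; PROVEN (contract clause, audit report) is what the trial must confirm.
NONE, CLAIMED, PROVEN, TRIAL_VERIFIED = 0, 1, 2, 3


@dataclass
class Threat:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (business-critical)
    slr: str         # hypothetical SLR identifier that mitigates this threat

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Constructed risk register for one asset (a hosted customer portal).
CUSTOMER_PORTAL_REGISTER = [
    Threat("Data lock-in: export only in a proprietary format", 4, 4, "export-open-format-30d"),
    Threat("No visibility into service health or incidents", 4, 3, "status-api-and-incident-notify-15m"),
    Threat("Data held in a jurisdiction outside contract terms", 2, 5, "data-residency-eu"),
    Threat("Provider-side breach of confidential records", 2, 5, "encryption-at-rest-customer-managed-keys"),
    Threat("Sustained outage beyond business tolerance", 3, 4, "availability-99.9-monthly"),
    Threat("Provider branding clashes with our marketing", 3, 1, "co-branding-option"),
]

# Constructed evidence gathered from hypothetical vendors during selection.
SLR_IDS = ["export-open-format-30d", "status-api-and-incident-notify-15m", "data-residency-eu",
           "encryption-at-rest-customer-managed-keys", "availability-99.9-monthly"]
PROVIDERS = {
    "VendorA": dict(zip(SLR_IDS, [TRIAL_VERIFIED, PROVEN, CLAIMED, PROVEN, TRIAL_VERIFIED])),
    "VendorB": dict(zip(SLR_IDS, [NONE, TRIAL_VERIFIED, TRIAL_VERIFIED, PROVEN, PROVEN])),
    "VendorC": dict(zip(SLR_IDS, [CLAIMED] * 5)),  # claims everything, proves nothing
}


def rank_threats(register):
    """Threats ordered by descending risk score (likelihood x impact)."""
    return sorted(register, key=lambda t: t.score, reverse=True)


def derive_slrs(register, threshold=8):
    """Threats at or above the threshold become mandatory SLRs, weighted by
    risk score so that a gap on a large risk costs a vendor more."""
    return {t.slr: t.score for t in register if t.score >= threshold}


def evaluate_providers(slrs, providers):
    """Score each provider by the risk-weighted share of SLRs it has proven,
    list SLRs it has not proven, and list proven SLRs still awaiting the trial."""
    total = sum(slrs.values())
    results = []
    for name, evidence in providers.items():
        def level(slr):
            return evidence.get(slr, NONE)
        met = sum(w for slr, w in slrs.items() if level(slr) >= PROVEN)
        results.append({
            "provider": name,
            "coverage": round(met / total, 3),
            "unmet": sorted(s for s in slrs if level(s) < PROVEN),
            "needs_trial": sorted(s for s in slrs if level(s) == PROVEN),
        })
    return sorted(results, key=lambda r: r["coverage"], reverse=True)


def shortlist(results, min_coverage=0.8):
    """Providers with enough proven coverage to be worth a trial."""
    return [r["provider"] for r in results if r["coverage"] >= min_coverage]


if __name__ == "__main__":
    slrs = derive_slrs(CUSTOMER_PORTAL_REGISTER)
    for t in rank_threats(CUSTOMER_PORTAL_REGISTER):
        print(f"{t.score:>2}  {t.name}")
    results = evaluate_providers(slrs, PROVIDERS)
    for r in results:
        print(r)
    print("shortlist for trial:", shortlist(results))
```

The weighting is the point: VendorB proves more of the residency and visibility requirements than VendorA, but its missing export guarantee sits on the highest-scored threat, so it ranks lower. Whatever a vendor has only proven on paper stays in `needs_trial` until the trial closes it.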
Put in place service monitoring and event management. Service monitoring means end-to-end visibility of business transactions, as opposed to traditional IT operational metrics such as CPU, network or storage utilization. Event management is how you handle service issues.
Use supplier management to ensure that all contracts support the SLRs and that every provider meets all of its contractual obligations. Monitor vendor performance. Use SLM to confirm business satisfaction. Identify and define improvements through periodic planned reviews, and review and adapt as needed.
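To make the distinction in the two paragraphs above concrete, here is an added example (not from this brief): synthetic end-to-end probes of one business transaction, recorded in a constructed log, are grouped into hourly windows and checked against contractual SLRs; each breach becomes an event carrying the window, the observed value and the threshold, and the same events feed a scorecard for the periodic supplier review. The log lines, the SLR thresholds and the transaction name are all constructed.

```python
import math
from collections import defaultdict
from datetime import datetime, timezone

# Contractual SLRs for the hosted checkout transaction (constructed values).
SLRS = {"success_rate_min": 0.995, "p95_latency_ms_max": 800}

# Constructed synthetic-probe log: timestamp, transaction, outcome, latency in ms.
# Each line is one end-to-end run of the business transaction; CPU, network and
# storage counters do not appear here at all.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z checkout OK 400
2024-05-01T10:06:00Z checkout OK 410
2024-05-01T10:12:00Z checkout OK 420
2024-05-01T10:18:00Z checkout OK 430
2024-05-01T10:24:00Z checkout OK 440
2024-05-01T10:30:00Z checkout OK 450
2024-05-01T10:36:00Z checkout OK 460
2024-05-01T10:42:00Z checkout OK 470
2024-05-01T10:48:00Z checkout OK 480
2024-05-01T10:54:00Z checkout OK 490
2024-05-01T11:00:00Z checkout OK 420
2024-05-01T11:06:00Z checkout OK 430
2024-05-01T11:12:00Z checkout OK 440
2024-05-01T11:18:00Z checkout OK 450
2024-05-01T11:24:00Z checkout FAIL 30000
2024-05-01T11:30:00Z checkout OK 460
2024-05-01T11:36:00Z checkout OK 1500
2024-05-01T11:42:00Z checkout OK 470
2024-05-01T11:48:00Z checkout OK 480
2024-05-01T11:54:00Z checkout OK 490
"""


def parse_log(text):
    """One dict per probe line; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, name, outcome, latency = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "name": name,
            "ok": outcome == "OK",
            "latency_ms": int(latency),
        })
    return records


def p95(values):
    """Nearest-rank 95th percentile; None for an empty sample."""
    if not values:
        return None
    ordered = sorted(values)
    return ordered[math.ceil(0.95 * len(ordered)) - 1]


def evaluate_windows(records, slrs=SLRS):
    """Group probes by clock hour and test every window against the SLRs.
    Latency is measured over successful probes only; failures count against
    the success rate. Returns (metrics_by_window, events)."""
    by_window = defaultdict(list)
    for r in records:
        by_window[r["ts"].strftime("%Y-%m-%dT%H:00Z")].append(r)
    metrics, events = {}, []
    for window in sorted(by_window):
        probes = by_window[window]
        ok = [p for p in probes if p["ok"]]
        success_rate = round(len(ok) / len(probes), 4)
        latency_p95 = p95([p["latency_ms"] for p in ok])
        metrics[window] = {"probes": len(probes), "success_rate": success_rate,
                           "p95_latency_ms": latency_p95}
        if success_rate < slrs["success_rate_min"]:
            events.append({"window": window, "slr": "success_rate_min",
                           "observed": success_rate, "threshold": slrs["success_rate_min"]})
        if latency_p95 is not None and latency_p95 > slrs["p95_latency_ms_max"]:
            events.append({"window": window, "slr": "p95_latency_ms_max",
                           "observed": latency_p95, "threshold": slrs["p95_latency_ms_max"]})
    return metrics, events


def vendor_scorecard(metrics, events):
    """Input for the supplier review: share of windows that met every SLR."""
    breached = {e["window"] for e in events}
    total = len(metrics)
    return {"windows": total, "breached_windows": len(breached),
            "compliance": round((total - len(breached)) / total, 3) if total else None}


if __name__ == "__main__":
    metrics, events = evaluate_windows(parse_log(SAMPLE_LOG))
    for window, m in metrics.items():
        print(window, m)
    for e in events:
        print("EVENT", e)
    print("scorecard:", vendor_scorecard(metrics, events))
```

Both events in the second window would be invisible to a CPU or storage dashboard: the provider's hosts may have been healthy while the transaction customers depend on was failing and slow. Keeping the observed value and threshold on each event is what lets the supplier review cite a contractual shortfall rather than an impression.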
Get started now by creating a cloud computing team to consider the steps outlined in this brief. Determine which cloud service model (SaaS, PaaS, or IaaS) and deployment model (public, private, community, or hybrid) is best for your firm. Develop a short list of providers based on your service definitions and risk assessment. Revalidate your risk assessment based on data flow between your firm, your selected providers, and any vendors they use in their delivery.
Be sure to use the process outlined in IT Decision Brief “How to Confidently Decide to Adopt Cloud Computing” to improve your odds.