How can an organisation safely adopt cloud services to gain the benefits they provide? The easy availability of cloud services has sometimes led to line of business managers bypassing the normal procurement processes to obtain cloud services directly without any consideration of the governance and risks involved.
Cloud is just another way to obtain an IT service
The cloud offers an alternative way of obtaining IT services and, for most organisations, will form just part of the overall IT service infrastructure. It needs to be considered together with other alternatives, using standard criteria such as risk, security and efficiency. Good IT governance, based on Cobit for example, is the best way to manage, secure, integrate, orchestrate and assure services from diverse sources in a consistent and effective way.
Understand the business needs
Understand the business requirements for the cloud service – the needs for cost, compliance and security follow directly from these. There is no absolute assurance level for a cloud service – it needs to be as secure, compliant and cost-effective as dictated by the business needs, no more and no less.
Adopt the best practices
Adopt one or more of the frameworks or industry standards for IT governance and security management that are available. These represent the combined knowledge and experience of the best brains in the industry. However, be selective, as not everything will apply to your organisation. Whatever standards or frameworks you choose, select a cloud service provider (CSP) that conforms to them.
Classify data and applications
The needs for security and compliance depend on the kind of data being moved into the cloud, as well as its sensitivity. The most important step is to classify this data and any applications in terms of their sensitivity and regulatory requirement needs. This helps the procurement process by setting many of the major parameters for the cloud service and the needs for monitoring and assurance.
Adopt a standard process for selecting cloud services
Set up a standard process for selecting cloud services that enables fast, simple, reliable, standardised, risk-oriented and comprehensive selection of cloud service providers. Without this, there will be a temptation for lines of business to acquire cloud services directly without fully considering the needs for security, compliance and assurance.
Managing the cloud service depends on the terms of the contract between the cloud customer and the CSP. A recent article on negotiating cloud contracts published in the Stanford Technology Law Review provides a comprehensive list of the concerns of organisations adopting the cloud and a detailed analysis of cloud contract terms. According to this article, many of the contracts studied provided very limited liability, inappropriate service level agreements (SLAs), and a risk of contractual lock-in.
Beware of standard terms and conditions set by the CSP and consider carefully when to accept them. If the CSP will not negotiate, try going via an integrator.
Ensure clear division of responsibilities
You can outsource the processing, but you cannot outsource responsibility – make sure that you understand how responsibilities are divided between your organisation and the CSP. For example, under the UK Data Protection Act, the cloud processor is usually the “data processor” and the cloud customer is the “data controller”. The “data controller” can be held responsible for breaches of privacy by a “data processor”. One example is the record monetary penalty of £325,000 for a hospital in the UK, where discs containing patient data were sold on the internet.
Require independent certification of your CSP
Independent certification is the best way to assure the claims made by a CSP. However, it is important to properly understand that what is certified is relevant to your needs. ISO/IEC 27001:2005 remains a key information security standard (although a new standard for cloud services is being developed). Although they are not specifically focused on cloud, the recent standards for service organisation control (SOC) reports are very relevant.
The Cloud Security Alliance (CSA) has published the CCM (Cloud Controls Matrix), is a set of cloud service controls mapped to most major standards. The CSA has also published Open Certification of CSPs vision – there are currently a number of CSPs self-certified in the CSA STAR registry. This is planned to evolve to independent certification and continuous assessment.
ISACA has also developed IT Control Objectives for the Cloud and a related audit programme.
To provide continuous assurance of the cloud service, require regular access to data from the CSP that allows you to monitor performance against the service parameters.
Trust but verify
Using the cloud inherently involves an element of trust between the consumer and the provider of the cloud service. However, this trust must not be unconditional and it is vital to ensure that the trust can be verified.
Mike Small is a member of the ISACA London Chapter and senior analyst at KuppingerCole.