Recent outages at Amazon and the security fiasco at Dropbox have brought some of the issues around cloud computing into sharp focus. So, how does a CIO evaluate different cloud offerings and make wise decisions for the business?
There are dozens of questions that CIOs need to answer before being able to recommend the use of a cloud service and which cloud service to choose. Here are our top five questions.
1. Is the business data critical?
If you’re planning to store data outside the company’s data centre then you need to consider the criticality of that data. What if the data is exposed, for even a short time? What if there’s a scheduled outage with the service provider that doesn’t fit in with your business cycle? If you’re going to put your data in the hands of a third party, make sure you do a thorough risk assessment.
2. Do you have the bandwidth?
Putting application servers and storage systems outside the data centre may save you some money with regard to infrastructure. However, you will probably need to increase your external connectivity as you’ll be using your external connection far more. You’ll need to do some careful analysis of your current usage, the anticipated change and the costs involved. We’ve heard of businesses receiving career-limiting telecommunications bills with outsourced data storage solutions.
3. What if I change my mind?
You may find that the anticipated benefits of a cloud solution aren’t delivered or a change to your own architecture has led to a re-think on the value of a cloud service. How can you retrieve your data? Is there a migration strategy so that you can get your data out of the cloud and back to your data centre?
4. Check the cloud provider’s security policies and procedures
The other C-level executives in your business expect you to have policies and procedures in place. You need to do the same thing with cloud service providers. It’s not enough to just read the user agreement. With your critical data and applications, it’s important that you see their security policies and procedures. We’d also advise that you seek independent audit reports on the provider’s compliance with their policies and procedures. The last thing you want is a service provider that weakens your operational security.
5. What information is provided with regard to compliance with the service contract?
Our general working principle is that it’s important to negotiate a service contract but that things have turned quite nasty if you ever need to pull it out. That said, monitoring performance such as server speed and system availability is important. The SLA provides the metrics that define what is and isn’t acceptable. Talk to the provider and ask what reports they’ll be providing and ensure that your own monitoring is extended to include the external service provider where possible.
Australian Government - Department of Defence, Intelligence and Security: Cloud Computing Security Considerations