
A guide to negotiating and assuring cloud services

By Mike Small, CEng, FBCS, CITP

How can an organization safely adopt cloud services and gain the benefits they provide? The easy availability of cloud services has sometimes led line of business managers to bypass normal procurement processes and obtain cloud services directly, without any consideration of the governance and risks involved. There is a confusing jungle of advice on the risks of cloud computing and how to manage them. This guide provides the top tips for negotiating and assuring cloud services.

1) Remember it’s just another way to obtain an IT service
The cloud offers an alternative way of obtaining IT services and, for most organizations, will form just part of the overall IT service infrastructure. It needs to be considered together with other alternatives using standard criteria such as risk, security and efficiency. Good IT governance is the best way to manage, secure, integrate, orchestrate and assure services from diverse sources in a consistent and effective way.

2) Understand the business needs
Understand the business requirements for the cloud service – the needs for cost, compliance and security follow directly from these. There is no absolute assurance level for a cloud service – it needs to be as secure, compliant and cost effective as dictated by the business needs – no more and no less.

3) Adopt the best practices
Adopt one or more of the frameworks or industry standards for IT governance and security management that are available. These represent the combined knowledge and experience of the best brains in the industry. However, be selective as not everything will apply to your organization. Whatever standards or frameworks you choose, select a CSP (cloud service provider) that conforms to them.

4) Classify data and applications
The needs for security and compliance depend upon the kind of data being moved into the cloud as well as its sensitivity. The most important step is to classify this data and any applications in terms of their sensitivity and regulatory requirement needs. This helps the procurement process by setting many of the major parameters for the cloud service and the needs for monitoring and assurance.

5) Adopt a standard process for selecting cloud services
Set up a standard process for selecting cloud services that enables fast, simple, reliable, standardized, risk-oriented and comprehensive selection of cloud service providers. Without this, there will be a temptation for lines of business to acquire cloud services directly without fully considering the needs for security, compliance and assurance.

6) Manage contracts
Managing the cloud service depends upon the terms of the contract between the cloud customer and the CSP. A recent article on negotiating cloud contracts published in the Stanford Technology Law Review provides a comprehensive list of the concerns of organizations adopting the cloud and a detailed analysis of cloud contract terms. According to this article, many of the contracts studied provided very limited liability, inappropriate service level agreements (SLAs), and a risk of contractual lock-in.

Beware of standard terms and conditions set by the CSP and consider carefully when to accept them. If the CSP won’t negotiate, try going via an integrator.

7) Ensure clear division of responsibilities
You can outsource the processing, but you can’t outsource responsibility – make sure that you understand how responsibilities are divided between your organization and the CSP. For example, under the UK Data Protection Act, the CSP is usually the ‘data processor’ and the cloud customer is the ‘data controller’. The data controller can be held responsible for breaches of privacy by a data processor: see, for example, the record monetary penalty of £325,000 imposed on a hospital in the UK after discs containing patient data were sold on the Internet.

8) Require independent certification of your CSP
Independent certification is the best way to assure the claims made by a CSP. However, it is important to verify that what is certified is relevant to your needs. ISO/IEC 27001:2005 remains a key information security standard (although a new standard for cloud services is being developed). Although they are not specifically focussed on cloud, the recent standards for SOC reports (service organization control reports) are very relevant.

The CSA (Cloud Security Alliance) has published the CCM (Cloud Controls Matrix), which is a set of cloud service controls mapped to most major standards. The CSA has also published its vision for open certification of CSPs – there are currently a number of CSPs self-certified in the CSA STAR registry. This is planned to evolve to independent certification and continuous assessment.

ISACA has also developed IT Control Objectives for the Cloud and a related audit program.

To provide continuous assurance of the cloud service, require regular access to data from the CSP that allows you to monitor performance against the service parameters.

9) Trust but verify
Using the cloud inherently involves an element of trust between the consumer and the provider of the cloud service. However, this trust must not be unconditional and it is vital to ensure that the trust can be verified.

Mike Small is a senior analyst at KuppingerCole and a member of the ISACA London Chapter. He will be speaking at the Infosecurity Europe Business Strategy Theatre on 24th April at 15:20 on cloud services and how to understand whether a cloud service is trustworthy.

ISACA is exhibiting at Infosecurity Europe 2013, held on 23rd – 25th April 2013 at Earl’s Court, London. ISACA is also hosting its EuroCACS conference in London this year.

Date: 9th April 2013 • Region: World • Type: Article • Topic: Cloud computing
