The secret to a pleasant and successful experience in migrating to a Public Cloud Strategy for your enterprise is “minimizing risk while maximizing your return on investment (ROI) and reducing total cost of ownership (TCO)“. Sound familiar? Sounds like managing your retirement fund nest egg. In this article we will address few of the risk management guidelines and standard business practices to mitigate risk when going with a public Cloud Strategy or migrating your IT or business assets to the Cloud.
So, to remain competitive and be efficient, “how big of a risk is it to migrate to the cloud or go with a cloud strategy and how to mitigate it”? We will talk about various types of risks in going the public cloud route and ways you can mitigate them to a comfortable level so that you can achieve your business objectives.
The security as a risk can be addressed in terms of the following:
- Confidentiality, Integrity and Availability.
You should carefully review the SLA’s (service level agreements) with the public Cloud provider to address your security risk concerns.
- Question what happens if the SLA’s are not met.
- Make note of any exception conditions in the SLA.
- Look for penalties in case the SLA’s are not met.
NOTE – The thing about SLA’s is that it may act as deterrent for public Cloud providers from acting irresponsibly but the fact remains that if your mission critical application is on the Cloud and if it is unavailable or compromised within agreed SLA guidelines; your business could suffer loss of revenue and / or employee productivity.
Having said that, you should ask “How do I manage the risk?”. The answer is that the risk management guidelines should be along the same lines as you would expect from deploying private cloud in your own datacenter or conducting business the traditional datacenter setup with monolithic server farms.
Common sense coupled with proper governance dictates the following points to be thoroughly hashed out and well understood:
- Check if public cloud provider has proper certified Business Continuity Plan (BCP) in place.
If not comfortable with the BCP plan then either Re-visit cloud migration plan or Build processes or incidence response plans to address them Leverage your current or traditional BCP plans.
- Check if public cloud provider has proper certified Disaster Recovery Plan (DR) in place.
If not comfortable with the DR plan then either Re-visit cloud migration plan or Build processes or incidence response plans to address them.
Leverage your current or traditional DR plans
- Check to see if Cloud datacenter is following standard Segregation of Duties (SOD) policies and procedures.
- Check if public cloud provider has contract in place for breach. Typically breach contract should address cost of data loss, data integrity, downtime, customer notifications. Plus, having traditional security defenses should be in place. Look for important certifications such as SAS70, SSAE 16 and SOC 2 and SOC 3.
If not comfortable with the contract or certifications then either Re-visit cloud migration plan or Build processes or incidence response plans to address them.
- Check public Cloud provider background.
- Check if you have access to Cloud provider key performance indicators (KPI) to review them. Review the KPI and get a certain level of comfort before signing up.
If not comfortable with the KPI’s then either Re-visit cloud migration plan or Build processes to address the KPI’s.
- Check if you have access to Cloud provider key risk indicators (KRI) to review them. Review the KRI and get a certain level of comfort before signing up.
If not comfortable with the KRI’s then either Re-visit cloud migration plan or Build processes to address the KRI’s.
- Check if the Cloud provider is financially sound.
There is more visibility into publicly traded cloud provider’s financials, while there is less visibility into privately held provider’s financials.
- Check how to get your data back if provider shuts down operations.
If not comfortable with the provider plans then either Re-visit cloud migration plan or Build processes for data recovery to address them.
- Check what happens if your cloud provider goes bankrupt.
If not comfortable with the provider bankruptcy plans then either Re-visit cloud migration plan or Build processes to address provider bankruptcy.
- Check if provider is using industry standard technologies and processes so that your business is not locked to a single cloud provider.
If not comfortable with the provider technologies, processes and plans then either Re-visit cloud migration plan or Build processes to address migrations.
- Check the location of the datacenter for national or state boundaries to avoid:
- Regulatory restrictions and
- Performance issues
While the Cloud Strategy benefits are real and are changing how we do business AND perceive business models; the fact remains that if your business is at stake and then you have to balance the risk vs. reward equation.
In a nutshell; do your due diligence, put detailed policies, processes and controls on implementing proper checks and balances to mitigate risk to comfortable and acceptable standards in place and reap the benefits of the new paradigm, namely “Cloud”.
By Harry Sangha