A guide to negotiating and assuring cloud services

How can an organization safely adopt cloud services to gain the benefits they provide? The easy availability of cloud services has sometimes led to line of business managers bypassing the normal procurement processes to obtain cloud services directly without any consideration of the governance and risks involved.

There is a confusing jungle of advice on the risks of cloud computing and how to manage these risks. This guide provides the top tips to negotiating and assuring cloud services.

1. Remember it’s just another way to obtain an IT service
The cloud offers an alternative way of obtaining IT services and, for most organizations, will form just part of the overall IT service infrastructure. It needs to be considered together with other alternatives using standard criteria such as risk, security and efficiency. Good IT governance is the best way to manage, secure, integrate, orchestrate and assure services from diverse sources in a consistent and effective way.

2. Understand the business needs
Understand the business requirements for the cloud service – the needs for cost, compliance and security follow directly from these. There is no absolute assurance level for a cloud service – it needs to be as secure, compliant and cost effective as dictated by the business needs – no more and no less.

3. Adopt the best practices
Adopt one or more of the frameworks or industry standards for IT governance and security management that are available. These represent the combined knowledge and experience of the best brains in the industry. However, be selective as not everything will apply to your organization. Whatever standards or frameworks you choose, select a CSP (cloud service provider) that conforms to them.

4. Classify data and applications
The needs for security and compliance depend upon the kind of data being moved into the cloud as well as its sensitivity. The most important step is to classify this data and any applications in terms of their sensitivity and regulatory requirement needs. This helps the procurement process by setting many of the major parameters for the cloud service and the needs for monitoring and assurance.

5. Adopt a standard process for selecting cloud services
Set up a standard process for selecting cloud services that enables fast, simple, reliable, standardized, risk-oriented and comprehensive selection of cloud service providers. Without this, there will be a temptation for lines of business to acquire cloud services directly without fully considering the needs for security, compliance and assurance.

6. Manage contracts
Managing the cloud service depends upon the terms of the contract between the cloud customer and the CSP. A recent article on negotiating cloud contracts published in the Stanford Technology Law Review provides a comprehensive list of the concerns of organizations adopting the cloud and a detailed analysis of cloud contract terms. According to this article, many of the contracts studied provided very limited liability, inappropriate SLAs, and a risk of contractual lock in. Beware of standard terms and conditions set by the CSP and consider carefully when to accept them. If the CSP won’t negotiate, try going via an integrator.

7. Ensure clear division of responsibilities
You can outsource the processing, but you can’t outsource responsibility – make sure that you understand how responsibilities are divided between your organization and the CSP. For example, under the UK Data Protection Act, the cloud processor is usually the “data processor” and the cloud customer is the “data controller”. The “data controller” can be held responsible for breaches of privacy by a “data processor”.

8. Require independent certification of your CSP
Independent certification is the best way to assure the claims made by a CSP. However, it is important to properly understand that what is certified is relevant to your needs. ISO/IEC 27001:2005 remains a key information security standard (although a new standard for cloud services is being developed). Although they are not specifically focussed on cloud, the recent standards for SOC reports (service organization control reports) are very relevant.

9. Trust but verify
Using the cloud inherently involves an element of trust between the consumer and the provider of the cloud service. However, this trust must not be unconditional and it is vital to ensure that the trust can be verified.