Moving to Cloud Part II – Requirements and Risks

Once you’ve figured out candidates for moving to the cloud, the next stage is to take a deeper look at requirements and risks. Just to make it more complex, these will differ between private, public, community and hybrid clouds. For the purposes of this blog let’s imagine that you are moving to public cloud.

One of the issues that you need to tackle up front is how to assess risk. All too often someone waves a risk flag that is unqualified. This is the classic, “If it is not in my control, or my idea, or I don’t understand, then it is clearly too risky to be done” approach. A risk is escalated like a skyrocket and everyone stops. Everything stops because there is usually no process to actually manage any risks that are raised. Unless you have a risk framework, you’re just going to slow down every time one is raised.

Basic risk frameworks allow:

  • Risks to be identified.
  • Risks to be scored, by likelihood of happening and consequences of occurrence. The higher both are, and so the total, the higher the risk. There are dozens of different risk scoring methods out there.
  • Risks to be managed. Risks can be accepted, avoided, reduced, and shared. You need someone with authority to make those decisions, and a plan.

For a good start to Risk Management, check Wikipedia.

Armed with your risk management framework, you can now start to assess common risks and requirements that you’ll need to cover off with any services that could be candidates for Cloud.

Security as a Risk & Requirement

Security is probably the most mentioned risk and reason not to utilize Cloud, but how real is it? On the face of it, moving to Cloud does not increase your security risks at all, and depending on what your organisation does today by way of security for your internally delivered ICT Services, it may actually be less risky to be in the Cloud.

Again, this is very similar to outsourcing your services. Effectively, as an organisation, you lose control over your ICT Services while at the same time increasing the number of people who have access to them at an admin level.

On the flip side, one of the reasons cited for moving to outsourcing, and cloud, is the need to increase security for an organisation.

The Moving to the Cloud whitepaper (Cloud Computing Use Cases) notes that:

“Security is consistently mentioned as the most important concern for organizations moving to the cloud. Although the cloud does not introduce any new security threats or issues, it does increase the number of people who have access to the organization’s resources. The most significant difference when considering security from a cloud perspective is the organization’s loss of control, not any particular technical challenge. With an in-house application, controlling access to sensitive data and applications is crucial. With a cloud-based application, access control is just as important, but the data, infrastructure, platform, or application is under the direct control of the cloud provider.

To adequately secure any system, a number of security controls are necessary. Some of the most common security controls include securing data, storage, networks and endpoints; defining identities and roles and the access control policies for them; and key and certificate management. The services offered by a cloud provider must support all of the security controls the organization needs.”

Privacy as a Risk & Requirement

Following closely behind the Security issue is privacy. Organisations, particularly in New Zealand, have very stringent legal requirements set down in this area. Failure to protect privacy can result in personal trauma to individuals, embarrassment to an organisation, and very costly fines.

Again, the risk component of this needs to be managed carefully. How does your organisation manage this today? Is that enough? What increases in privacy protection could Cloud provide? What requirements do you need to put around privacy?

I suspect that in most cases, within New Zealand, and with small to medium companies, privacy rules and classification (sensitivity) of data are not that well-managed. The reason is that it is a compliance cost and overhead that requires a reasonably large organisation to have the resources to look after. Cloud may bring an opportunity to resolve some of those issues.

Single Sign On

This is obviously a requirement, not a risk. In order to access cloud services, deliver the correct level of security, and manage privacy, some type of single sign on is going to be needed to authenticate your users. As the hybrid cloud grows (different services sourced from different cloud providers in the private, community, and public clouds) the requirement for a robust single sign on service increases exponentially.

Vendor Lock In Risk, or, the Requirement for Interoperability & Portability

There is a real risk, particularly in smaller markets, that vendor lock in can occur for your cloud services. While this may be acceptable if you are moving your ICT Services into a private cloud, for community, public, and hybrid cloud services, this presents a problem. Once the Cloud provider has your business locked up in their datacentre the ability for you to move away is massively reduced and the transition costs high.

This means that you need to set some requirements around interoperability and portability of your ICT Services. For highly consumable services, this is reasonably easy (think web or development environments), but for legacy and bespoke applications, this can be more difficult: you may have an application that simply can’t be virtualised and needs to have its own piece of infrastructure to operate. There will be a trade-off between vendor lock in, cost, and flexibility. Don’t forget, vendor lock in can be more than just technical; make sure whoever is negotiating the commercial agreement doesn’t lock you in legally.

Service Levels

I covered Service Levels in Moving to the Cloud – Classifying your Information Services, but I can’t stress this enough.

If you don’t know, via a simple framework, what ICT Service levels your business needs you to deliver to support it, then you are going to have a very tough time knowing what you want to buy and analyzing offerings.

In Summary

The move to Cloud has its risks and its rewards. Risk has to be measured via a framework, as does reward. Risks present an opportunity.

There are a number of requirements that are unique to Cloud, similar to outsourcing. These need to be carefully articulated in order to drive your risk down and meet your business needs.
