A guide to negotiating and assuring cloud services
by Mike Small - Senior Analyst at KuppingerCole - Wednesday, 17 April 2013.
How can an organization safely adopt cloud services to gain the benefits they provide? The easy availability of cloud services has sometimes led to line of business managers bypassing the normal procurement processes to obtain cloud services directly without any consideration of the governance and risks involved.

There is a confusing jungle of advice on the risks of cloud computing and how to manage these risks. This guide provides the top tips to negotiating and assuring cloud services.

1. Remember it’s just another way to obtain an IT service

The cloud offers an alternative way of obtaining IT services and, for most organizations, will form just part of the overall IT service infrastructure. It needs to be considered together with other alternatives using standard criteria such as risk, security and efficiency. Good IT governance is the best way to manage, secure, integrate, orchestrate and assure services from diverse sources in a consistent and effective way.

2. Understand the business needs

Understand the business requirements for the cloud service – the needs for cost, compliance and security follow directly from these. There is no absolute assurance level for a cloud service – it needs to be as secure, compliant and cost effective as dictated by the business needs – no more and no less.

3. Adopt the best practices

Adopt one or more of the frameworks or industry standards for IT governance and security management that are available. These represent the combined knowledge and experience of the best brains in the industry. However, be selective as not everything will apply to your organization. Whatever standards or frameworks you choose, select a CSP (cloud service provider) that conforms to them.

4. Classify data and applications

The needs for security and compliance depend upon the kind of data being moved into the cloud as well as its sensitivity. The most important step is to classify this data and any applications in terms of their sensitivity and regulatory requirement needs. This helps the procurement process by setting many of the major parameters for the cloud service and the needs for monitoring and assurance.

5. Adopt a standard process for selecting cloud services

Set up a standard process for selecting cloud services that enables fast, simple, reliable, standardized, risk-oriented and comprehensive selection of cloud service providers. Without this, there will be a temptation for lines of business to acquire cloud services directly without fully considering the needs for security, compliance and assurance.

6. Manage contracts

Managing the cloud service depends upon the terms of the contract between the cloud customer and the CSP. A recent article on negotiating cloud contracts published in the Stanford Technology Law Review provides a comprehensive list of the concerns of organizations adopting the cloud and a detailed analysis of cloud contract terms. According to this article, many of the contracts studied provided very limited liability, inappropriate SLAs, and a risk of contractual lock in. Beware of standard terms and conditions set by the CSP and consider carefully when to accept them. If the CSP won’t negotiate, try going via an integrator.

7. Ensure clear division of responsibilities

You can outsource the processing, but you can’t outsource responsibility – make sure that you understand how responsibilities are divided between your organization and the CSP. For example, under the UK Data Protection Act, the cloud processor is usually the “data processor” and the cloud customer is the “data controller”. The “data controller” can be held responsible for breaches of privacy by a “data processor”.


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th