Qmunity: Your Colleagues. Your Connections. Your Content.

Playing it Safe: 10 Tips to Consider when Moving to the Cloud

Many managers are understandably cautious about moving to the cloud, yet it doesn’t have to be a daunting endeavor. Here are ten easy steps to mitigate risk as you begin leveraging cloud applications.

1/ Move applications in reverse order of risk, starting with the least critical, and with a clearly documented service level agreement (SLA) from the hosting provider. This way, you have an opportunity to become comfortable with the cloud and its benefits before moving mission-critical applications there. A documented SLA also ensures that both you and the hosting party are crystal clear on the deliverables and who is accountable for what.

2/ Look for more than audit reports. You need audit reports, but they are completely reactive, and some cloud providers offer much more. The best providers also offer real-time dashboards delivered via web services to show service quality states.

3/ If the hosting provider provides redundancy or backup services, there must be a specific SLA that defines the deliverables and limitations of liability.

4/ The connection between the client and the hosting provider must be a secure connection, not a series of port-level connections to the client. The provider must offer VPN/SSL connectivity at a minimum.

5/ The hosting provider must provide documented assurance and audits of the location of all client files in production and in backup. Any background replication of customer data must be clearly documented. The hosting provider must also provide assurances that, if you elect to remove data or applications from the hosting provider, all related archives and backups will then be removed from all hosted repositories. For more information, check how U.S. data privacy rules apply based on the data repository location.

6/ If the hosting provider will be offering access to solutions via the Internet, or using the Internet as a means for internal transport, the security warranties for such transport must be clearly documented. It’s critically important to understand who is liable and accountable for which elements, and where accountability lies in the event of a breach.

7/ If the hosting provider will be delivering services based upon the identity of the end user, the hosting provider should have a federated connection to your end-customer identity repository such that synchronization of proprietary data does not become a problem.

8/ If the hosting provider is hosting an application, there should be an application performance management model in place that provides an SLA for availability and performance.

9/ Be sure that the cloud provider doesn’t require you to go poking holes in your firewall to get information out of your system. Doing so will (correctly) draw the ire of your security teams.

10/ Be sure all parties are clear on what kind of data and data relationships will be stored at the provider’s location. What you want to avoid are surprises. You should also know if you have a dedicated or shared infrastructure.


Posted Aug 23 2010, 10:07 AM by RossChevalier
