A proper and well-formulated plan detailing an exit strategy during cloud service negotiations is key to keeping one’s job. Let’s have a look at some fundamental principles that should be observed when selecting a cloud provider and negotiating the necessary contract terms.
The Cloud Security Alliance Guide (v3.0) dedicates a whole chapter to the topic of Interoperability and Portability. I would like to highlight the important aspects of the chapter and also add my own perspective, based on personal experience with cloud providers:
Firstly, selecting a cloud provider is no different from choosing any 3rd party vendor for any other service. Yet for some unexplained reason, company directors have a higher level of trust in a cloud provider than in a “standard” 3rd party vendor. This can be a fatal mistake, especially if the organization hands over key business services to the cloud provider.
It is vital to undertake a risk assessment for each business process to highlight what the impact would be if the data and systems were compromised, changed or simply unavailable. In my experience, management is often overly optimistic in these assessments, especially when calculating the likelihood of a disastrous event.
Perhaps this is part of human nature, as we are generally very poor at assessing the likelihood of a threat. Management blindly sees a way of reducing cost by outsourcing these services to a cloud provider, mistakenly believing that the provider will do a better job than an in-house IT function! Negotiate hard, as if the contract is with a “3rd party vendor”.
Secondly, it is key to formulate an exit plan, whether for a planned exit or for an abrupt halt to services (as in the story above). Different cloud service models (IaaS, PaaS, SaaS, SecaaS) have distinct characteristics at a technological level, which ultimately affect how a company transfers these services from one cloud provider to another, or to a company’s own datacentre.
Infrastructure as a Service (IaaS) is seen as the easiest to migrate, while Software as a Service (SaaS) can prove extremely difficult, costly or even impossible. This aspect should always be added to the base business case before deciding whether to use a cloud service. Sadly, this does not happen often, and in many cases future CIOs pick up the bill for a previous incumbent’s lax approach. Plan for migration from the cloud provider and be pessimistic about the difficulty of the migration.