Given all the attention lately on Cloud, I thought I'd write a short piece on what organisations need to think about when moving to the cloud. It is reasonable to say that there are some risks involved in migrating to the cloud. For example, an attacker only needs to compromise a single infrastructure (i.e. the cloud provider) to potentially access data from multiple organisations, or to conduct a denial of service that could impact an entire industry.
However, there are also benefits to moving to the cloud, such as agility in deploying products and services, infrastructure cost savings, and access to the cloud provider's skilled staff. When considering a move to the cloud, organisations ought to conduct an appropriate level of due diligence and recognise that migrating to the cloud does not mean migrating risk or compliance obligations to the cloud provider. Risk and regulatory compliance obligations remain owned by the organisation, whatever the contract with the provider says about who operates the infrastructure.
The way I see it, there are three phases:
- Why: Why do you want to move to the cloud?
- Who: Who do you select as your cloud provider?
- Check: Regular checks to ensure the cloud provider is consistently meeting its obligations.
Why: Understand why you want to move to the cloud and what you are trying to achieve by doing so. Which workloads does your organisation want to move to the cloud? Does cloud technology provide your organisation with definite benefits, such as cost savings or agility in launching new products and services? It is also important to consider what contractual and regulatory requirements your organisation is subject to (for example, restrictions on where data may be stored or processed) and whether those are compatible with moving to the cloud.
Who: After you have confirmed that moving to the cloud meets your objectives, you will need to assess potential cloud providers. Cloud providers ought to be measured against a set list of criteria. At the very least, ensure the criteria are in line with the policy requirements of your organisation (assuming your organisation has appropriate policies in place). When assessing cloud providers, make sure a thorough and detailed initial assessment is conducted covering, for example (this is by no means an exhaustive list):
- Which compliance assessments the cloud provider undertakes (e.g. ISO/IEC 2700x certification, penetration testing), how often it undertakes them, and whether it will share the resulting reports or certificates with you.
- How your organisation's data will be segregated from data belonging to other organisations, both at rest and in transit.
- What the control environment is like (e.g. implementation of data loss prevention tools, identity and access management).
- What monitoring and logging capability the cloud provider has, and whether your organisation can obtain the logs relating to its own data. Crucially, what incident management processes the cloud provider has in place, and how and how quickly your organisation will be notified of an incident affecting its data.
Check: After you have been through the Why and Who phases, the final phase is the Check phase. This is a cyclical phase in which your organisation takes ownership of the assurance exercises that ought to be conducted on the cloud provider, for example reviewing the provider's latest compliance certificates and penetration test results, and confirming that the segregation, control, logging and incident management arrangements agreed in the Who phase are still in place. The purpose of these exercises is to ensure the cloud provider is continually meeting its obligations as agreed in the Who phase. The Check phase ought to be conducted at least annually, and additionally whenever the provider materially changes its service or after a significant incident.