The Cloud Model
Here at the Thoughts On Cloud blog we concentrate on every aspect of software, process and direction that vertical industries can take when adopting a cloud strategy. The underlying cloud service is reaching a point where uptime is expected. Enterprises are having a hard time deciding between cloud providers based solely on claims of data center space, staffing support or available software packages. Companies now need to start including the cloud assurance techniques a provider adheres to in that decision.
Process, controls and governance
Each company currently (and hopefully) has established internal processes for change management within its computing systems. With the introduction of the cloud, through a totally hosted solution or a hybrid architecture, these controls must be modified and sometimes passed to the cloud provider while respecting what has been established. This holds true for governance of the data and for recording when changes are made.
Your enterprise will need to produce, validate and share your own internal processes with the cloud provider to begin the conversation about which areas you can modify and which areas they match in their current provisioning. Key business processes should have controls in place that are defined and well documented. If these do not exist, then be prepared to absorb whatever cloud assurance steps the provider has in place.
What should you ask the cloud provider?
Luckily for you as the reader I can give you a few sample questions to ask your possible cloud provider and direct you to http://CloudControls.org for even more information. Some possible questions to ask are:
- Where can I view your data and physical security policies?
- Where can I find an updated listing of your current software version and patch levels?
- Where can I find an updated listing of outage history (planned and unplanned)?
- Where can I view your internal change control procedures?
As you can see there are numerous areas of documentation you must not only be able to provide internally, but also view from the provider to compare overlap and areas where they do not meet your expectations up front. Many times these can be addressed or blended together.
Where does your responsibility end?
This is often the magic grey area that every provider and enterprise faces. Often small areas are left undefined, and when an issue arises fingers are pointed. A well-defined agreement with a cloud provider that understands cloud assurance will help guide you and can be adjusted to remove grey areas. Often, your internal network, Internet connectivity, bandwidth, local computers and local backups are your responsibility. The point where most providers take over is the moment you hit their external interfaces. Unless you have a dedicated Internet link to the cloud provider, you are both at the mercy of the major Internet providers. For any outages brought on by these connections between you, the agreement should define who will call the providers and establish timelines for service to be available.
The controls inside of cloud assurance are designed to help build stronger value in your business systems. Internal processes are followed to maintain service to your customers, which include employees, customers, suppliers and partners. Provider processes are followed to give support to tens if not thousands of customers. Without these two brought together, the cloud experience will fail. It is up to you as the customer to request that information from your cloud provider.
Read more about what IBM does for cloud assurance at http://www.ibm.com/cloud.