Technologies like cloud computing have created new challenges for CIOs and IT teams, but working with a cloud service provider (CSP) can relieve some of that pressure. How can your CIO and IT organization ensure that your CSP is doing the right things?
Here are eight tips to get you asking the right questions:
Before consulting with a CSP, assess your cloud needs. Start by asking your IT team:
These questions help establish the parameters of cloud service delivery.
These questions help ensure that you don’t get painted into a corner. A commitment to cloud affects service, equipment, personnel, licensing, governance and the overall development of an IT organization. A back-out strategy ensures that potential risks are adequately considered.
Calculating total cost of ownership (TCO) and return on investment (ROI) is part of developing a cloud strategy. However, it’s important to know what goes into the calculation, including unseen costs. For example, equipment that has no book value due to depreciation can still be used inside an organization. By understanding how TCO and ROI are calculated, you can see where the break-even point is when shifting from capital costs to utility billing. Cloud becomes part of the equipment lifecycle planning process.
Is vendor transparency in line with your business’ need for risk mitigation, compliance and auditing? If your IT organization is tied into the corporate risk matrix, cloud vendors must exceed these metrics.
Different industries, regions and countries have varying rules about data privacy, location, legal access and more. As data travels beyond the immediate control of a dedicated IT organization, the need for protective assurances grows.
IT leaders need to understand policy, process and metrics surrounding organizational resiliency, continuity and disaster recovery. That means you should have testing and auditing procedures in place to verify your CSP’s assurances. Does the provider conduct internal and external tests and audits on services that align with your compliance needs? How are threats and resource vulnerabilities identified? If there’s an intrusion, does the vendor have a policy for communicating the nature and outcome to you? Does the provider have documented certifications and audit reports?
Data management and security require stringent questioning of cloud service providers and an understanding of your organization’s maturity. Is cloud an appropriate delivery system? If data is co-mingled with other data, is there a security concern? Who owns the aggregated or summarized data? What is the on-boarding procedure for your staff and the provider’s staff? Does it align with your security and compliance needs? Is access available per your requirements?
Any decent systems engineer will shout that all security begins with infrastructure. Unauthorized access to data or applications only happens if there’s been a breach of the infrastructure. Therefore, these questions should be high on the list to ask potential CSPs:
When multiple vendors are involved, finger-pointing when something goes wrong becomes a favorite pastime. Some entity must either arbitrate or accept the responsibility for managing the other vendors, and this makes vendor transparency even more important.
CIOs may be aware of the resources being managed in-house, but they need to be even more aware of resources being managed in the cloud. Asking the right questions is a major part of a CIO’s job, so hopefully this list will get you started.