Cloud Service Risk Management Paper II
1. Support issues
The quality of professional support can affect the availability and smooth functioning of the application. The cloud provider’s help desk is a risk factor outside the client’s control, so it is difficult to manage this risk effectively. This is especially the case with non-private cloud solutions: when a client chooses a non-private cloud solution, support is likely to come from a shared resource. For a private cloud application, support comes either from the internal IT team or from a combination of internal and external resources. This type of support is especially important when the system is complex and mission critical and the data is sensitive. Cloud outages can come from various sources, such as:
- Risk from natural disaster
- Poor infrastructure maintenance
- Lack of planning at the facility
- Employee turnover
- Use of subcontracted resources with less control
- Communication skills
- Cultural differences
- Law enforcement and site closure
When an organization relies solely on the cloud provider’s help desk, that help desk is a single point of failure and the client is therefore at higher risk. The organization should have in-house standby support, as it would be necessary if the business needs to seek recourse against the application provider. The client can take a proactive measure by requesting information on support history and by having an SLA that guarantees an acceptable performance level. The client may also want to explore insurance to cover the loss of business from an extended outage.
As a good practice, even a client that has outsourced entire applications to the cloud should consider having a third-party oversight firm review the risk factors and test the mitigation strategy.
2. Data restore and recoverability
For an SMB, lack of application availability and failure to recover data can cause irreparable damage to the business. In most cases an SMB does not have the expertise to examine the risk factors and therefore cannot see them ahead of time. The client requires expertise in migrating data to the cloud, in data conversion, and in getting the data back for testing.
The client should check with the cloud provider on access to backup files for test restore and recoverability at the client’s premises or at a third-party site. This practice helps to validate the soundness of the backup process. If the provider has not shared its disaster recovery results, chances are that the client’s business will be affected when there is an outage. An SMB should therefore consider access to backup files and work with third-party technical support to review its cloud strategy and its test restore and recovery plan. Maintaining a periodic backup at a different location is a prudent decision, as it would help in the event that the provider goes offline for reasons outside the client’s control.
3. Terms and conditions
The terms and conditions in an agreement are vital to protecting business interests when running a business application in the cloud. Here are some of the key areas the agreement should cover:
- Contract termination and transfer of data
- Infrastructure availability and performance
- Data protection
- Define colocation hosting centers
- Intellectual property protection
- Law enforcement and lock down
- Certified and licensed platform
- Third party access to data
- Right for Information
4. Data Integrity
Data integrity is a concern when application data is managed externally in a public cloud. The client may not receive communications from the provider about changes in security, servers, storage, databases, network, or human resources unless they cause an outage. Often a provider will resist informing customers of a security breach, as it would affect confidence in and the integrity of the business.
The client can mitigate this risk by running periodic data validation on application data; the results should help to identify data integrity problems to a certain extent. Secondly, the client can request information on security incidents using the ‘Right for Information’ in the contract. The client can also engage a third-party technical support firm to validate security settings, if these are open for client access. In most cases providers do not share access to infrastructure, as it would open up security vulnerabilities.
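One way to carry out the test restore from section 2 and the periodic data validation described above, shown as an added example that is not part of the original paper: the client keeps a manifest of per-record SHA-256 digests taken from its own export and compares it with the records restored from the provider's backup. The record layout, the `id` key and all function names are assumptions, and the sample records are constructed.

```python
import hashlib
import json


def fingerprint(records, key="id"):
    """Map each record's key to a SHA-256 digest of its canonical JSON form."""
    manifest = {}
    for rec in records:
        # Sorted keys and fixed separators make the digest independent of field order.
        canonical = json.dumps(rec, sort_keys=True, separators=(",", ":"))
        manifest[str(rec[key])] = hashlib.sha256(canonical.encode("utf-8")).hexdigest()
    return manifest


def compare(baseline, restored):
    """Diff two manifests; any non-empty list means the restore does not match."""
    base_keys, rest_keys = set(baseline), set(restored)
    return {
        "missing": sorted(base_keys - rest_keys),     # lost in backup/restore
        "unexpected": sorted(rest_keys - base_keys),  # records the client never exported
        "altered": sorted(k for k in base_keys & rest_keys
                          if baseline[k] != restored[k]),
    }


def restore_ok(report):
    """True only when nothing is missing, unexpected or altered."""
    return not any(report.values())


# Constructed sample: the client's own export, taken before the test restore.
EXPORTED = [
    {"id": 1, "customer": "Acme", "balance": "120.00"},
    {"id": 2, "customer": "Birch", "balance": "75.50"},
    {"id": 3, "customer": "Cedar", "balance": "0.00"},
]
# Constructed sample: what came back from the provider's backup files.
RESTORED = [
    {"balance": "120.00", "customer": "Acme", "id": 1},  # same data, other field order
    {"id": 2, "customer": "Birch", "balance": "95.50"},  # balance differs
    {"id": 4, "customer": "Dogwood", "balance": "10.00"},  # not in the export
]
REPORT = compare(fingerprint(EXPORTED), fingerprint(RESTORED))

if __name__ == "__main__":
    print(json.dumps(REPORT, indent=2))
    print("restore verified" if restore_ok(REPORT) else "restore FAILED validation")
```

Storing the baseline manifest outside the provider's environment keeps the comparison independent of the system being checked.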
Overall, cloud services offer big benefits for SMBs if risks are managed effectively. An SMB client should consider engaging a third-party technical firm to validate risk factors and mitigate them effectively.