1 Executive Summary
This report is one of a series of documents around the use of cloud services. It recommends how the governance of security and compliance for the use of cloud services should be organized and implemented.
Many organizations are now using cloud services, although some do not realize how many. Some of these services are being used to enable business transformation and to allow them to get closer to their customers to provide enhanced services. Some are being used to reduce the costs of commodity IT functions such as email and CRM systems as well as to facilitate rapid development of business systems. Others are being used by employees just to get the job done.
Using cloud services places control of the service and infrastructure in the hands of the Cloud Service Provider (CSP) and this changes the risk and compliance landscape. However, since the customer does control some aspects, the overall responsibility is shared between the customer and the CSP.
There are four principal categories of risk from the use of cloud services – compliance, business continuity, data security and cyber security. Loss of compliance is the most prominent concern of organizations using cloud services. The specific risks depend upon the service model (SaaS, PaaS, or IaaS) and the deployment model (Public, Private, Community or Hybrid).
KuppingerCole recommends taking a good governance approach to all IT services and this is fundamental to securely embracing the use of cloud services and the benefits that they provide. The governance process must have board level sponsorship and clearly define the organization’s business objectives for the use of cloud services as well as the policies and constraints for their use. This approach must be implemented through managed processes covering their acquisition, security and assurance.
The organization itself needs to be ready to use cloud services; success starts with mature internal IT governance processes. There must be a robust process for procuring cloud services that should be easy to use so that it is not bypassed by line of business managers. Not all risks are equal – this procurement process must prioritize which risks are important and specify the controls needed to manage these. The cloud service customer must ensure that the controls for which it is responsible are properly implemented. Since the delivery of the cloud service is outside the direct control of the customer, it must assure that the service is delivered securely to the agreed specification.
The Future IT Paradigm by KuppingerCole provides a standardized model which organizations can use to implement their digital transformation. In this journey there are many stakeholders, and the future IT organization needs to engage with all of these to be successful. To successfully exploit cloud services there must be a leader for the cloud management processes. It is recommended that this leader be taken from the IT services organization. The leader must identify and engage with the organizational stakeholders in cloud services and ensure that the management processes achieve the required business objectives.