KuppingerCole Webinar recording
Good afternoon, ladies and gentlemen, welcome to our KuppingerCole webinar, "How mature is your cloud?" My name is Martin Kuppinger. I'm founder and principal analyst at KuppingerCole. In today's webinar, I will look at what defines maturity of the cloud, why we have to look at this issue, and touch a lot of topics around this: look at the approaches and tips on how to improve maturity, look also at how to measure maturity, etcetera, looking at a lot of aspects around this, touching some of the points rather quickly and going a little bit more into detail on others.
Let's assume the webinar will take approximately 45 to 50 minutes plus the Q&A session. So before we start, some general information on KuppingerCole. KuppingerCole is an analyst company. We're providing enterprise IT research, advisory, decision support and networking for IT professionals through our research services,
where we create reports, our Leadership Compass documents comparing vendors in various segments, etcetera; through our advisory services, where we provide trusted advisory in projects for end user organizations and vendors; and our events. Amongst our events, and aside of all the webinars we are doing, there are two upcoming events, so onsite events. One is the EIC, which will be held again next year, May, in Munich, the lead conference in Europe around thought leadership and best practice, an event you should not miss.
And the other one, I think a very interactive and interesting event, is our upcoming Information Risk and Security Summit. This is a one-and-a-half-day event, which will be held November 27th and 28th in Frankfurt. It's about thought leadership again, and it's done in a very interactive session format.
So we have identified five key topics, probably five of the most interesting and important topics in information risk management and information security these days, which include cloud maturity and several other topics, like how to extend your enterprise, how to deal with all the external services, etcetera, all the external identities. And our sessions will usually be done in a way where we start with a short, sort of thought-provoking presentation, usually by a KuppingerCole analyst, and then have a lot of time for more intensive discussion.
It's a peer-to-peer format, sort of, so the focus is still on the end users; it's really an event for end users and the analysts. And so it's a great opportunity to exchange very intensively with a group of peers. So an event you shouldn't miss, and one of the topics will be around cloud maturity, diving deeper and beyond what we are doing today. So have a look at this event. Some guidelines for the webinar: you are muted centrally, so you don't have to mute or unmute yourself. We control these features. We will record the webinar, and the podcast
recording will be available tomorrow or latest Monday, and then there will be a Q&A session at the end. You can enter questions at any time using the questions feature in the GoToWebinar control panel. So usually at the right side of your screen, there's the GoToWebinar control panel. In this control panel, you can go to the area, the section "Questions", and enter your questions. I recommend entering these questions once they come to your mind so that we have a comprehensive list of questions by the end of my presentation.
So the agenda: the coarse-grained view on the agenda is rather simple. I will talk about how mature is your cloud, so doing my presentation; afterwards, we will have time for Q&A.
However, I have a fine-grained agenda, so the six bullet points here. The cloud driving IT transformation: I will set the scene a little bit, not spending too much time there, especially not spending too much time around what is the cloud or anything like that, but really more what it means for organizations, etc., and looking at what really is connected to the topic of cloud maturity, which is our core topic today. There's the area of cloud risk, which is around which risks we have to face.
Especially when we think about maturity, there are specific high-risk areas and areas of specific importance for this topic of maturity. And there's cloud governance, which is a part of the maturity approach, which also includes cloud assurance standards, so standards which can help us to increase our maturity in some areas. I will then come to some tips for increasing your cloud maturity and talk a little bit about measuring your cloud maturity. So what can you do, how to approach this, or how do we do it as an analyst and advisory organization?
So my starting point is a slide some of you might have seen before, which is the Computing Troika slide. It's about a huge scope of information security we are facing today. This scope is far bigger than it ever has been before. So we are not only looking at our on-premise and outsourcing environment and our internal users, maybe some partners, at our desktop systems and notebooks, but at more types of devices, sort of mobile computing stuff, at more types of users, which in fact is more than social computing.
It's really dealing with all our customers, leads, prospects, with more business partners in a more flexible way. And clearly there's the area of cloud computing. And these are three evolutions we are facing, which mean that we also have to look at it differently from a perspective of information security. So how to do information security in this changing landscape. And when looking at the cloud maturity stuff, information security and information management clearly are key aspects around the question of how mature is your cloud.
And so this is one of the things we clearly have to look at: information security, information management, plus cloud computing and cloud maturity are tightly related topics. So when looking at today's business challenges, there are various challenges organizations are facing, and some of these challenges really are driving the use of cloud services or at least the demand for cloud services.
So amongst these challenges, there are permanent challenges such as globalization, like the changing competitive landscape and growth, the need for growth of organizations. Other challenges are to increase earnings, which is related to growth, the hunt for talent, or occasionally economic turmoil such as the financial crisis or the Euro crisis, and changing regulations. As an organization, to remain competitive and successful means we have to react to these challenges.
And when I look at some of these challenges, then for instance, when we look at globalization and other things, the extended enterprise comes into play, so dealing with other services. When we look at growth, when we look at adapting to economic turmoil and other changes in our environment, agility clearly is a very important factor for success. And that means, as a consequence, that we as organizations need to become more agile. In today's world,
it means we need also to become more agile in our IT, and that's clearly one of the areas where cloud services come into play, but also sometimes for collaboration, for innovation, etcetera. On the other hand, there's compliance, which might be sort of the downside of going to the cloud. So in some cases, compliance really becomes a challenge, especially in these days where we've learned that there's probably more activity by the NSA and other secret services than we have expected.
So this is the other side of the story, maybe where we say, okay, compliance also might be a mitigating factor when moving to the cloud, something, I will talk about a little bit more at a later point of time in my presentation. So when we look at these business success factors and the business drivers, so these changes we, or these things we need to have in the business and at information security, then some of these are, are more business oriented, such as agility, extended enterprise, etcetera.
Whereas others are more on the information security side, such as compliance, breach notifications, maintaining the value of information, protecting our valuable information, our intellectual property rights, etcetera. What is clear today is that in this changing landscape, this Computing Troika stuff, information security is a very important aspect to enable the business success factors. So agility can't come for the price of compliance or ending up with breaches, etcetera.
So information security needs to enable moving forward and agility in IT, cost savings and things. And that means when we do things, and when we use the cloud as one of the important changes we are facing and the new opportunities we are seeing in IT, then we still need to do it in a secure way without prohibiting or inhibiting our business in moving forward and becoming more agile, more open, saving costs, etcetera. And this is really where the interesting story around cloud maturity starts. So we have various cloud models.
So we have the public cloud model. We have the private cloud model. So in the public cloud model, everyone is sharing the same infrastructure as everyone and anyone. That's necessarily sharing the data, hopefully not sharing the data. The private cloud is more sort of the opposite: you are really using your own environment. There might be community clouds, where you are sharing the infrastructure with selected others, hybrid clouds, where you might share some things sometimes, etcetera.
So this is basically the picture you are all aware of. And the cloud, on the other hand, and we might add one other cloud to this picture, which is the on-premise environment. The cloud is not the only thing we will use. So it's one amongst the others. And so this goes into our KuppingerCole Future
IT Paradigm we have defined some, was it, close to two years ago. In this paradigm we thought about how should IT look like in future, so how should IT organizations look like, how should we structure IT. And the result is this three-layered model. On the top, it's about providing to the business what business really requires, so the design of services, requesting services, etcetera. At the bottom layer, that's where these services come from, and this can be on premise or the cloud or everything in between.
So when looking at the various cloud models, to be successful, from our perspective it's a hundred percent important to manage services and information consistently across the various production and procurement environments. So this is the point where we really need to keep things together. And from our perspective, cloud maturity really means that we manage cloud services in a consistent way, and that we manage them consistent also with our on-premise services.
In fact, it means that we have to understand our on-premise IT production, so the technical part of our IT, as just sort of one other cloud, and all services are handled the same way, regardless from where they come. And also information is handled consistently across all services where it is managed, regardless whether it's on premise, private cloud, hybrid cloud, public cloud, whatever you can imagine. And then IT and security management on one end.
So the key area of it management, especially information security come into play, looking at how we handle information, how we secure this information that's that can be done consistently. If we manage to have a consistent service management across all services, all cloud services. So not having to spread across the organization, running in departments, cetera, we have to keep it under control in a new, it act, fell different from today's it several challenges, but this is where we really have to bring things together.
Again, all the IT services we have. That's also where the governance comes into place. Governance really looks at service and information management. We have various reports out on that, so around the future of IT organizations, etcetera, which describe this paradigm, and one of the things we consider as highly important for cloud maturity is that we have an adequate organization of using cloud and on-premise IT services.
And the only place from our perspective where we can do this, and the only way of doing it, is by having a central service and information management layer in place where we run these things. Usually I don't pick questions, but there's an interesting question coming in and I just want to pick it directly. So where does business continuity management fit into this paradigm? It fits into this paradigm on two layers. One layer is the service and information management layer.
So really for IT management and information security, from the governance, our requirements, identifying controls, etcetera, which influence service management. There we have, for instance, the understanding of what is the required service level, etcetera. In the information management, we also have the view on this: is our information secured, can we restore information, etcetera?
So the management part of business continuity management is done at the service and information management layer, because it's part of service and information management, and it might deliver into governance controls, into information security and other controls. Technical enforcement is done usually by the IT service production and procurement. There might also be the need for having additional services, which are ordered by service and information management from on premise or cloud for additional business continuity capability.
So I don't want to spend too much time on that because I have a lot of Analyst slides, but that's basically the idea behind this. I think it's very worth having a look at this paradigm. As I've said, there's a lot of information available on our website, such as the report on the future of IT organizations; there will be some updated documents around it as well soon. Okay. So let's move forward.
When talking about the cloud, a very clear thing is that a lot of people understand, probably most understand, that there's also some risk associated with the cloud. So we clearly have a notion of risk when it comes to the cloud. And over the last few months, the risk perception probably has changed. When looking at what happened with some of the more consumer-facing cloud services in the US, with the NSA having a lot of access to this, etcetera, then I think the perception of many people has changed and many are scared.
There's a lot of FUD, fear, uncertainty, doubt, out there. I think, again, it's important to be realistic. And the thing I want to start with before we move to the cloud is, and again, this is a part of the maturity story, risk as a common language. It's a part of the maturity story because when we look at risk, this is where we need to be good, to mitigate and minimize risks. So a mature cloud necessarily means we are handling risk in an adequate way. And if you don't seek risk, etcetera, we are obviously not very mature in what we are doing regarding the cloud.
So there are various levels of risks. So strategic risk, operational risk, reputational risk. Risks,
in fact, always map to strategic, operational or reputational, or maybe sometimes more than one. What we need to do as IT, as information security guys, is we need to move away from "we can't use that service, we can't do that" towards "these are the options you can choose", and all of these options, so using a cloud service in a standard way, maybe moving it to a private cloud version, replacing it by an alternative service, etcetera, they have their benefits, their costs, their risks.
And to take some time, you might add more factors, but I kept it very coarse-grained here. What we need to do is we need to name the risk. We need to show what are the alternatives, and then allow business to decide about and take the risks. We don't also need to provide compensatory controls. We need to provide a governance process which looks at these risks, etc., which provides continuous information, but that's the way we need to do it. So this is basically the starting point: risk. And when we look at the cloud, then there are various areas of risk.
So probably the biggest risk: loss of governance risk. You only need a credit card to use the cloud, but was there any thought given to governance, risk, compliance? Can you assure the service levels are met? Good question. And I think this is really one of the areas where probability is very high and impact might be very high or at least high. This is one of the challenges; the Future IT Paradigm I've talked about before addresses this.
And that's, I think, a very important thing, and that's a very important part of cloud maturity, to avoid discourse, to keep the cloud under control. But there are more risks in this area. So there are risks around policy and organization, there are technical risks, and there are various legal risks. When we look at policy and organization, we have compliance, loss of governance, reputation, etcetera; technical risks, such as insider abuse of privilege, data leak, etc.
Legal, take it or leave it contract. So this is really one of the points which are important. I will look at this later jurisdiction aspects. So what happens in other categories?
So there are various types of risks we are facing. Clearly one of the biggest risks: who can access our information, is it always protected well, etcetera, which is part, I would say, of all of these areas, of protection of data, of jurisdiction. Does a cloud service provider have to give away keys due to a legal decision, which we just had recently in the US? How to protect data, how to avoid the data leak, that someone else can abuse privilege: by good encryption. So use good encryption, one of the measures we might use there.
So there are various types of risk and I will look at some of them. So when we look at legal risks, in general, outsourcing contracts are negotiated as a lay, but cloud provider contracts are more a take-it-or-leave-it approach.
So one of the risks here clearly is that we don't have as much control as we should have, which might lead to a situation where we end up with a standard contract which is far worse than any outsourcing contract we will sign. We have to be aware of this. And so liability issues, etcetera, are handled differently.
And, and so this is clearly one of the areas and having a, a standardized approach, for instance, for selecting cloud services in place will also help us to understand the risks of these contracts and to understand what it really means for our business risk at the end of the day. And this is again, one of the areas when we look at maturity, we have to look at, and then we have to look at how to manage the cloud, how to manage governance. And because maturity, in fact, maturity is part of doing these things, right?
And one of the challenges really is we are moving away from a direct governance model we have in our on-premise environments, we have in our outsourcing environments, towards sort of an indirect governance model. We have less control about these things. And we have to handle it in an appropriate way, to understand where are the risks, how to deal with them, so that we end up as a mature cloud, which as I've said before, always starts with the question of: do we know which cloud services we are using or not?
So when looking at cloud governance, there are various aspects or various steps to do. The first one is we need to understand the business requirements. We need to understand which service we need to provide to meet these business needs.
Many, in many cases, business council says we want to use the cloud service. We might show alternatives. In that case, we need to understand the risk probability and impact and the risk response. So what are the risks on the various levels?
Legal risks, technical risks, etcetera; what is the impact, how to deal with it, what are the compensatory controls, and so on. We need to clarify responsibilities and we need to assure the delivery of the cloud service. So these are sort of five major steps within cloud governance, not so different from anything we do on premise, by the way. When we look at assessing the risks, then we have to understand what are our risk scenarios, so the assets, the vulnerabilities and the threats, and this also relates tightly.
So understanding the risk of the service relates tightly to understanding the risk of information, because the assets typically are some pieces of information. That might be very valuable information, in the sense of: these are our crown jewels, this is the most important intellectual property we have. It might be also information where we say it's not that important, but we have some compliance issues around it.
So PII, personally identifiable information, for instance. It might be both; our customer data might be both. So that's where we have to look at: the asset, this information, then vulnerabilities and threats we have to understand. And I think it's very important that we really understand who might be the attacker, from sort of the normal hacker up to the nation state type of attacker. The risk analysis is likelihood and impact, the risk appetite, and the response: accept, mitigate, transfer, avoid. So what can we do?
And ideally in a maturity model in this area, for instance, the encryption stuff comes into place. So mitigating risks means thinking about encryption, adequate approaches of encryption. And these days, it probably also means ensuring that the keys are always held in your own organization, in a hardware security module, well protected, and not having the cloud service provider managing the keys to your kingdom.
Because when we look at what originally happened with this Lavabit, I think it's called, this US email provider, where a US court decided that they have to give away their primary keys, to really give access to the kingdom of all their customers due to a legal decision, then we are in a situation where we need to assure that we have these things under control, so that we still remain protected when using cloud providers. So this is one of these things with a maturity approach and understanding how mature your cloud is: to understand, do you have an appropriate process in place?
Do you do really a risk rating? Do you understand what your risks are?
If not, you obviously have a maturity issue. It's done. And that's the consequence of the entire thing: it's about choosing the right cloud. So sometimes it's just a public cloud service you can access, but in many situations you might have an option, either by using another type of cloud service with the same set of features or a comparable set of features, or by running a service not as public, but as a private cloud service, whatever. So in the infrastructure as a service area, several offerings allow you to run it as a private cloud instead of a public cloud.
And even some of the services, which commonly are perceived as pure public cloud services can be run as well as more private or hybrid services. So understanding the models, the deployment models and the management issues is very important to do here. And as part of this process, it's important to move into this direction. You also need to look at different aspects to define responsibilities.
So in the compliance area, who is responsible for what, the customer, the provider? And that's also when you look at your own responsibility beyond compliance, but especially in that area, again, encryption is a key topic.
So when you think about your own responsibility, then you should understand that even while you might say that it's the provider's responsibility for protecting your information, it's better to protect it yourself as well by encryption, because you never know what a court might request from your provider. Define your responsibilities in the sense of business continuity. So here we are at this: it's a split responsibility. When we look at the cloud, it means your responsibility is really that's.
Again, this middle layer I've been talking about service management, information management, have your plan, define your services, etcetera, request adequate solutions from your providers and maybe put additional services in place for enhanced business continuity data return. One of the most important things, if you didn't consider the data return aspects, your, your cloud obviously is not very mature. So data return is one of the major things to consider what happens when your cloud provider goes out of business.
When you want to switch your cloud provider, when you want to switch back to on premise, you need to have thought about this before you move to the cloud. What happens in case of doing one of these things? You need to ensure that you get your data back and that there's not a copy remaining at the provider side. One of the important things, one of the key requirements for a mature cloud. So there are various things.
And then, you know, in many cases, it's understanding of how these things really map to each other. So you have requirements such as your goal, compliance with EU privacy laws, then you have to look at a cloud service in various ways, and this might be a thing. So you might say, okay, the thing I can do is information classification, which things can go out where, to understand the geographic location, etcetera, and then you need to find a solution, and you also might need to move forward and say, okay, I define various options.
And again, what I've had at the beginning when talking about risk: I find how risky the different options I have for a cloud service are. Okay. So I have talked a little bit about governance aspects, and governance is a clear and broad element of the maturity for mature cloud implementations. Let's move forward to cloud assurance standards. I won't go into detail that much on the standards. We have some other webinar recordings around cloud assurance available, also several reports on cloud assurance, the cloud standards, etcetera.
So there are various ways. So there are major frameworks such as COBIT, ISO 27000, etcetera. The major frameworks are things which are for information security, for IT in general, so not specific to the cloud, but usually very well able to cover a lot of things in the cloud. We have standards, and the bad thing there is we have more than 35 cloud standards initiatives as of now, plus some industry-specific standards, which is a little bit of a nightmare, sort of causing a chaos here.
We have various sources for advisory: Cloud Security Alliance, ENISA, or European network security agency, the German BSI, Analyst. And we have various types of independent assessment, so different types of assessments that a cloud service provider can use. I won't go, as I've said, into every detail on that, but I think what is important to understand is that there are some major frameworks which are used by a lot of organizations. So according to numbers from the, the two major ones are ISO 27000 and ITIL.
So these are really the two major ones which are in use in most organizations. And it might be a good idea, even when looking at a cloud, to start with these standards. There's also good reason for that, because in contrast to the pure cloud assurance, cloud governance, cloud security standards, both ISO and it, from my perspective is a little bit too technical, but works well for both areas, and it works for on-premise and the cloud. And when we go back to the Future
IT Paradigm, the must-do thing from my perspective is to handle services consistently regardless of their procurement model. And that clearly means that an approach which works well for on-premise and the cloud is probably the better choice here. So COBIT, having a quick look at this: it's IT control objectives. And these are also objectives you can use for cloud computing.
So they also have their IT control objectives for cloud computing out. Four domains, plan and organize, acquire and implement, deliver and support, monitor and evaluate, and 34 processes there, where various control objectives are defined and mapped to cloud service models, mapped to cloud delivery models. So there's a lot of things out there, and why not rely on things which we already have, which already do a good job in many organizations?
There's also the CSA Cloud Controls Matrix, which has a lot of controls related to the service model, to the delivery model, the provider and/or tenant, segregation, which can be mapped and are mapped to other standards. And this, again, shows that there's a good relation between COBIT or between ISO 27000, etcetera, and the CSA controls. And so the other way around, it also says, if you start with ISO or something else, you will end up with a lot of controls which you already also find in the CSA Cloud Controls Matrix.
So you can again start with standards and you will see, okay, most of the things are there. You might extend it. You might use some other controls here, but basically this is a good starting point. There's an procedure as well. I will skip the slide because I have so many other slides out there, and there are various certifications. So for instance, there are various CSPs, cloud service providers, which have ISO 20000, 27001 certificates.
However, the certificates might be fairly different than what they exactly do. So you should make sure you understand the scope of the certification. Nevertheless, there, there are a lot of things.
There are various standards for both on premise and the cloud. There are mappings of various standards. There are certifications. Part of the cloud maturity program you should implement in your organization is to understand which to rely on internally, to ask for which types of certifications and assessments to do. As I've said, there are other webinar recordings which go deeper into the cloud assurance stuff. And there are also KuppingerCole reports out there on cloud assurance, etcetera.
So have a look at these for more details on that, and you need to understand that there are metrics that you should measure. This is a key thing to do to be successful. There are various things you can do. So just looking at some of the controls, ISO 27000 defines how to deal with data return. So a contract needs to specify ownership of data, time and cost to return data on termination, and data return in usable format. So if you just look at the ISO 27000, there are things in it which are very clear to check, where you can build your checklist and measurements.
Do you fulfill these requirements, etcetera? The same is true for data processing. So if you look at the data processing stuff there, the right questions are sort of asked, and you should be able to answer these questions.
And again, it's true for business continuity. So there are standards, there are a lot of things here which can help you to move to a more mature approach on cloud computing, to a mature cloud, and not everything is really new. A lot of these things, and this is really very important from my perspective, are probably already in use in your organization. And overall, I think it's a good idea not to reinvent the wheel, but to rely on what you have and to expand it by the cloud-specific things.
Instead of having sort of a cloud governance and an on-premise governance. Splitting up the things is not the best idea, because at the end of the day, your world will be hybrid in most organizations for many, many years. And so your entire way of dealing with it should be focused on a hybrid world, which you manage consistently. So how to increase your cloud maturity. There are a lot of things. And I think I've touched a lot of points around increasing the cloud maturity.
I'll start with 10 tips for cloud assurance, because this is one important part of the maturity. Good governance is essential to assure cloud services. So you need to have a consistent governance approach, and it should ideally be a governance approach which is for IT or information management in general, not only for services. Business needs dictate assurance requirements.
Yes, but it's about finding the balance. So the art of doing this is clearly not to end up in the role of the notorious naysayer, but as a business enabler who shows alternatives. So the business still can use the cloud service, but understands, takes risks or ideally mitigates the risk before doing it. Select relevant best practices for you and your cloud service provider. The latter might be more difficult depending on the size of the cloud service provider.
And there are a lot of best practices out there; it does not need to be reinvented in all areas. Adopt the standard process for selecting cloud services. This is, I think, a very important thing. So you need the standard process to select cloud services. And this process has run through a central organization.
Again, that's where I've talked about our future IT paradigm. Trying to share the assessment program. Good idea they are. And there's an increasing number of assessment programs which assess service providers; it makes sense to work there. Classify data and applications for sensitivity and compliance. Encrypt what you need to encrypt, by the way. Understand and agree who's responsible, maybe also accountable, for what. Matter performance against business needs. Require independent certification. Understand what the certification means. So having a certificate is not sufficient.
You need to understand what it is exactly about, especially for certifications which might end up at various levels, various means, and understand if this really fits your needs. Some more tips on this when it comes to increasing cloud maturity: redefine your IT and information security organization to a service and information management organization, show the benefits of what you're doing, of this organization, and show the benefits when you're saying, okay, it's better to do it that way or that way, these are the risks. These are the benefits.
This is the way to do it. So beyond cloud assurance, it is really, I think, very important to adapt your organization and your processes to do this. Thinking risks, talking risks, align to a common language for the business. Risk is really sort of the common language for the business; business thinks in risks. And you have to show them what the risks are regarding information security, cost, availability, time to market, etcetera, and allow them to make informed decisions, instead of just saying, no, we can't do it. And as I've said, this is a foundation. It's our critical future
IT paradigm I've talked about more intensively before. So it's just sort of a reminder.
Finally, when we look at cloud maturity, it's also about understanding where you are. So how to measure cloud maturity. We do maturity assessments for various areas within the information, in the IT space, mainly in the information security space.
However, cloud maturity in fact is very much about information security. So it's clearly our scope. When measuring cloud maturity, or in general doing maturity assessments, I think it's important to understand what it really needs for a maturity assessment. It requires an in-depth knowledge of the status of the technology or service market segment. The brokers are related to. It should not be today. It should be to, so what is the current status? What are we really looking at? You can also say talk about maturity, but you know what maturity really means.
So what does a really mature organization look like, a really mature service provider, etcetera. Knowledge about the status of other organizations, both in the industry of the organization and in other industries. So to measure maturity, you also need to understand where others are, and it requires a good understanding of trends and evolutions that will have an impact on the programs and investments. So what are the things which you should think about today when you are thinking about maturity, is it good or not?
This is not only based on the history but also based on what's likely to happen in the future. That's, I think, where it makes a lot of sense to have external parties, such as analysts, doing this. The way we are doing this for all types of services: we use six, six technical criteria. All of them are sort of collapsed criteria where we look at things such as visibility, acceptance, or organizational structure, or the risk awareness in auditing.
When we look at the organizational points, or when we look at technology, the overall information security achieved, the encryption and protection, how to handle business continuity, data return aspects, compliance controls. We compare it with maturity levels we have defined; we compare it with best in class, with good in class, and with the current average. So good in class usually clearly is below best in class, but best in class might not be your target. So you might say, it's okay if I'm good in class, I don't need to be best in class.
And good in class usually is above average. So you can compare yourself to maturity levels, and you can do it in other ways as well. For showing here, for instance, an example of arise or image or good in class level. So when we look at cloud maturity, it's really about that. That a lot of organizations are that also the good in class is not very high. So good in class is not really good.
It means only that the better ones are at least not horribly weak in most areas, and organizations might be better in some areas, might be worse in others. And thus are able to identify where to invest. For instance, in that area, technical master plan, risk awareness, auditing, scope, coverage, or organizational structure, or compliance controls. Whereas in business continuity, they might be better than the good in class; they might decide on not investing that much. So this is the way we are approaching this. And the way we deal with the topic of cloud maturity.
So understanding how mature your cloud is is not that simple a task. So there are various elements going in. And what you already should do is looking at it from these various angles, and looking at where you are, doing it yourself or with support from others. How to apply what you learned today, or what I've talked about today.
I think in the next three months, look at identifying one other cloud service that you are using, or plan to use, look at the business requirements, try to understand what really causes this, list the risks associated, and compare these risks to assurances being offered by the provider. So check what is being monitored and how, and when you have learned to understand this, extend it to other services and move forward to drive a project to set up a standard process for acquiring cloud services to meet the risk appetite of the organization.
So really make it a standard process for cloud service provider selection, and set up a standard governance process for the entire cloud. This is the key thing for maturity. So if you have a process for selecting and a good governance process, then you are very likely to end up with a rather mature cloud. If you have neither of these, your cloud most likely will be very, and one of the longer term things is reorganize your IT, think about what your IT has to look like to meet the requirements of the cloud. For sure we can help.
But I think there are also a lot of things which you can do by yourself. So this is currently with my part of the presentation. If there are any questions, please enter these questions right now, so that I can pick the questions. So the one around business continuity, continuity management, I've already answered. There's another question around the STAR certification program from the Cloud Security Alliance and BSI: how useful are external certification schemes for cloud assurance? I think first of all, in general, such programs are useful.
I think there's a good value in doing such things, because it really helps you to understand a little bit better how good your cloud service provider is rated.
However, you need to understand what this certification scheme is about and how it is done. So not just saying, this is a checklist thing where I say, okay, it has that rating, that certification, etcetera; understand what specifically has been done, how it maps to your specific requirements, your risks. So does it really help you or not? What is left open? What is addressed by this? And I think this is really the point when it comes to these certification programs: go out and try to understand what is behind this.
Any other questions? As long as I wait for the questions, again, the hint on our upcoming events. I think it's very worth attending our IRS summit. And clearly it's very, very worth attending our European Identity Conference. I've also added, and you'll be able to download the presentation, I've added several information sources around areas of these new standards, also around several reports. For more, have a look at our website. There's a lot of information available around this.
And when looking at the cloud and how mature your cloud is, look at what is the remaining risk. Do you have a process in place to understand risk, to select cloud services, to protect cloud services, to govern all this stuff, to manage this thing at run time consistently, or IT organization?
If yes, you're more mature depending on how you did it. If no, if there are bigger gaps on that, then you should start really working on your cloud maturity. I hope I could give you some valuable information on this Friday. So for Europeans, I can already wish you a happy and calm and relaxed weekend. For the ones from other time zones, it might be a little bit more of a working day, but anyway, have a nice weekend and hope to have you back in one of the upcoming KuppingerCole webinars too. Thank you.