Mar 9th 2012
Our sister site, BusinessCloud9.com, recently posted this report from global nonprofit IT association ISACA. The association has prepared a useful guide, Guiding Principles for Cloud Computing Adoption and Use, which features six key Cloud Computing principles to ensure - or at least improve the chances of - successful adoption.
The Enablement Principle
Plan for Cloud Computing as a strategic enabler, rather than as an outsourcing arrangement or technical platform. To plan strategically for Cloud adoption and use, enterprises need to:
- Treat Cloud Computing adoption and use as a strategic business decision.
- Make informed decisions, considering both business and operational needs and the benefits that can be provided by Cloud Computing.
- Communicate Cloud Computing arrangements and agreements to internal parties to ensure proper alignment and consistent oversight.
- Periodically review organizational strategies and the contribution of IT to ensure that Cloud initiatives maximize value delivery, risk management and resource utilization.
The Cost/Benefit Principle
Evaluate the benefits of Cloud acquisition based on a full understanding of the costs of Cloud compared with the costs of other technology platform business solutions. To properly evaluate the costs and benefits of Cloud Computing, enterprises need to:
- Clearly document expected benefits in terms of rapid resource provisioning, scalability, capacity, continuity and the cost reductions that the Cloud services offer.
- Define the true life-cycle cost of IT services provided internally or through a provider to have a basis for comparing expected and received value.
- Balance cost with functionality, resilience, resource utilization and business value.
- Look beyond cost savings by considering the full benefits of what Cloud services and support can provide.
- Periodically evaluate performance against expectations.
The Enterprise Risk Principle
Take an enterprise risk management (ERM) perspective to manage the adoption and use of Cloud. To understand the risk implications of Cloud Computing, enterprises need to:
- Consider the privacy implications of co-mingling data within the virtualized computing environment.
- Evaluate privacy requirements and legal restrictions, considering client needs as well as provider restrictions and capabilities.
- Determine the accountability addressed in SLAs, the ability to monitor performance and available remedies.
The Capability Principle
Integrate the full extent of capabilities that Cloud providers offer with internal resources to provide a comprehensive technical support and delivery solution. To leverage both internal and Cloud provider resources effectively, enterprises need to:
- Understand the human and technical resource capabilities that exist in the current infrastructure and how a Cloud strategy will impact the need for these or other resources.
- Define the capabilities that a Cloud provider will make available as well as constraints on these resources, including periods of unavailability or priority of use.
- Consider emergency situations and resource requirements necessary to determine causes, stabilize the environment, protect sensitive and private information, and restore service levels.
- Determine how policies, practices and processes currently support the use of technology; how transitioning to a Cloud solution will require policy, practice and process changes; and the impact these changes will have on capabilities.
- Ensure that service providers can demonstrate that personnel understand information security requirements and are capable of discharging their protection responsibilities.
- Ensure that internal staff have the skill and expertise to coordinate activities with Cloud providers and that they are engaged in Cloud service acquisition and ongoing management.
- Ensure that effective channels of communication are provided with provider management and key specialists, particularly for problem identification and resolution.
The Accountability Principle
Manage accountabilities by clearly defining internal and provider responsibilities. To ensure that responsibilities are clearly understood and individuals and groups can be held accountable, enterprises need to:
- Understand how traditional responsibilities are assigned and implemented within the existing organizational structure and as a part of policies and practices to determine how these are addressed within Cloud solutions.
- Determine how responsibilities between tenant and provider organizations for Cloud solutions are assigned and how communications between accountable individuals and groups will be facilitated.
- Ensure that processes and procedures provide a mechanism to ensure that responsibilities are accepted and accountabilities are clearly assigned.
- Maintain within the governance structure a means of reviewing performance and enforcing accountabilities.
- Consider the risk to the enterprise as part of the enterprise risk management program, the impact of potential lapses in assigned responsibilities, or the impact of not being able to assign accountabilities.
The Trust Principle
Make trust an essential part of Cloud solutions, building trust into all business processes that depend on Cloud Computing. To ensure that business processes that depend on Cloud Computing can be trusted, enterprises need to:
- Clearly define confidentiality, integrity and availability requirements for information and business processes.
- Understand how reliance on Cloud Computing solutions may impact trust requirements.
- Structure the efforts of security, risk management and assurance professionals within both tenant and provider organizations to ensure that trust requirements are known and satisfied.
- Monitor changes in business use of Cloud Computing, vulnerabilities associated with Cloud solutions, and implementations across tenant and supplier environments to ensure that threats to trust can be identified and resolved.
- Ensure that Cloud infrastructure, platform and software service providers understand the importance of trust and create solutions that can be trusted.
- Provide ongoing assurance that information and information systems can be trusted.
ISACA's Guiding Principles for Cloud Computing Adoption and Use is available as a free download.