Old World Risk Practice Stays True for Cloud

Using the cloud to improve business agility is de rigueur but how can IT become more agile without sacrificing the information assurance holy trinity of confidentiality, integrity and availability?

My answer to this perceived quandary is based on the oldest risk management principle of all – one of ‘don't keep all your eggs in one basket’, or more accurately, having two cloud vendors is better than having just one.

This question seems to have been at the root of a recent V3 Agile Business Roundtable.

Moving large workloads and services to the cloud is a major part of most agile business strategies but participants across a wide range of industries shared concerns about the security, reliability and adoption path to cloud computing. BSkyB enterprise architect Trevor Hackett also made the point that “When using a cloud service provider you have a vested interest in the company as if they go bust you face disaster.”

Before trusting sensitive assets to a cloud service provider, decision makers within an organization need a sound basis on which to evaluate the merits of a service offering. This should include an assessment of each Cloud Service Provider’s (CSP’s) service level agreement (SLA) terms, operational framework, architectural model, organizational history, stature within the industry, and the assurances granted to customers.

We have said many times before; reputable cloud service providers will be only too happy to help you understand how they serve and protect you and your data, and the importance of your own due diligence prior to purchase.

Office 365 adoption is a great example of the opportunity to improve agility and reduced cost of ownership with cloud services. But often CIOs don’t want to run the risk of critical business systems like core email services being outside of their immediate control. Email users have zero tolerance for downtime, and demand their connectivity be restored as quickly and painlessly as possible.

With on-premises Exchange, IT managers have choices about how they deal with planned or unplanned outages, and often put in place full disaster recovery and high availability solutions on-site. But with Office 365 that option no longer exists, and for many organizations, the fact that Office 365 is a single point of failure for such a mission critical service is a major concern, and a common roadblock for cloud migration.

But moving to the cloud doesn't mean you should do away with a multi-vendor, multi-layered security strategy. A blended-cloud approach allows businesses to distribute important data between multiple vendors. It's a truism to say all clouds have outages, we must accept that fact, this strategy offers recovery options and alternative ways to continue communicating if the primary cloud provider isn't available. This exercise in risk management also supports smarter procurement by reducing the possibility of vendor lock-in. In short, you would be replicating the multi-point business continuity strategy you’ve built on the LAN, but in the cloud—a concept often overlooked during a cloud migration.

So in the end, a pragmatic approach to risk management on-premises and in the cloud will allow businesses to avoid the greatest risk of all – inaction and stagnation in increasingly agile business practices.