When a business acquires a cloud service, its first line of risk defense is the cloud contract's service-level agreement – and rightly so, as a strong cloud SLA will become increasingly vital to business operations in coming years.
Fifty-five percent of CIOs believe they will cloud source all of their critical applications and operations by 2020, according to a recent survey by Stamford, Conn.-based consultancy Gartner Inc. That will have major implications in many business areas, and force IT to manage the risks associated with cloud SLAs.
"The reason we want to buy into cloud computing is because it's flexible, it's scalable, it's on demand, it's less expensive," said Gartner Research vice president Jay Heiser at the Gartner Security and Risk Management Summit in National Harbor, Md., in June. "How is that provisioned? By having access to appropriate levels of processing and storage when they are needed and as available."
Heiser was part of a presentation on cloud service provider risk management during the Gartner Summit. Despite the growing business criticality of certain cloud applications, the presenters said they have seen numerous cloud contracts that omit serious considerations, such as performance service-level guarantees.
Gartner researchers suggested that businesses develop a unique framework outlining how the company manages cloud services, as well as how the business governs the contracts and business relationships with cloud vendors. For example, a company needs to determine where its biggest data risks lie when moving operations to the cloud, and take these risks into consideration when developing the cloud SLA.
"Just like you do a business impact assessment to rank the most business critical processes so that you spend the right money on recovery, we recommend you seek a framework for your [cloud] contracts," Heiser said.
There are several factors a company must consider when developing cloud SLAs. Specific questions to ask the cloud provider include the following:
- When and how much planned downtime is expected by the cloud provider?
- How does the provider measure service availability, and what is the maximum number of service outages allowed during a specific time period?
- What is the support/mean time to restore service in case of an outage?
- What are the communications procedures and mechanisms between the provider and the customer?
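The availability, outage-count and time-to-restore questions above only have teeth if the customer can check the provider's numbers against its own records. The following is an added example, not code from the article or from Gartner, that scores one month of constructed outage records against hypothetical SLA terms (the `SlaTerms` fields, the log format and the sample dates are all assumptions): planned maintenance is excluded, unplanned downtime is clipped to the measurement period, and each breached term is reported so the customer knows which penalty clause to invoke.

```python
"""Check a month of (constructed) outage records against cloud SLA terms."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Outage:
    start: datetime
    end: datetime
    planned: bool  # planned maintenance is normally excluded from the availability figure


@dataclass
class SlaTerms:
    """Hypothetical SLA terms; the real numbers come from the contract."""
    availability_target: float   # fraction of the period, e.g. 0.999 for "three nines"
    max_outages_per_period: int  # unplanned outages tolerated in the measurement period
    max_restore_minutes: float   # ceiling on mean time to restore service


# Constructed outage log (ISO start, ISO end, planned|unplanned); not real provider data.
SAMPLE_LOG = """\
2013-01-06T01:00 2013-01-06T05:00 planned
2013-01-14T09:10 2013-01-14T09:40 unplanned
2013-01-27T16:00 2013-01-27T16:50 unplanned
"""


def parse_outages(text):
    """Parse the simple three-column log above into Outage records."""
    outages = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, kind = line.split()
        outages.append(Outage(datetime.fromisoformat(start),
                              datetime.fromisoformat(end),
                              kind == "planned"))
    return outages


def evaluate_sla(outages, terms, period_start, period_end):
    """Measure availability, outage count and mean restore time; list breached terms."""
    period_s = (period_end - period_start).total_seconds()
    # Only unplanned outages that overlap the period count against the provider.
    unplanned = [o for o in outages
                 if not o.planned and o.end > period_start and o.start < period_end]
    # Downtime is clipped to the period so an outage spanning a boundary is not double-counted.
    downtime_s = sum((min(o.end, period_end) - max(o.start, period_start)).total_seconds()
                     for o in unplanned)
    availability = 1.0 - downtime_s / period_s
    restore_minutes = [(o.end - o.start).total_seconds() / 60 for o in unplanned]
    mean_restore = sum(restore_minutes) / len(restore_minutes) if restore_minutes else 0.0
    breaches = []
    if availability < terms.availability_target:
        breaches.append("availability")
    if len(unplanned) > terms.max_outages_per_period:
        breaches.append("outage_count")
    if mean_restore > terms.max_restore_minutes:
        breaches.append("restore_time")
    return {"availability": availability,
            "unplanned_outages": len(unplanned),
            "mean_restore_minutes": mean_restore,
            "breaches": breaches}


def sample_report():
    """Score the constructed January 2013 log against assumed terms."""
    terms = SlaTerms(availability_target=0.999, max_outages_per_period=3, max_restore_minutes=60)
    return evaluate_sla(parse_outages(SAMPLE_LOG), terms,
                        datetime(2013, 1, 1), datetime(2013, 2, 1))


if __name__ == "__main__":
    print(sample_report())
```

With 80 minutes of unplanned downtime in a 31-day month the service comes in at about 99.82%, under a 99.9% target, even though the outage count and mean restore time are within bounds; that is exactly the kind of discrepancy a customer should be able to raise against the provider's own reported service level.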
Perhaps most important is determining exactly who is responsible for what when data is being stored in the cloud.
"It really gets down to how you are going to define shared responsibility for triage," said Gartner Research vice president John Morency. "When something breaks, when an inquiry tanks, when something aborts, what are the steps that have to be done by the IT operations team? What steps have to be taken by the provider?"
In addition to determining details of the triage process, enterprise cloud customers need to ensure that the overall service level is consistent with what's been reported in the contract. For the cloud SLAs to truly steer the behavior of the service provider, they must be accompanied by financial penalties that will provide an economic incentive to meet contract stipulations, summit presenters said.
The provider's data protection and recovery capability is critical as well. How long will it take for the provider to recover data if it's corrupted or lost? Can it be recovered with integrity? These are important questions that must be delineated in the cloud SLA.
"I don't think the data protection issue gets the attention it deserves -- it's assumed as a given, but that may not be the case," Morency said.
The relatively nascent state of the cloud market contributes to the importance of disaster recovery and business continuity in cloud SLAs. Vendor viability needs to be taken into consideration, as do clear steps that outline what will happen if the vendor goes out of business.
These business continuity and recovery plans will be especially important if the cloud service is key to business operations, said Donna Scott, a Gartner vice president and analyst.
"If [data stored in the cloud] is really mission-critical, you are going to want contingency plans on how you are going to move from where you are at to somewhere else, very quickly," Scott said.
Overall, companies should seek "predictable and sustainable" management of cloud applications when developing an SLA, Gartner presenters said. The cloud SLA should ensure that data recovery and other service levels are consistent to reduce risk.
This consistency can be an obstacle when developing a cloud SLA, especially as cloud technology continues to evolve. As a result, businesses will have to actively monitor the agreement and make adjustments accordingly.
"All cloud providers want to expand and grow business rapidly -- service levels could change rapidly during these expansions," Morency said.