10/11/2011

Matt Lovell, CTO, Lumison

Organisations of all shapes and sizes are entering into deals with cloud providers to benefit from the highly publicised cost savings and operational advantages that a virtualised environment can provide. As business leaders drive IT departments to push critical business applications and data into the cloud, very real security concerns exist and can’t be ignored if operations are to run without a hitch.

Literature detailing what businesses need to know before moving their resources into the cloud is plentiful. But once organisations have made the leap, IT staff and risk managers should continue to work with their cloud providers to maintain a robust service.

Organisations need to consider every aspect of the virtualisation process including the business criticality of resources to be moved onto a cloud platform, and how service will be recovered should a component fail. Risk managers also need to bear in mind the peak load capacity of data in the cloud, so that sudden bursts of information can be accommodated. Should capacity be stretched too far, the service should be set up so that it can be transferred to an alternative provider without delay.

Additionally, with compliance concerns and legislative requirements being a major factor for businesses choosing to move to the cloud, it is vital that rigour is applied to ensure that data integrity and security are maintained. This is particularly true where the cloud is used as an active platform for data that is moved, copied or stored in multiple locations.

To ensure a seamless, risk-free experience there are a number of measures that risk managers should take:

Form a checklist of resources
Form a checklist, prioritise the workloads, forecast the capacity requirements and select appropriate service providers to support your goals. Ensure the separation of business service levels and outcomes are closely aligned to what the business has purchased. It will require a cultural change to your business in terms of forecasting discipline, and monitoring and managing the end outcome. After all, the infrastructure is not yours anymore.

Monitor network connectivity
Your dependency on connectivity to centralised resources and transmission of data increases significantly, so it is important to monitor and manage the performance of the network; capacity, performance and service levels should be closely observed. Understand that if connectivity were to fail, so would your ability to access data and applications that are vital to running the business.

Maintain relationships
Forge a strong relationship with connectivity providers to avoid disruption to services and improve speed of incident resolution should things go wrong. Cloud providers can help by collating different service providers together into a single outcome and managing agreed service levels.

Ask the right questions
Ask about your cloud provider’s infrastructure setup, road map, service assurances, service management and incident resolution times. Demand that faults are made visible as soon as possible. Ask for assurance that when data is duplicated and moved, data security and compliance requirements are managed and audited. Also ask for customer references. If a supplier does not have these readily available, then questions should be asked.

Always have a plan B
To control the outcome, emphasis should be placed on careful and close management of all the suppliers involved in delivering the service (e.g., those providing the business applications), not just your cloud provider. Ensure that all suppliers support open standards, so that should services or solutions need to be moved, this can be done quickly, effectively and in a controlled manner.

Make sure each has clear roles and responsibilities and you have scoped out how they are going to integrate with one another.

Continually review
There should be continual review of the components which make up both the packaged and non-packaged cloud offerings to ensure the changing needs of the business are met.

Virtualisation has fundamentally challenged the traditional principles for managing the risk associated with IT. It continues to open up new possibilities in terms of replicating and generating fault tolerance and service availability across multi-locations without the need for significant capital investments and projects. Likewise, the approach and attitude to managing risk must also adapt.
