In the last blog (Blog 2 in the series), we explored the first four elements of the Cloud Readiness Domain Model. This blog will explore the last four pieces of the Cloud Readiness Domain Model.
Cloud Security Readiness
Cloud security readiness focuses on the various policy and guidance, security controls and enforcement/oversight and assurance processes, security architecture and overall Cloud security readiness that exists.
The following types of Cloud Security Readiness questions help explore this readiness domain:
- Overall Security posture and process as defined by CISO and Chief Security Architect(s)
- Security strategy, principles, polices and guidance are defined
- Security architecture developed and used to guide implementations
- Physical security for data centers
- Security governance, compliance and risk controls defined
- Data security and privacy controls in force
- Is your enterprise security infrastructure ready for Cloud computing?
- Do you have security incident response plans developed?
- Do you have policy and technologies for Identify and Access Management (IAM) capabilities?
Security readiness, while tightly coupled with the Information Technology (IT) readiness and Governance, Compliance and Risk readiness, touches nearly all of the Cloud Readiness domains due to its criticality in ensuring a security posture that protects the enterprise from security challenges.
Governance, Procurement and Legal Readiness
The Governance, procurement and legal readiness needs are very important in support of a Cloud transformation. Collectively, these provide the oversight and ability to onboard new Cloud Service providers and vendors to provide necessary capabilities that underpin the Cloud strategy.
The following types of questions will help capture the organization’s readiness in these three areas:
Governance, Compliance and Risk:
- Have all the aspects of Cloud governance and policy been considered across the Cloud governance lifecycle?
- How will IT governance address Cloud computing across the IT value chain?
- Self-service to Cloud resources within pre-defined purchasing and consumption limits?
- What are the compliance issues that pertain to Cloud, e.g. data security and privacy (PII), regulatory compliance issues, global compliance requirements for storing data?
- What other regulatory requirements may be impacted by Cloud computing?
- What are the risks associated with Cloud computing for your enterprise, and do you have a risk framework to identify and mitigate risks?
- Are all audit requirements understood relative to Cloud computing, e.g. data storage in various regions and location, cloud security policies, data privacy and PII, HIPAA, PCI and others?
The governance, compliance and risk requirements of Cloud computing are significant areas to address, and often become major hurdles unless the compliance and risk stakeholders are engaged early and involved in ensuring the Cloud computing initiative will meet the policy, oversight and audit requirements of the organization.
- Are SLAs defined to support contract negotiations and performance monitoring of service levels per the contractual obligations?
- Are contract templates developed specific to Cloud service providers and all Cloud services, e.g. SaaS, PaaS, IaaS, IoTaaS, et al?
- Purchasing limits, pre-arranged self-service limits
- Are procurement professionals trained on Cloud computing?
- Are vendor management and provider relationship management processes in place to manage the ongoing relationships with various Cloud providers?
- Do you have an approach for CSP vendor due diligence?
- Have you planned for the termination (end of term or abnormal) of services, and retrieving your data (See Data Ownership)
- Have you considered migrating your data and workloads to other Cloud providers?
The procurement requirements for Cloud computing readiness are very important ones. The connection of procurement processes to governance, compliance and risk, as well as with legal, is very close. Procurement processes will only succeed if procurement readiness is in alignment with governance and legal readiness.
- Are the appropriate data protection measures included in the contract and SLA?
- Is data encryption for data in motion and at rest called out?
- Do you have the right to audit security procedures and data centers and/or relevant facilities?
- Will you be notified immediately of any security breach?
- Can you ensure the ability of an outside auditor to assess controls and procedures for storing, handling, and transmitting data?
- Have data ownership issues been specified, such that all data are owned by the client and contain a provision that, at the termination of the contract, the provider should agree to deliver a copy of client data and permanently destroy all copies of the data in its possession?
- Have limit of liability provisions been considered?
- Have Force Majeure or “acts of god” been considered? For example, your Cloud contract might only allow a force majeure clause to apply if the provider is in compliance with its backup obligations.
- How will you be compensated for interruptions of specified durations, including a right to terminate the contract for long outages?
- Does the physical security of its datacenters meet your legal, regulatory and business needs?
- Are its business continuity and disaster recovery plans consistent with your business needs?
- Does the provider offer any indemnification?
The legal readiness for Cloud computing is necessary to help ensure that the contractual obligations for both the providers and the enterprise can be defined, negotiated and monitored for compliance. The legal readiness must work in lockstep with governance and procurement readiness, as these are all the gatekeepers for ensuring the success of Cloud computing, as well as the ability to address any performance or legal issues that may arise. While these are not that prevalent, they must be planned for.
A key facet of Cloud readiness is the analysis of your legacy application portfolio to determine the appropriate candidate workloads to move to the Cloud. This analysis is an essential component of a Cloud computing strategy and roadmap, and provides the basis for the cost and benefit analysis, payback period and other business case metrics for Cloud computing.
The following questions are typically asked in the Portfolio Readiness domain assessment:
- Have you completed an application portfolio inventory?
- Have you confirmed its accuracy?
- Has the application portfolio analysis been completed and preliminary Cloud migration decisions been made, e.g.:
- Move immediately to Cloud
- Move to Cloud with some work, e.g. virtualization, patching/upgrades
- Move to Cloud after replatforming, refactoring, microservices enablement, rehosting et al
- Has the Cloud migration plan been completed?
- Have you completed the analysis of costs, resources and estimates for Cloud migration?
- Do you have a Cost-Benefit-Payback model for Cloud migration execution?
- Have you completed a Risk analysis for Cloud migration?
- Have key business and IT stakeholders been involved in the decision-making process?
The portfolio readiness dimension of the 360 Cloud Readiness model is essential for realizing the value and benefits of Cloud computing. While many of the Cloud initiatives will be new greenfield efforts, the fact is that 70-80% of the IT budget is locked into keep the lights on (KLO) for existing operational systems, or the legacy portfolio. Migrating a subset of the legacy portfolio to the Cloud will enable a consolidation and streamlining of the IT support for these applications, which will then allow the organization to deal with the more complex and dependency-ridden legacy applications that will require more analysis and effort to replatform, refactor or microservice-enable.
Establishing the Cloud Ecosystem
Before transitioning to the Cloud deployment and migration activities, you must establish the Cloud Ecosystem. The Cloud Ecosystem consists of the organization, personnel, processes and enabling technologies that, once implemented, collectively create the environment that enables Cloud consumers to find and consume a variety of Cloud services, provided by internal or external Cloud service providers (CSPs), via a self-service portal. The Cloud Ecosystem creates the overall environment whereby Cloud computing value can be realized through the access to, provision of, and consumption of Cloud services.
If you are deploying a hybrid multi-cloud environment, you must implement the necessary Cloud management and enablement tools and capabilities, such as a Cloud portal, a Cloud service catalog, Cloud management and full-stack monitoring tools, Cloud pricing and bill of material comparisons, and more. Of course, you must have completed the Cloud Service Provider (CSP) negotiations and contracts, and be ready to begin consuming cloud services and migrating workloads to the target Cloud environment. All of these activities are essential to have a Cloud ecosystem ready to support the interactions of Cloud consumers (internal business and IT consumers) and Cloud providers (internal IT resources and external CSPs).
In the next blog, we will describe the Cloud Readiness engagement model and process flow, and describe the activities, deliverables and benefits of the Cloud Readiness Framework.
About Cloud Spectator
Cloud Spectator is a cloud benchmarking and consulting agency focused on cloud Infrastructure-as-a-Service (IaaS). The company actively monitors several of the largest IaaS providers in the world, comparing VM performance (i.e., CPU, RAM, disk, internal network, and workloads) and pricing to achieve transparency in the cloud market. The company helps cloud providers understand their market position and helps businesses make intelligent decisions related to cloud strategy, cloud readiness, cost reduction and vendor analysis. The firm was founded in early 2011 and is located in Boston, MA.
For questions about this report, to request a custom report, or if you have general inquiries about our products and services, please contact Cloud Spectator (www.cloudspectator.com) at +1 (617) 300-0711 or [email protected].