Cloud control: managing the risks of engaging and terminating cloud services.

Author: Boyd, Brian Y.

According to a recent survey of Harvard Business Review readers in large and midsize organizations, 70% said their organizations had adopted cloud computing. Of these, 74% said it provides a competitive advantage. This potential for cost savings and increased business efficiencies helps explain why cloud use is expected to continue its rapid growth. But there are risks associated with cloud use, and they can be summed up in a single word: control.

When an organization utilizes a cloud service, it gives up a measure of control over the security, availability, and quality of the data or service it entrusts to the cloud service provider (CSP), but it remains responsible for the data. When the relationship with a CSP ends, regaining that control can be challenging. Therefore, before an organization engages with a CSP, it should go through the process of gathering requirements, performing due diligence on the prospective CSP, and contractually protecting its expectations and interests.

Classifying Cloud Solutions

First, while the phrase "cloud computing" has burst into the lexicon, its meaning remains as nebulous as clouds themselves. The cloud has spawned "public," "private," and "hybrid" clouds, among others. And from the cloud comes a litany of "as-a-service" offerings, including software as a service (SaaS), platform as a service (PaaS), infrastructure as a service (IaaS), and more.

The catchphrases themselves are unimportant, but the conceptual distinctions are important to any organization moving into the cloud. Options range from a blank slate of hardware infrastructure in the cloud that is dedicated to a single business client (IaaS in a private cloud), to niche cloud-based software that serves a narrow function for anyone who purchases the service (SaaS in a public cloud), and many variations in between. In short, not all clouds are alike, and not all cloud services are alike.

Rarely will an organization have all its technological needs satisfied by a single CSP; usually some IT functions and data will be kept in house. So, an organization first must have a clear understanding of its goals in moving some part of its business to the cloud. For what business process or information will the cloud be used? Is cost savings the motivation for leveraging the cloud, or is it the promise of improved data access and transparency, faster system performance, redundancy, or something else? These questions should guide an organization as it progresses through the request for proposal, due diligence, and contract negotiation processes.

Gathering Cloud Solution Requirements

The most common business use for the cloud is simple data storage because the cloud offers space that is low cost, easy to access, and almost infinitely scalable. In other cases, an organization may choose the cloud to gain access to the CSP's powerful data analytic tools, or to run algorithms to define market segments, or to identify emerging product or service demands.

However simple or sophisticated the need might be, the focus should first be on what requirements apply to the data that will be shared with the CSP. This includes data the CSP will store, data the CSP will have access to, and, in some cases, data the CSP will generate itself.

Determine Privacy, Security Requirements

Many data security and privacy laws and regulations apply to businesses, based not only on their industry, but also on the nature of the data at issue and how that data is acquired. For example, personally identifiable information (PII) in the form of 1) medical, 2) credit, or 3) employee records can each implicate different legal requirements.

Some privacy requirements apply to particular industries, such as the Gramm-Leach-Bliley Act (financial), the Health Insurance Portability and Accountability Act (HIPAA), and the Defense Federal Acquisition Regulation...
