Outsourcing to the public cloud covers general objectives and the establishment of outsourcing management with organizational structures and responsibilities. Any company that benefits from the use of a public cloud should first think about a strategy for outsourcing projects. The outsourcing strategy describes how an outsourcing project is to be integrated into the overall strategy, especially the risk strategy. A strategy for outsourcing to the public cloud requires organizational structures and responsibilities, a definition of acceptable risk, and the development of fallback strategies.
Introduction to Outsourcing to Public Cloud
When setting the strategy for outsourcing to the public cloud, it must be clarified which functions should not be outsourced to a public cloud (due to legal requirements, excessive risks or other reasons). Furthermore, outsourcing management must be integrated into the management system of the company. As a minimum requirement, no function may be outsourced to a public cloud without security concepts, SLAs and contracts with defined, measurable benefits. It is essential to implement an outsourcing process.
Outsourcing to Public Cloud : How You Should Proceed
First, different alternatives for meeting the cloud computing needs are developed at a rough level and an initial "security analysis" is undertaken. Distinguishing features of the alternatives include the locations of the data centers, options for limiting the public cloud to certain regions, control options for the data flow, and the offered service level (Software as a Service, Platform as a Service or Infrastructure as a Service). The alternatives for outsourcing to the public cloud are examined from a security perspective and subjected to risk analysis. In addition, it is determined which laws (in particular data protection laws) and organizational requirements apply to the various alternatives. All of this information is recorded as "security requirements". Then it is decided which alternatives can be considered at all. For these alternatives a performance catalog is created, which describes in detail the outsourcing and all required services, including all security requirements. The offers of the providers can be evaluated on the basis of this performance catalog. Deficits of the providers that were not yet included in the security analysis can be identified. In addition, a due diligence examination of the provider can be performed. After a decision is made, a list of alternative providers is needed.
The aim is to agree contracts and/or service level agreements (SLAs) with complete and verifiable specifications that ensure quality and information security in the public cloud. The following points require particular attention when drafting contracts:
- Granting audit rights: In general, the provider will not want to give its customers audit rights for its data center. On the one hand, this would be too costly for the provider; on the other hand, the level of security would decline if many external auditors acting for the customers inspected the data centers. It therefore makes sense to seek audit rights for documents, descriptions and protocols in order to verify the correct flow of processes. In addition, certifications may be required to ensure a minimum standard for information security (such as ISO 27001 certification). Defining measurable indicators for confidentiality and integrity protection as goals is not an easy task. Meaningful indicators for availability and performance are to be stated by the provider.
- Interface definition: The interfaces for security monitoring and incident handling are particularly important for the correct operation of the outsourced function. This process must be defined with clear responsibilities and with escalation and communication paths between customer and provider.
- Arrangements for the termination of cloud services: Arrangements for terminating the public cloud services must also be taken into consideration. In particular, it must be regulated which data are transferred and that the deleted data cannot be restored.
Migration After conclusion
Now the gradual, planned outsourcing of the function begins. Part of the planning is the creation of security concepts that cover the migration as well as the operation and the termination of the outsourcing. These concepts are based on the results of the risk analysis and the selection process of the planning stage. The implementation and testing of the outsourcing to the cloud are carried out in accordance with the established security policies.
During the operational phase, the outsourced functions are operated by the provider in accordance with the contract and the security concepts. It is important to have a working security monitoring system to identify any deviations from the required security level quickly. Security monitoring also serves to demonstrate fulfillment of the contracted services and to improve them continuously.
Termination of the Outsourcing
With this step, a controlled termination of cloud services is performed. The termination, too, must be carried out in accordance with the contractual provisions. In particular, the provider must demonstrably erase the data on its systems so that it cannot be restored even with sophisticated methods and technologies. This includes not only data of the business process, but also operational data such as log data from systems and applications. Outsourcing to the public cloud can be a difficult phase for most medium-sized companies.