The promise of improved agility and lower costs is leading organizations to consider broad adoption of cloud computing. But a majority of CIOs and CISOs see significant risk in the deployment of the different cloud computing services. Security for mission-critical applications such as Oracle EBS, JD Edwards, SAP or any custom-built on-premises application also becomes paramount: IT decision makers will not want to take any risks in a cloud migration that might disrupt the critical business processes running on these applications.
The cloud migration risk checklist below can be used to evaluate whether a project is suitable for a cloud computing environment and to understand vendor capabilities and security provisions.
Cloud Migration Risk Categories
1. Data Evaluation Risks
- Loss or temporary unavailability of the data or application (data classification)
- We will not be adversely impacted if:
  - The data became public and was distributed
  - The process or function were manipulated by an outsider
  - An employee of the cloud provider accessed the data
  - The data suddenly changed
2. Data Protection Risks
- The vendor does not have:
  - Comprehensive policies and procedures for data backup
  - Documented procedures for exporting data from the cloud
  - Interoperable export formats for data stored in the cloud
- We have a challenge:
  - With the vendor not using a compartmentalization technique
  - With more than one data owner deciding access controls
  - With more than one data owner deciding data retention and destruction schedules
- Data is not commingled with other customers’ data while in use or storage
- We will always know the geographical location of data storage, and will be consulted before the vendor decides to move our data outside national borders
- The vendor's data retention and destruction policy matches the organizational policy
- The data encryption process (in storage and in transit) is satisfactory: what is the key management system (individual keys for individual members)?
- Does the vendor have a response system in place if customers lose their passwords or are unable to keep their passwords secure?
- The vendor meets all the regulatory requirements associated with the data we will process or store in the cloud
- The vendor has certified host and network controls to protect the systems hosting our applications and information (ISO 27001)
3. Cloud Migration Vendor Assessment Risks
- The cloud vendor's SLAs do not match our internal SLAs, and the vendor has neither a track record of performance against SLAs nor resources for performance monitoring
- The vendor does not have clear, available channels for communication regarding service and performance issues
- The vendor does not provide migration support or have enough trained partners for migration
- The vendor's security governance processes and capabilities are not sufficient, mature and consistent with our information security management process
- The vendor is likely to be unstable in a highly competitive and recessionary market
- The vendor will not be able to compensate our organization appropriately for performance shortfalls
- The vendor has not clearly defined the security-related services that are outsourced or subcontracted
- The vendor does not periodically audit its outsourcers and subcontractors
- The SLA provisions guaranteed by outsourcers are not on par with those of the primary vendor
- Measures taken by the vendor to ensure third-party service levels are not satisfactory
- The vendor does not have a sound change control procedure and policy
- The vendor does not have a process used to re-assess risks as a result of changes
- The vendor has no effective controls to protect against malicious code
- The vendor has no security configurations that allow only authorized code and functionality to execute
- The vendor does not provide details on audit logs (integrity, data retention period, confidentiality, etc.)
- The vendor does not give an estimate of space availability to avoid issues with resource exhaustion
- The vendor does not offer periodic disaster recovery and business continuity plans
- The vendor does not have a long-term business plan or the commitment of its financial backers
- The cloud vendor has neither a track record of performance against SLAs nor resources for performance monitoring