What risk does this present to you or the organization? How can you address these risks with a view to understanding the risk posture? The following questions should form the basis for understanding the exposure (prior to any services engagement):
- Is the provider an established technology provider?
- Is this cloud service a core business of the provider?
- Where is the provider located?
- Is the company financially stable?
- Is the company subject to any takeover bids or significant sales of business units?
- Is the company outsourcing any aspect of the service to a third party?
- Are there contingencies where key third-party dependencies are concerned?
- Does the company conform to, or is it certified against, relevant security and professional standards/frameworks?
- How will the provider satisfy relevant regulatory, legal, and other compliance requirements?
- How will the provider ensure the ongoing confidentiality, integrity, and availability of your information assets if placed in the cloud environment (where relevant)?
- Are adequate business continuity/disaster recovery processes in place?
- Are reports or statistics available from any recent events or incidents affecting cloud services availability?
- Is interoperability a key component to facilitate ease of transition or movement between cloud providers?
The above queries should directly influence your decisions about cloud services and cloud service providers. Additionally, effort spent determining the requirements upfront will directly reduce the effort of defining and selecting the appropriate cloud providers, shorten negotiation time(s), and help ensure that the required security controls are in place to meet the organization’s needs.