When you begin the planning phases of a cloud implementation, it is critical that you begin the discussion with your business/mission users and leaders and ensure that they are part of the process from project initiation.
There are unique risks that present themselves as part of a cloud implementation, and you must ensure that your business organizations are willing to accept these risks. These risks include:
- Unauthorized access to organizational data:
  - Modern cloud service providers do an excellent job at operations and have developed an excellent arsenal of information security tools.
  - However, there is a risk that a cloud service provider will be attacked either over the internet or through employee collusion because of the sheer volume of intellectual property they contain.
- CSP information security risks:
  - There is an inherent trust that you place in the cloud provider when you entrust them with your organizational assets.
  - Any information security risk that the cloud service provider has immediately becomes your information security risk as soon as you transition operations to the vendor.
- Organizational legal and compliance risks:
  - Does your organization have any specific legal and compliance requirements that make it difficult or impossible for you to use the cloud service provider?
  - Does the CSP provide you with the access and control necessary to ensure that you are meeting your organizational obligations?
- CSP management risks:
  - Your organization has no control over whether the cloud service provider pays their bills or ensures that the equipment hosting your environment is well maintained and in good working order.
  - How does the cloud service provider communicate changes such as upgrades and feature updates?
- Cloud service availability:
  - Your organization will no longer be able to plan for your information systems availability.
  - This will be fully managed by your cloud service provider. Is this acceptable to your business leaders?