A CIO or other C-level executive should be involved in the relationship with the cloud broker in order to forge the strategic alignment necessary to derive value from the broker by driving and directing the consumption of cloud services, explains Gordon. "You can find real world practical examples of success with cloud brokers in the Government sector at the Federal and State levels. The state of Texas has been using a cloud brokerage model since 2011, as have many Federal agencies," Gordon adds.
Preparing to leave: Contract language, cloud portability
"For organizations that do not have the resources to employ a cloud broker, the Cloud Security Alliance recommends that enterprises address the issue of discontinuation of service in the contract language," says Howie. Contract clauses and provisions should ensure sufficient notice of termination of service and tools and assistance in moving data out of the cloud in a timely manner and in a format that enables the enterprise to use the data in another service, Howie explains.
According to Howie, cloud contract language can require many assurances including that the provider set aside money in an escrow account for third-party assistance in extracting the data. These agreements can also establish that storage and processing equipment must be accessible by the enterprise customer in case of business failure. The language can further include references to third-party warranties or insurance. Finally, Howie closes, the contract can compel the provider to disclose its financial situation on a quarterly basis with an option for the enterprise customer to break its contract if the financials show the provider is in trouble.
But contract language will not be enough to mitigate the risk of using a private company or start-up cloud provider. Enterprises will have to weigh carefully whether they can justify the risk that such a company may suddenly stop offering the service. "Enterprises should always have an exit strategy in place as part of a business continuity management plan," says Howie.
Domain 6 of the Cloud Security Alliance's Security Guidance for Critical Areas of Focus in Cloud Computing V3 includes recommendations that enterprises consider a scenario for how they will move data out of the cloud provider's service. "In section 6.2, An Introduction to Portability, we say portability is a key aspect to consider when selecting cloud providers. We specifically mention disaster recovery," says Howie.
The business failure of a cloud provider is a business disaster and something that an enterprise's business continuity management planning should cover. "Sections 6.3.2, Portability Recommendations and 6.3.3, Recommendations for Different Cloud Models provide specific, concrete guidance and high-level considerations," says Howie, speaking of the Cloud Security Alliance's aforementioned Security Guidance.
In Section 6.3.2, the Cloud Security Alliance's Security Guidance recommends that enterprises be aware of the differing service and platform dependencies of different cloud architectures. When an enterprise's applications and data are tied to and entangled in the dependencies of one platform, moving to a provider that uses a different architecture can present technical challenges.