Identifying and involving the relevant stakeholders from the commencement of any cloud computing discussions is of the utmost importance.
Failure to do so can lead to segregation or a fractured approach to cloud decision making, as well as non-standardization across the organization in how cloud services are procured, reviewed, managed, and maintained.
To objectively assess within what areas of the business it may be appropriate to utilize cloud-based services, it is a key requirement to have visibility on what services are currently provided, how these are delivered, and on what platforms, systems, architectures, and inter-dependencies they are operating.
The determination of the key stakeholders should form the blueprint to identify potential impacts on current services, operations, and delivery models.
Note that where a business impact analysis (BIA) or related continuity and recovery plans exist, these should typically list or capture the technical components, related inter-dependencies, and order of restoration.
Depending on who is acting as the lead or primary driver behind potential cloud computing services, an understanding of the current state and potential or desired future state is required.
Once the information is collated, you need to consider the impact on the service, people, cost, infrastructure, and stakeholders.
Stakeholders in cloud computing and its challenges
This phase has several key challenges:
- Defining the enterprise architecture, which can be a sizeable task if it’s not currently in place
- Independently and objectively viewing potential options and solutions, where individuals may be conflicted due to roles or functions
- Objectively selecting the appropriate service and provider
- Engaging with the users and IT personnel who will be impacted, particularly if their job is being altered or removed
- Identifying direct and indirect costs, such as training, upskilling, reallocating, new tasks, and responsibilities
- Extending risk management and enterprise risk management
The following are the key challenges faced in this phase:
- Define audit requirements and extension of additional audit activities.
- Verify that all regulatory and legal obligations will be satisfied as part of the nondisclosure agreement (NDA) or contract.
- Establish reporting and communication lines both internal to the organization and for CSPs.
- Ensure that where operational procedures and processes are changed due to the use of cloud services, all documentation and evidence are updated accordingly.
- Ensure that all business continuity, incident management and response, and disaster recovery plans (DRPs) are updated to reflect changes and inter-dependencies.
Because these components may be handled by several individuals or teams across the organization, there needs to be a genuine desire to effect changes.
Although many reference the finance departments as key supporters of cloud computing for the countless financial benefits, the operational, strategic, and enablement capabilities of the cloud can easily surpass and trump the financial savings if they are reviewed and communicated accordingly.
Communication and coordination with business units should include each of these areas:
- Information security
- Vendor management
- Data protection and privacy
- The executive committee and directors
The levels of interest and appetite will vary significantly depending on the individuals and their roles, but given cloud computing’s rising popularity and emergence as an established technology offering, it will continue to attract the discussion and thoughts of many executives and business professionals.
Specialized Compliance Requirements for Highly Regulated Industries
Organizations operating within highly regulated industries must be cognizant of any specific industry regulatory requirements (for example, HIPAA for healthcare, PCI for finance, and FedRAMP for the U.S. government).
Although risk management in a cloud computing environment is a joint provider and customer activity, full accountability remains with the customer.
Organizations need to consider current requirements, their current level of compliance, and any geographic- or jurisdiction-specific restrictions that will make leveraging true cloud scale difficult.