Cloud Computing: Benefits and Risks Assessment

Based on the Cloud Adoption Framework and the vendor selection process with the corresponding SLAs, you can now conclude the potential benefits and risks assessment. Each risk and benefit item should be addressed as a what-if scenario with the vendor. This can be done as a second evaluation workshop with the vendors who remained after the first vendor selection workshops.

Each item below lists the risk, the corresponding benefit and the conclusion (what to assess with the vendor).

Risk: Security risk (confidentiality, integrity, accountability)
Benefit: Secure, stable and modern infrastructure and data transfer
Conclusion: Assessment needed for theft of sensitive data, loss of intellectual property, unauthorized access to customer and business data, vulnerabilities, malware attacks, data manipulation, data leaks, data transfer, security risks at the vendor and security defects in the new technology used. Are software interfaces and APIs still secure when data is exchanged via the cloud (e.g. against phishing attacks)?

Risk: Downtime
Benefit: Disaster assistance
Conclusion: Potential downtime, backup and restore services (from the cloud and to the cloud). If the internet connection fails, either at the customer or at the vendor side, data is not accessible. Data recovery can become time consuming.

Risk: Availability
Benefit: Access everywhere
Conclusion: Productivity anywhere, real-time reporting and analysis of data. Dependent on network and internet connectivity.

Risk: Wrong configuration
Benefit: Best practice architecture
Conclusion: A misconfigured cloud architecture and a lack of change control lead to significant security risk exposure. With the increasing number of stakeholders such as in-house and vendor IT staff, Identity and Access Management, policies, third-party applications, APIs and interfaces, the architecture and cloud configuration need to be properly planned.

Risk: Integration and low performance
Benefit: Scalable and elastic, flexibility and high performance
Conclusion: Agree on KPIs for application and system performance. Assess data availability risks and whether the backend systems can scale at the same speed as users enter and transfer data into the applications. Assess concurrent user scenarios when users interact more heavily with the cloud applications. Assess the required internet connections in your countries and affiliates to ensure sufficient capacity to manage the high volume and secure storage of data. Assess potential costly re-architecture efforts for adoption and integration with the new technology.

Risk: Loss of control
Benefit: Pervasive
Conclusion: Vendor business continuity and disaster recovery readiness; inability to track or troubleshoot data once it is in the cloud. When data is run on multiple remote servers in the cloud, it takes more effort to take control of these servers than when they are on premises.

Risk: Increased costs
Benefit: Cost effective
Conclusion: Find the hidden costs in cloud contracts, break them down into simple billing models, create cost estimates for running cloud workloads for both up- and down-scaling, agree on what is a resource and what is consumption to mitigate unpredictable costs, billing functions at different rates, cost thresholds and cloud storage costs. Costs for data recovery need to be considered. Be aware of any storage availability limits due to the cost bands agreed. Automate the control process to start or stop services when they are not used, to save costs.

Risk: Vendor lock-in
Benefit: Adaptive
Conclusion: Expensive exit clause when ending the SLA. Inability to set and enforce security policy in the cloud service provider's environment. Business viability of the vendor: the risk that the provider fails or goes bankrupt. Companies should check the degree of cross-vendor compatibility. For example, Google Cloud Storage (GCS) optionally offers access via an S3-compatible API, which makes it easy to switch backend storage from Amazon S3 to GCS.

Risk: On premises
Benefit: On demand and pay per use, subscription fees
Conclusion: The capital costs per user are lower and better matched to actual consumption. No hardware or software installations are required. Applying patches, upgrades, performance tuning and maintenance is the responsibility of the cloud service provider. Cloud-based IT infrastructure provides customers with rapid access to systems and applications whenever needed. However, cloud services have risks that are unique to the cloud provider's own operating environment, and other risks associated with the customer. Any data in the cloud can still be attacked from the outside.

Risk: Lack of skills
Benefit: Cloud skills
Conclusion: Storing, managing and accessing data in the cloud require a new set of skills, because your team needs to understand how different cloud service providers work. Cloud vendors differ in how they expose their technology, policies and implementation approaches. This complexity requires IT and business team members to learn new ways of working and handling information. Greater complexity (new technologies, cloud management tools, SLAs, activity split, segregation of duties, shared responsibilities) increases the risk of data breaches. Besides knowing how cloud service providers work (e.g. AWS, GCP, Alibaba), additional cloud skills required are automation (e.g. Terraform, Ansible, GitLab), hosting, connectivity, storage, networking, virtualization, Linux, database languages and systems like SQL, MySQL, MongoDB and Hadoop, Data Center Infrastructure Management cloud tools (DCIMaaS), security and disaster recovery, web services and APIs, DevOps, containers (e.g. OpenShift), programming skills (SQL, Python, XML and .NET) and open source standards (e.g. OpenStack, FINOS). Budget cuts have a negative impact on the required skills and widen gaps in the overall protection, especially when companies cut security resources. Failing to invest in the skills to set up automation across the cloud security landscape is a time bomb of undetected misconfigurations and unknown risk exposure.

Risk: Incompatibility
Benefit: Self-service
Conclusion: Self-service access is dynamically scalable and elastic, but policies and controls are essential to assist management in protecting and safeguarding systems and data. The ability to use self-service needs to ensure compatibility and a secure cloud computing environment. With the cloud giving users more access to more resources, there is a bigger risk of abuse and damage to sensitive data.

Risk: Compliance risk
Benefit: Respond to increased regulations
Conclusion: Assessment of data under regulatory and customer identity aspects, authentication systems, resource exploitation due to user error or misconfigurations, dangers and risks of data sharing. Lack of auditing. Negative impact of laws and regulations.

Risk: US Cloud Act
Benefit: Legally safe
Conclusion: Legal assessment for US-based vendors to understand the implications for data sovereignty and changes in the US Cloud Act violating European law or the related Gaia-X initiative, and vice versa. Data centers in high-risk countries suffer from local data control, trade wars and political risks.

Risk: Loss of features
Benefit: Modern, flexible
Conclusion: Maturity of technology; standardization takes precedence with the adoption of cloud applications, so there are fewer customizations. If customizations are needed and the vendor gets involved, it takes longer to develop, test and deploy. Flexibility in the offers can become limited.

Risk: Lack of tools
Benefit: Innovative
Conclusion: The tools should meet specific requirements such as performance, security, cost management, governance, automation and disaster recovery. With cloud adoption, companies deploy a wide range of security tools without aligning their cloud strategy with a comprehensive security strategy. Those tools lack full integration and create a risk between security and operations. As a result, companies that simply deploy more technology suffer the opposite effect and still lack the right tools. The network remains open to outside threats. Companies need to identify the scope and entities of coverage before deploying a new tool. The various areas of the infrastructure need to be understood, such as network, wireless, physical and virtual environments, user identities, applications, compatibility, monitoring and access controls. Avoid data leaks caused by misconfigured clouds where security teams lack appropriate automation and integration tools.
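The "wrong configuration" and "lack of tools" items above both come down to the same gap: nobody compares what is actually running against what was approved, so a misconfiguration sits undetected until it leaks data. The Python script below is an added example of such an automated check; it is not code from the original article. The bucket records, the approved baseline and the attribute names (public_access, encryption, logging, versioning, owner_tag) are constructed, provider-neutral placeholders, not any vendor's real API.

```python
"""Added example: configuration-drift and misconfiguration check for
object-storage buckets. All records below are constructed for this
illustration; the attribute model is hypothetical and provider-neutral."""

from dataclasses import dataclass
from typing import Any, Dict, List

BucketConfig = Dict[str, Any]


@dataclass(frozen=True)
class Finding:
    bucket: str
    check: str      # short rule identifier
    severity: str   # HIGH / MEDIUM / LOW
    detail: str


# Constructed sample: the change-controlled, approved configuration per bucket.
APPROVED_BASELINE: Dict[str, BucketConfig] = {
    "customer-records": {"public_access": False, "encryption": "kms",
                         "logging": True, "versioning": True, "owner_tag": "crm-team"},
    "static-website":   {"public_access": True, "encryption": "sse",
                         "logging": True, "versioning": False, "owner_tag": "web-team"},
}

# Constructed sample: what a discovery job reports as the live configuration.
# customer-records has been opened up and had its controls removed; an
# untracked export bucket has appeared outside change control.
LIVE_CONFIG: Dict[str, BucketConfig] = {
    "customer-records": {"public_access": True, "encryption": "none",
                         "logging": False, "versioning": True, "owner_tag": "crm-team"},
    "static-website":   {"public_access": True, "encryption": "sse",
                         "logging": True, "versioning": False, "owner_tag": "web-team"},
    "tmp-export-2023":  {"public_access": False, "encryption": "none",
                         "logging": False, "versioning": False, "owner_tag": ""},
}


def check_absolute_rules(name: str, cfg: BucketConfig) -> List[Finding]:
    """Rules that apply to every bucket regardless of the approved baseline."""
    findings: List[Finding] = []
    if cfg.get("encryption", "none") == "none":
        findings.append(Finding(name, "NO_ENCRYPTION", "HIGH",
                                "data at rest is not encrypted"))
    if not cfg.get("logging", False):
        findings.append(Finding(name, "NO_ACCESS_LOGGING", "MEDIUM",
                                "uploads and downloads cannot be attributed to a user"))
    if not cfg.get("owner_tag"):
        findings.append(Finding(name, "NO_OWNER", "LOW",
                                "no owner tag; orphaned resources cause hidden costs"))
    return findings


def check_change_control(live: Dict[str, BucketConfig],
                         baseline: Dict[str, BucketConfig]) -> List[Finding]:
    """Compare the discovered configuration with the approved baseline."""
    findings: List[Finding] = []
    for name, cfg in live.items():
        if name not in baseline:
            sev = "HIGH" if cfg.get("public_access") else "MEDIUM"
            findings.append(Finding(name, "UNAPPROVED_BUCKET", sev,
                                    "bucket exists without an approved change"))
            continue
        for key, approved in baseline[name].items():
            actual = cfg.get(key)
            if actual != approved:
                # Exposure changes are rated higher than other drift.
                sev = "HIGH" if key == "public_access" else "MEDIUM"
                findings.append(Finding(name, "DRIFT", sev,
                                        f"{key}: approved={approved!r} actual={actual!r}"))
    for name in baseline:
        if name not in live:
            findings.append(Finding(name, "MISSING_BUCKET", "MEDIUM",
                                    "approved bucket no longer exists; check backups"))
    return findings


def audit(live: Dict[str, BucketConfig],
          baseline: Dict[str, BucketConfig]) -> List[Finding]:
    """Run all checks and return findings sorted by severity, bucket, check."""
    findings: List[Finding] = []
    for name, cfg in live.items():
        findings.extend(check_absolute_rules(name, cfg))
    findings.extend(check_change_control(live, baseline))
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.bucket, f.check))


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, e.g. for a cost/risk dashboard."""
    counts = {"HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = audit(LIVE_CONFIG, APPROVED_BASELINE)
    for f in results:
        print(f"{f.severity:6} {f.bucket:18} {f.check:18} {f.detail}")
    print(summarize(results))
```

In practice the LIVE_CONFIG dictionary would be filled by a discovery job against the provider's API and the baseline by the change-control system, so a bucket that is opened to the public, loses its encryption or appears without an approved change surfaces as a finding instead of going unnoticed.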

A benefits and risks assessment helps to effectively mitigate the risks brought by using the cloud.  You can follow this approach to ensure nothing is forgotten before starting with the design phase.

To address information and technology goals, you need to balance business goals for stability and reliability against agility and flexibility. This means finding the right balance between cost savings, efficiency, agility, speed and time to market.

Companies need to understand that their data is now uploaded to cloud servers, and it is vital to know who uploads and downloads which data. The use of cloud storage and sharing services must be balanced against the risks these services introduce.

A final conclusion after the second vendor evaluation workshop should be done by the business decision makers and the IT managers.

How to build an unbeatable cloud team

To translate the cloud strategy into actions, you need to build a highly skilled team with key roles and stakeholders from both business and IT, not just from IT.

The program manager should be familiar with the company's enterprise architecture and is supported by the Project Management Office. The team consists of IT, functional and business unit leaders. Depending on the line of business the company operates in, the business unit leaders may vary. The minimum requirements are stated below.

Program Manager and Strategic Excellence Panel (SEP)

IT Leaders:
  • Cloud Architects
  • Application Architects
  • Cyber Security Experts
  • Infrastructure Experts
  • Operations Managers

Functional Leaders:
  • Finance
  • HR
  • Legal
  • Procurement
  • Risk Managers
  • Application key users

Business Leaders (MDs, cluster heads):
  • Head of B2C
  • Head of B2B
  • Business Line 1, 2 … n
  • Cluster / Country MDs

IT Leaders should consist of both internal IT and IT experts from the cloud service provider.

The SEP consists of the Program Manager and a member from the IT, Functional Leads and Business Leads. This is a cross-business horizontal team. The IT leaders build a vertical center of excellence with the required support from project team members, project and transition managers.

The horizontal and vertical approach ensures that the cloud strategy team includes IT, business and functional representatives. In the past, the cloud strategy was a pure IT exercise whereas today, the audience is broader.

Cloud Legal Aspects: US Cloud Act and Swiss Cloud: Solid as a bunker in the Swiss Alps?

Legal Aspects regarding US Cloud Act and Gaia-X

Companies moving their systems to the cloud have concerns about US authorities accessing their data by enforcing the US Cloud Act when they use American cloud service providers. As an alternative, European CIOs call for a European cloud infrastructure like Gaia-X.

Gaia-X is a project for the development of an efficient and competitive, secure and trustworthy data infrastructure for Europe, which is supported by representatives of the German Federal Government, business and science. The goals of the project are to maintain European data sovereignty against oligopolistic tendencies in the platform economy, to reduce dependence on international providers, to make cloud services on a broad scale more attractive through more trustworthy service offerings and to create an ecosystem for innovation so that those who drive innovation are also those who benefit economically from it.

The project objectives are to be achieved by networking existing central and decentralized infrastructures to form a system, which together form a digital ecosystem. Features of this ecosystem are the use of secure, open technologies (for example Open Source, Open Hardware), independent, uniquely identifiable network nodes, software components from a common repository, services that are generally implemented as functions and a central function directory service (for example App Store) to make the service offerings in the system transparent and securely identifiable.

The success of the Gaia-X initiative is largely viewed skeptically because it needs cooperation between government, politics and business to increase Europe’s digital sovereignty.

The power of the US cloud companies in particular arouses suspicion, because European companies fear access to their data under the US Cloud Act. Since moving to the cloud is increasing in Europe too, companies are concerned about dependencies on providers from abroad, and they fear losing control over their data due to the market power of foreign cloud platforms such as Microsoft, Oracle, Amazon/AWS, Google or Alibaba. They also see that sensitive data such as customer and employee data may not be sufficiently protected; for public administration authorities, the fear concerns citizens' data.

The US Cloud Act allows American authorities to access data in clouds of US providers – even if the data belongs to their customers and is stored outside the US.

This is a difficult situation since the cloud market is dominated by US based companies.

However, even if companies, government and politicians join forces and eventually set up a European cloud, there is no guarantee that the European Union will be able to remain digitally independent. The potential collapse of the European Union is another risk, and countries are planning for decentralized scenarios.

Swiss Clouds – solid as a bunker in the Alps?

When it comes to legal aspects of the cloud, data location, data storage and data protection have become a hot topic. Sensitive data processed in the cloud and distributed systems, as well as contract, consumer, competition and copyright law, are also affected.

This is especially the case since the US Cloud Act and the European data protection regulation (GDPR) are not compatible, and the Privacy Shield adds further complexity.

But how about Switzerland, which is not part of the European Union, where Swiss hosting and cloud providers promote their “Swissness” as a competitive advantage?

The “Swiss Hosting” label is aimed at Swiss SaaS and hosting providers and promises that there will be no data export, neither directly nor indirectly. This is relevant for cloud providers and cloud customers.

As of today, data can be exported from Switzerland to other countries when those countries have an adequate level of data protection. This is for example the case in the EU with the strict GDPR rules.

The Swiss Federal Data Protection and Information Commissioner keeps an overview of the countries with an adequate level of data protection. If a country does not meet the requirements, a contract must be drawn up between the companies involved to remedy the deficits in national legislation.

However, standard contracts containing these clauses unfortunately do not provide effective protection against access by foreign governments.

Until recently, the so called Privacy Shield of 2016, an agreement between the USA and the EU, applied to the processing of exported data. There is a parallel agreement between the USA and Switzerland. The aim of the Privacy Shield was the responsible handling of data abroad and the protection of the privacy of citizens of the EU and Switzerland.

From the beginning, however, there were considerable doubts about its effectiveness. Now the European Court of Justice has officially confirmed that the Privacy Shield is not sufficient. Although Switzerland is not in the EU, it is still expected that the Swiss version of the agreement will fall.

At the same time, the ruling says that it is still possible to do business via standard clauses. Whether the USA is interested in contracts between two private companies in this context is a matter for each individual party to decide.

The question is whether the ruling applies to data that US companies hold outside the USA.

This gap was closed in 2018 by the Cloud Act. Before its introduction, an American company could refuse to release data held by a subsidiary abroad.

The Cloud Act clearly states that every American company must release data – regardless of whose territory it is located in.

The Cloud Act stipulates that bilateral agreements with other countries are possible to restrict this right of access, however no country has ever negotiated anything like this and it also applies to data stored by subsidiaries of international corporations on Swiss territory.

For example, if the Swiss Federal Data Protection and Information Commissioner attests that India and China have insufficient protection, the standard clauses are needed and, on top of that, companies are obliged to make sure that the promised measures actually exist.

If you take the legal aspect of data export, companies are obliged, at least according to the European General Data Protection Regulation (GDPR), to have a data protection declaration stating whether data is being exported, and customers must be informed. However, explicit consent is not required.

This is where Swiss hosting jumps in. Only Swiss law applies. For customers from the European area, the GDPR, which is even stricter than Swiss law, also applies.

Countries outside of the European area are allowed to access data on an official level only to secure evidence via mutual legal assistance, and only according to the principle of dual criminality. This means that the offence must not only be punishable in the third country, but must also be a crime in Switzerland.

As a conclusion, can foreign authorities access the data?

First of all, the Swiss authorities will have access. However, the use of confiscated data does not mean that it is automatically available in a trial. A defendant can defend himself by means of various legal remedies. In addition to these legal remedies, a defendant is above all aware that access has taken place and can act accordingly. From a legal perspective, these are clear advantages, as they prevent foreign authorities from simply retrieving the data on the first attempt.

Cloud Adoption Framework

There are several steps to take and follow before operating in a cloud environment. The prerequisites consist of different evaluations and scenarios before starting with the implementation.

The cloud adoption rates have different perceptions based on functions. The lowest estimates come from the business, followed by IT and the highest come from the top management. Awareness raising activities are necessary to achieve a common view.

The cloud adoption looks at factors which enable digital business success such as

  • New IT and business capabilities.
  • Optimize business models using IT capabilities.
  • Enable cloud models by embracing cloud first or by replacing legacy systems with cloud services.
  • Align the cloud with the business strategy by embracing a cloud-best approach.
  • Ramp up workloads to the cloud appropriately to meet both existing and new requirements.

Companies use the public cloud to enable digital business transformation and optimization. Digital business models enable and support new revenue streams and enhance existing practices through data analytics. Infrastructure and operations leaders can use the public cloud’s ability to improve cost optimization, agility and innovation as a foundation for their digital business initiatives. Cloud brings dynamic capabilities.

Companies want measurable outcomes from their digital transformation initiatives. They should look at

  • Economy of scale – how can digital transformation support high volumes of transactions?
  • Where can agility be applied most effectively?
  • Which infrastructure can be easily automated?
  • Which applications have the biggest impact to enable digital business?

The cloud does not come first. CIOs focus on digital initiatives, business and revenue growth. The role of Artificial Intelligence (AI) and Data Analytics takes precedence over the cloud.

Success Factors

Cloud adoption success factors cover the 3 different areas (business, IT, top management) mentioned above. What are these? The following listing should help.

  1. Create and manage the inventory of systems and applications to assess readiness for the cloud.
  2. Cloud vendor selection per cloud layer. Conduct cloud layer evaluation workshops with different vendors and concrete showcases demonstrating IaaS, PaaS and SaaS.
  3. Build the required skills for IT and business team members to be part of the cloud team.
  4. As part of the vendor selection process, create different architecture scenarios for private, public, hybrid and multi cloud solutions. An architecture based on open source helps you avoid vendor lock-in in proprietary implementations.
  5. For each scenario create risk mitigations, security assessments, business continuity and exit scenarios to avoid vendor lock-in.
  6. Ensure the scenarios meet legal and compliance requirements. Consider GDPR and location, external regulations and internal compliance.
  7. Estimate the costs and benefits based on future SLAs with the vendors; define policies and procedures to have governance in place.
  8. Before you order the first cloud services, create scenarios with the vendors describing which cloud services are automated and how cloud workloads are managed. This is also part of the SLAs.
  9. Go through a future state when the cloud environments are in the operational mode. How are cloud deployments managed? How are the services consumed monitored and measured? This is also a part of the SLA’s with your vendors.

Cloud Service Providers Evaluation

Who are the top cloud service providers? Gartner's 2020 Magic Quadrant shows the following ranking:

  1. Amazon Web Services (AWS)
  2. Microsoft Azure
  3. Google Cloud
  4. Alibaba Cloud
  5. Oracle
  6. IBM Cloud
  7. Tencent Cloud

Other key players in the cloud world are:

  • Salesforce
  • SAP
  • Rackspace Cloud
  • VMWare
  • Hewlett Packard Enterprise (HPE)
  • Cisco
  • Workday
  • Adobe

Expecting Changes in use of Cloud Service Providers

Regarding cloud vendor selection criteria, the leading cloud SaaS vendors are expecting changes based on Flexera’s 2020 State of Tech Spend Report:

What is a Cloud Strategy?

Cloud Strategy interrelations

In a recent commissioned study conducted by Forrester Consulting on behalf of Virtustream, cloud adoption was done either in an ad hoc manner or planned from the ground up. 727 cloud strategy and application management decision makers using the multi cloud in the US, EMEA and AP were asked

“Which of the following best describes how your firm came to adopt its current cloud deployment model”?

  • 52% created an intentional, holistic strategy before deploying it
  • 47% took an ad hoc approach, adapting their model to fit specific needs over time
  • 1% do not know or it does not apply

From an overall perspective, the cloud strategy is embedded in the long, mid and short term corporate strategy. The cloud strategy should be formulated in the context of the overall strategy.

The corporate strategy looks at a long term planning horizon and relates to the business strategy, data centers, development, procurement, security and other strategic plans.

The breakdown from the corporate strategy looks at the midterm planning horizon and consists of strategic plans for the cloud such as cloud adoption, implementations, migrations and operating plans.

Every business requires a cloud strategy, regardless of where it is in its cloud journey. It is also good to define which workloads are not moved or which applications are not going to migrate to the cloud at all.

CIOs should align the cloud strategy efforts within the context of the overall strategic planning efforts, which consist of

  • Stakeholders
  • Processes
  • Governance (clarify goals, roles, risks and deadlines)
  • Communication
  • Cultural Change Management
  • Adaptability (to remain flexible)

You need to engage with this context in a collaborative and ongoing strategic planning process before breaking it down into a cloud strategy.

First of all, you need to define what the cloud strategy is and what it is not. It is not defined by IT or business, it must be a group effort. Beyond the strategy, implementation is the next step.

Most organizations do not have a real cloud strategy, therefore you need to separate the cloud strategy from the implementation and the data center strategy.

What is a cloud strategy?

A cloud strategy is a short and concise analysis on the cloud and its role in your enterprise. The goal is to identify issues for a further analysis.

  • It should be a scope and road map document of at most 20-30 pages.
  • It is a living document. Recognize that not all proofs of concept will succeed, regardless of how exciting they sound in theory. Be open to adjusting.
  • It is a breakdown of your corporate and business strategy.
  • It should be broad and cover IaaS, PaaS, SaaS, public, private, hybrid and multi cloud options.
  • It is principle-oriented.
  • It is a group effort, managed by IT and Business together.

What is not a cloud strategy?

The cloud strategy is not a plan to migrate everything to the cloud, as it was often misunderstood in the past when cloud strategies followed a “me too” approach.

  • Not a huge, detailed and long plan such as
    • Vendor selection
    • Different checklists
    • Data migration plans
  • It is not a replacement for any existing security strategies.
  • It is not a development of IaaS, PaaS, SaaS, public, private, hybrid and multi cloud options.
  • It is not a data center strategy.
  • It is not driven by IT or business alone, nor by one person or one group.
  • It does not have the attempt to solve everything upfront.
  • It is not an executive mandate.