Based on the Cloud Adoption Framework, the vendor selection process and the corresponding SLAs, you can now conclude the assessment of potential benefits and risks. Each risk and benefit item should be addressed as a what-if scenario with the vendor; this can be done as a second evaluation workshop with the vendors who remain after the first vendor selection workshops.
| Risk | Benefit | Conclusion |
| --- | --- | --- |
| Security risk: confidentiality, integrity, accountability | Secure, stable and modern infrastructure and data transfer | Assessment needed for theft of sensitive data, loss of intellectual property, unauthorized access to customer and business data, vulnerabilities, malware attacks, data manipulation, data leaks, data transfer, security risks at the vendor, and security defects in the new technology used. Are software interfaces and APIs still secure when data is exchanged via the cloud, e.g. against phishing attacks? |
| Downtime | Disaster assistance | Potential downtime, backup and restore services (from the cloud and to the cloud). If the internet connection fails, either on the customer or the vendor side, data is not accessible. Data recovery can become time consuming. |
| Availability | Access everywhere | Productivity anywhere, real-time reporting and analysis of data. Dependent on network and internet connectivity. |
| Wrong configuration | Best practice architecture | A misconfigured cloud architecture and a lack of change control lead to significant security risk exposure. With the growing number of stakeholders, such as in-house and vendor IT staff, identity and access management, policies, third-party applications, APIs and interfaces, the architecture and cloud configuration need to be properly planned. |
| Integration and low performance | Scalable and elastic, flexibility and high performance | Agree on KPIs for application and system performance. Assess data availability risks and whether the backend systems can scale at the same speed as users enter and transfer data into the applications. Assess concurrent user scenarios where users interact more heavily with the cloud applications. Assess the required internet connections in your countries and affiliates to ensure sufficient capacity to manage the high volume and secure storage of data. Assess potentially costly re-architecture efforts for adoption and integration with the new technology. |
| Loss of control | Pervasive | Vendor business continuity and disaster recovery readiness; inability to track or troubleshoot data once it is in the cloud. When data is run on multiple remote servers in the cloud, it takes more effort to keep control over these servers than it does on premises. |
| Increased costs | Cost effective | Find the hidden costs in cloud contracts, break them down into simple billing models, create cost estimates for running cloud workloads for both up- and down-scaling, agree what counts as a resource and what as consumption to mitigate unpredictable costs, billing functions at different rates, cost thresholds and cloud storage costs. Costs for data recovery need to be considered. Be aware if there are any storage availability limits due to the cost bandwidths agreed. Automate the control process to start or stop services when they are not used, to save costs. |
| Vendor lock-in | Adaptive | Expensive exit clause when ending the SLA. Inability to set and enforce security policy in the cloud service provider environment. Business viability of the vendor; risk that the provider fails or goes bankrupt. Companies should check the degree of cross-vendor compatibility. For example, Google Cloud Storage (GCS) optionally offers access via an S3-compatible API. This makes it easy to switch backend storage from Amazon S3 to GCS. |
| On premises | On demand and pay per use, subscription fees | The capital costs per user are lower and better matched to actual consumption. No hardware or software installations are required. Applying patches, upgrades, performance tuning and maintenance lies with the cloud service provider. Cloud-based IT infrastructure provides customers with rapid access to systems and applications whenever needed. However, cloud services carry risks that are unique to the cloud provider's own operating environment, and other risks associated with the customer. Any data in the cloud can still be attacked from the outside. |
| Lack of skills | Cloud skills | Storing, managing and accessing data in the cloud require a new set of skills, because your team needs to understand how different cloud service providers work. Cloud vendors differ in how they expose their technology, policies and implementation approaches. This complexity requires IT and business team members to learn new ways of working and handling information. Greater complexity (new technologies, cloud management tools, SLAs, activity split, segregation of duties, shared responsibilities) increases the risk of data breaches. Besides knowing how cloud service providers work (e.g. AWS, GCP, Alibaba), additional cloud skills required are automation (e.g. Terraform, Ansible, GitLab), hosting, connectivity, storage, networking, virtualization, Linux, database technologies like SQL, MySQL, MongoDB and Hadoop, Data Center Infrastructure Management cloud tools (DCIMaaS), security and disaster recovery, web services and APIs, DevOps, containers (e.g. OpenShift), programming skills (SQL, Python, XML and .NET) and open source standards (e.g. OpenStack, FINOS). Budget cuts have a negative impact on the required skills and widen gaps in the overall protection, especially when companies cut security resources. Not investing in the skills to set up automation across the cloud security landscape is a time bomb of undetected misconfigurations and unknown risk exposure. |
| Incompatibility | Self-service | Self-service access is dynamically scalable and elastic, but policies and controls are essential to help management protect and safeguard systems and data. The ability to use self-service needs to ensure compatibility and a secure cloud computing environment. With the cloud giving users more access to more resources, there is a greater risk of abuse and damage to sensitive data. |
| Compliance risk | Respond to increased regulations | Assessment of data under regulatory and customer identity aspects, authentication systems, resource exploitation due to user error or misconfigurations, dangers and risks of data sharing. Lack of auditing. Negative impact of laws and regulations. |
| US Cloud Act | Legally safe | Legal assessment for US-based vendors to understand the implications for data sovereignty and changes in the US Cloud Act violating European law or the related Gaia-X initiative, and vice versa. Data centers in high-risk countries suffer from local data control, trade wars and political risks. |
| Loss of features | Modern, flexible | Maturity of technology; standardization takes precedence when adopting cloud applications, with fewer customizations. If customizations are needed and the vendor gets involved, it takes longer to develop, test and deploy. Flexibility in the offers can become limited. |
| Lack of tools | Innovative | The tools should meet specific requirements, such as performance, security, cost management, governance, automation and disaster recovery. With cloud adoption, companies deploy a wide range of security tools without aligning their cloud strategy with a comprehensive security strategy. Those tools lack full integration and introduce risk at the boundary between security and operations. As a result, by simply deploying more technology, companies suffer the opposite effect and still lack the right tools. The network remains open to outside threats. Companies need to identify the scope and entities of coverage before deploying a new tool. The various areas of the infrastructure need to be understood, such as network, wireless, physical and virtual environments, user identities, applications, compatibility, monitoring and access controls. Avoid data leaks caused by misconfigured clouds because security teams lack appropriate automation and integration tools. |
A benefits and risks assessment helps to effectively mitigate the risks brought by using the cloud. You can follow this approach to ensure nothing is forgotten before starting the design phase.
To address information and technology goals, you need to balance business goals for stability and reliability against agility and flexibility. This means finding the right balance between cost savings, efficiency, agility, speed and time to market.
Companies need to understand that their data is now uploaded to cloud servers, and it is vital to know who uploads and downloads what data. Cloud storage and sharing services require weighing the risks posed by using these services.
A final conclusion after the second vendor evaluation workshop should be done by the business decision makers and the IT managers.
How to build an unbeatable cloud team
To translate the cloud strategy into actions, you need to build a highly skilled team with key roles and stakeholders from both business and IT, not just from IT.
The program manager should be familiar with the company's enterprise architecture and is supported by the Project Management Office. The team consists of IT, functional and business unit leaders. Depending on the line of business the company operates in, the business unit leaders may vary. The minimum requirements are stated below.
Program Manager and Strategic Excellence Panel (SEP)

| IT Leaders | Functional Leaders | Business Leaders, MDs, cluster heads |
| --- | --- | --- |
| Cloud Architects | Finance | Head of B2C |
| Application Architects | HR | Head of B2B |
| Cyber Security Experts | Legal | Business Line 1, 2 … n |
| Infrastructure Experts | Procurement | Cluster / Country MDs |
| Operations Managers | Risk Managers | |
| Application key users | | |
IT Leaders should consist of both internal IT and IT experts from the cloud service provider.
The SEP consists of the Program Manager and one member each from the IT Leaders, Functional Leaders and Business Leaders. This is a cross-business horizontal team. The IT leaders build a vertical center of excellence with the required support from project team members, project managers and transition managers.
The horizontal and vertical approach ensures that the cloud strategy team includes IT, business and functional representatives. In the past, the cloud strategy was a pure IT exercise, whereas today the audience is broader.