Which Methodology Do You Use to Make the Right Decision?
By Zsolt Baranya, Information Security Auditor, Black Cell Ltd.
Numerous organizations are thinking about introducing cloud-based systems or cloud services. The decision is rather difficult and complex because of the advantages and disadvantages. Usually, the decision makers’ main arguments are the higher availability and the reduced IT operations cost compared to an on-premises architecture.
There are legal requirements and recommendations describing the importance of advantage- disadvantage analysis. There is no uniform / formalized methodology to conduct the analysis, which offer a criteria system or decision process.
First, the organization must identify all the legal rules in the cloud service introduction to know the exact requirements. These obligations can vary greatly from country to country. There are mandatory and discretionary requirements, that the organization shall consider. The decision on the cloud implementation shall primarily depend on the mandatory requirements.
There are many organizations – subsidiary/affiliate – which depend on the parent company in the usage of cloud-based services. In this situation the possibilities for implementing a cloud usage depends on the parent organization.
Considering all the circumstances, the organizations need a methodology or a criterion to make the right decision. The following list and criteria may help to your organization. Each question has a score, which is based on the priority of the question. If you finish providing the answers, you gain an aggregated score on the advantage side and the disadvantage side. The aggregated scores can help the decision-makers.
The scores (values) are only recommendations. These can be changed due to the special needs of the organization.
|1||Is management committed to using cloud services? If not, the whole project can fail.||Yes||No||2|
|2||Organizational cloud service usage rules sholud implemented easily? In case of the procedures and/or the rules of the organization are overly different form the procedures and rules of the cloud service (provider) can make the implementation inapplicable.||Yes||No||1,9|
|3||Is the information security policy of the organization allowing the usage of cloud services? This is a relatively easy decision to change the policy, if the first questions answer is yes.||Yes||No||1,5|
|4||Does a contract prohibit the use of the cloud service? If yes, do you have a possibility to negotiate with the partner to change it? If the contract’s content can not be changed, the value of the disadvantage is as follows.||No||Yes||1,9|
|5||Is the cloud service appropriate to handle business needs? It is an important question, but the business has to understand the operation and functionality of the service provided by the cloud service provider.||Yes||No||1,8|
|6||Is the cloud service suitable for the efficient implementation of organizational cost allocation? Many organization have a cost allocation system. If the cloud can not handle (or not capable to handle) the needs, the answer is no.||Yes||No||2|
|7||Does the IT experts possess specific knowledge to operate cloud services? There are many cloud trainings available, if the IT staff requires further education, therefore this part of the introduction is manageable.||Yes||No||1,7|
|8||Are there any legal or other legislative obligation, which can limit the using of cloud services? If yes, the organization have take into account the legislative actions.||No||Yes||2|
|9||Is the data migration relatively easy and securely feasible? If it’s not, you have the possibility to establish a full back plan, or other plans if some confusion appears.||Yes||No||1,8|
|10||Is the cloud solution compatible with organizational architecture elements? If it’s not, to handle this will be more expensive.||Yes||No||1,9|
|11||Is it possible to establish an Exit strategy or not (in case of unique cloud solution)? The establishment of a good Exit strategy is very complicated. There are many possible scenario which the organization can not anticipate.||Yes||No||1,9|
|12||Could the service implementation costs be cheaper than the operational costs of the on premise solution? The exact amounts are required to answer properly.||Yes||No||2|
|13||Do you need to further develop the cloud service or it is available as a compact service?||Compact Yes||Developing No||1,8|
|14||Can the cloud service’s technical implementation be considered risky (interfaces, encription etc.)? With the help of a qualified risk management team, the risk mitigation process will cover all difficulties.||No||Yes||1,7|
|15||Does the cloud provider and service have relevant certificates? Without certification, you have to make sure that it complies with your information security and data protection standards by conducting audit.||Yes||No||1,7|
|16||Does the reporting function available that the cloud service use support the deceision making process? It is important for the managers but not exactly relevant for the operators. If the answer is no, you have to find the work-around solution to handle the problem.||Yes||No||1,5|
|17||The cloud service provider that you want to deploy recently published an incident? It is a good indicator, if the cloud service provider publish incidents, but it should be considered what was the incident and what kind of failure could cause it.||No||Yes||1,6|
|18||Could the management of a cloud service take more time than operating an on premise system? More estimated time, more money.||No||Yes||1,8|
|19||Will the usage of the cloud service be based on a contract or placed under general terms and conditions? If it based on contract, than the answer is yes. Therefore you have a possibility to include individual needs in the contract.||Yes||No||1,6|
The methodology represented above promulgates the pre-implementation assessment process by providing a solution to analyze the advantages and disadvantages of cloud service implementation. In practice, many organization-specific situations could occur, that cannot be divided along the lines of a yes/no answer. If a situation like this arises, it is advisable to collect the arguments from both sides.
To utilize the methodology in the best way possible, determining the scores in advance of providing the answers for the questionnaire is crucial. If the aggregated scores come up equally at the end of the analysis, the decision makers could rely on the unique results and debates of each question above.
I hope this methodology can help to make the right decision!
About the Author
Zsolt Baranya is an Information Security Auditor and head of compliance of Black Cell Ltd. in Hungary. Formerly, he has been in information security officer and data protection officer roles at a local governmental organization. He also worked as a senior desk officer at National Directorate General for Disaster Management, Department for Critical Infrastructure Coordination, where he was responsible for the Hungarian critical infrastructures’ information security compliance. Zsolt can be reached at firstname.lastname@example.org and at his company’s website https://blackcell.io/