Leveling The Playing Field
With the decrease in consumer purchases, companies often turn to IT to offer innovative goals for either cost reduction or more attractive services. This is an excellent opportunity for the CIO to demonstrate the value of IT. Unfortunately, the rapid demand for creative changes outpace the abilities of IT’s infrastructure to react, plan, purchase, implement and test before moving these services into production, thus enter cloud-based services. CIOs know that storage, platforms, infrastructure and variations of specific software are readily available as a service from multitudes of providers at a fraction of the cost and as quick as you can enter a credit card number or issue a PO. This of course sounds like a win-win solution. However, these ‘As a Service’ providers such as Saas, PaaS and IaaS seldom meet the service level agreements that you as the IT department are held to; therefore, when they fail, you and your IT department fail. Also, the CISO of your company has been adamantly opposed to offloading the enterprise’s data to another location outside of his or her area of influence.
CISOs will traditionally focus on three areas when it comes to data protection, C.I.A. (Confidentiality, Integrity and Availability). These three areas sound very limited in scope but, in reality those are my basic concerns when addressing on premise data services and that of cloud-based ‘As a Service’ providers. The government and industry regulations we must abide by are regular specifications of C.I.A. and assurances that we address each area in the manner framed by a particular regulation or standard. These regulations are also applicable even when data are located within cloud services; unfortunately, enforcing requirements upon a separate entity is not easily done especially after the services have been purchased.
CIOs often affirm the cost benefits of 'As a Service' resources however; many if not most CISOs cringe at the thought of allowing the enterprise data being placed in the hands of companies that may not meet the strict security requirements held for data within the company’s own infrastructure. After all when data are compromised or the CRM is down the institution’s CEO and board may not understand or care if the mom-and-pop SaaS provider was the root cause behind the incident, they often simply want to know how the situation was allowed to happen and who is going to be held accountable. This is not to say that all service providers do not provide secure services in fact many do but, when almost every software purchase you make today is also offered to customers as a hosted solution at a greatly reduced cost we should ask "how are they recovering these costs and are the services comparable to those IT would offer on premise."
When considering cloud solutions, I recommend that you begin by creating a list from your own SLA (Service Level Agreement) that you offer to the departments within your own company. Commitments such as 98 percent database uptime, 8-5 Monday - Friday telephone technical support, four hour recovery time, six month data archiving and other services that are real IT service commitments that your company employees have come to expect. If you do not have formal agreements then begin with your company’s expectations of your IT department’s services such as uptime, backups and appropriate access. Include in this list the regulations and standards your IT department must abide by such as acceptable server patch time, anti-virus signatures, encryption of sensitive and confidential data while at rest and in transit and other regulations that you are responsible for. If you are uncertain of the regulations applicable to your company contact your CISO. Most likely he or she has a lengthy list of regulations such as SOX, GLBA, HIPAA or PCI/DSS.
Another item to add to your list is assurances that your company’s data remains the property of your company. Your company most likely does not want their research information to become part of the public domain or sold to other companies simply because your data was stored in the cloud as part of cloudbased services. You should also ensure that if you terminate your cloud-based services your company receives all of their data back in a usable format. Imagine receiving a single text file of all of your contract management data that was a hosted relational database.
By requiring SOC3, PCI-DSS and other certifications from your suppliers you are preparing for your own audits. Now you are equipped with a list of standards, regulations and company requirements that your company is responsible for and that the CIO or CISO is held accountable for ensuring the company is abiding by. It is now time for the CIO and CISO to meet with Legal Affairs and the Purchasing Office. Your goal now is to incorporate this list of needs and requirements into all of your future and renewal ‘As a Service’ contracts.
My institution is at the infancy stage of this process and, I elected to create a checklist of requirements as comparison during contract review. While this has been widely accepted and recognized as benefiting or protecting the data owners, we are discovering that many of the companies we have been working with are resistant to committing to these requirements in their proposed contracts. Some service providers whom have offered their services for several years are more mature and already incorporate many of our needs and requirements as standard operating procedures. It has become easier to identify those software providers that simply also offer their services as a hosted solution and those providers that are committed to offering their services as a solution. By requiring the same services and commitments from all providers, I believe we are leveling the playing field for all 'As a Service’ providers and providing more comparable services to those our own IT department is measured against. Ultimately though, our institution and our customers are consistently receiving the resources and services they have come to expect which is the baseline we will begin to improve from.