Special risks when using cloud computing in a multi-vendor cloud strategy - Jürgen Kreuz GmbH

A guest article of Ernst Sybon, Internal Audit at Schmitz Cargobull AG  


The trend towards the use of cloud services is developing rapidly. 

According to the BSI (German Federal Office for Information Security), cloud providers’ sales have increased by 70% over the last 5 years and will continue to grow.

Trend towards multiple cloud providers

In addition, many companies are no longer obtaining just one service from the cloud, but several different cloud services from different cloud providers across the company. The following or a similar constellation of cloud computing in companies will therefore not be a rarity in the future, if it is not already the case:

In this or a comparable combination, companies will purchase different services from different suppliers. The challenge for the company will be to manage these different suppliers in such a way that the purchased and necessary services are provided economically.

Establishment of a company-wide multi-vendor cloud strategy

In my view, it is essential to develop and establish a company-wide multi-vendor cloud strategy (MVCS) for the use of cloud computing that has been approved by the company management.

When defining and establishing such a multi-vendor cloud strategy, the following points, among others, should be considered: 

  • Why are we going into the cloud – what are our goals?
  • Build and define an internal cloud competence team with clearly agreed competencies
  • Establish communication channels with the various cloud providers
  • Implement a two-step risk analysis:
    • Overarching risks arising from the multi-vendor cloud strategy
    • Risk analysis per cloud vendor
  • Business continuity management involving all cloud providers
    • Define and perform regular emergency tests
  • Ensure that all cloud vendors meet minimum internal and external privacy and information security requirements

For the risk analysis of the individual cloud providers I refer to the C5 catalogue of the BSI. In this document, the BSI specifies in great detail which requirements a cloud provider should meet. However, the BSI does not address the specific requirements and risks of a multi-vendor cloud strategy.

What are the special requirements that a company must meet in a multi-vendor cloud strategy?

First and foremost, there is the extremely high complexity of collaboration between the various cloud providers. What used to be managed in the company’s own house (its own IT department) must now be managed in a “cloud house”.

Before I go into the risks, I would like to briefly outline what I understand by a multi-vendor cloud house:

Figure: Multi-vendor cloud house

The multi-vendor cloud strategy sits under the roof of the cloud house. The MVCS rests on three pillars, which represent the generally known services (IaaS, PaaS, SaaS) of classic cloud computing. Depending on the company, further services can be listed, such as Security as a Service, Process as a Service, etc.

For all services used, minimum requirements should be defined both overall and per service provider in order to meet external as well as internal expectations. In addition, suitable security measures should be implemented for the “generally known risks” (security risks, compliance risks, contract risks, performance risks). The security measures can be designed differently from company to company; their basis should always be the underlying risk analysis.

The foundation consists of the internal cloud competence team that controls all cloud providers and ensures that all systems are coordinated with each other. It also ensures effective business continuity management, taking into account all cloud providers and internal IT services.

Specific risks of a multi-vendor cloud strategy

Finally, in addition to the “generally known risks”, I would like to mention the specific risks associated with an MVCS that have already been mentioned:

  • Cloud providers are not compatible with each other
  • Interactions: failure of one cloud provider affects other cloud services
  • Interface problems with data transmissions between cloud providers
  • Lack of internal IT know-how to understand the complexity of the various providers
  • Consistent understanding of, and compliance with, data privacy and information security requirements across all cloud providers
  • Reliance on external audits (difficulty in conducting the company’s own audits of external service providers)

This small overview illustrates the future problems of operating an MVCS. These risks must be considered in advance and should be recorded in the MVCS.

If these strategic preliminary considerations are missing, the problems and disruptions will increase with the growth of cloud services.

I cordially invite you to discuss this and other exciting topics regarding Cloud Computing with me.

You already have the opportunity to do so in the seminar “Test Field Cloud Computing” in cooperation with Jürgen Kreuz on August 17th/18th, 2020 in Cologne.