The trend towards the use of cloud services is developing rapidly.
According to the BSI (German Federal Office for Information Security), cloud providers’ sales have increased by 70% over the last 5 years and will continue to grow.
In addition, the trend of many companies is to not only obtain one service from the cloud, but to obtain several different cloud services from different cloud providers through the company. Therefore, the following or similar constellation of Cloud Computing in companies will not be a rarity in the future, or already are:
In this or a comparable combination, companies will purchase different services from different suppliers. The challenge for the company will be to manage these different suppliers in such a way that the purchased and necessary services are provided profitably.
In my view, it is essential to develop and establish a company-wide multi-vendor cloud strategy (MVCS) for the use of cloud computing that has been approved by the company management.
When defining and establishing such a multi-vendor cloud strategy, the following points, among others, should be considered:
For the risk analysis of the individual cloud providers I refer to the 5 C’s of the BSI. In this document, the BSI specifies in great detail which requirements a cloud provider should meet. However, the BSI does not address the specific requirements and risks of a multi-vendor cloud strategy.
First and foremost, there is the extremely high complexity of collaboration between the various cloud providers. What was managed in the past in an own house (own IT department) must now be managed in a “cloud house”.
Before I go into the risks, I would like to briefly outline what I understand by a multi-vendor cloud house:
The multi-vendor cloud strategy is under the roof of the cloud house. The MVCS is based on three pillars, which represent the generally known services (IaaS, PaaS, SaaS) of classic cloud computing Depending on the company, further services can be listed, such as Security as a Service, Process as a Service, etc.
For all services used, minimum requirements should be defined overall and per service provider in order to meet external as well as internal expectations. In addition, suitable security measures should be implemented for the “generally known risks” (security risks; compliance risks; contract risks; performance risks). The security measures can be designed differently from company to company. The basis for the security measures implemented should always be the underlying risk analysis.
The foundation consists of the internal cloud competence team that controls all cloud providers and ensures that all systems are coordinated with each other. It also ensures effective business continuity management, taking into account all cloud providers and internal IT services.
Finally, in addition to the “generally known risks”, I would like to mention the specific risks associated with an MVCS that have already been mentioned:
This small overview illustrates the future problem of operating an MVCS. These risks must be considered in advance and should be recorded in an MVCS.
If these strategic preliminary considerations are missing, the problems and disruptions will increase with the growth of cloud services.
I cordially invite you to discuss this and other exciting topics regarding Cloud Computing with me.
You already have the opportunity to do so in the seminar “Test Field Cloud Computing” in cooperation with Jürgen Kreuz on August 17th/18th, 2020 in Cologne.