Widgetized Section

Go to Admin » Appearance » Widgets » and move Gabfire Widget: Social into that MastheadOverlay zone

Managing Your Cloud Services Vendor

A note for our readers: the views reflected by the authors do not reflect the views of ASPA.

By Iriana Chizek

chizek mayIn the ever-evolving technology space, moving to the cloud presents great benefits for government entities: increased software updates, disaster recovery capabilities and reduced staffing and infrastructure costs to name a few. While there are many positives that make the move to a cloud environment enticing, as with any technology there are risk factors to be considered as they relate to your data and how it’s being protected in the cloud.

It is important to understand what it means to “move to the cloud.” Moving to the cloud suggests that the entity is acquiring software as a service (SaaS) and additionally that software (and data) is distributed over the Internet from a third party provider’s site(s). As a result, the government entity is placing reliance on a vendor to maintain the software and the government entity’s data outside of the government entity’s domain of control.

So what are some of the considerations to effectively protect and manage the information technology (IT) components you place with a cloud service provider?

1)       Establish Cloud IT Governance

Similar to internal technology deployments, strategic alignment, value delivery, risk management, resource management and performance management all need to be considered when moving to a cloud provider. These components (IT Governance) need to be addressed and typically begin with:

  1. Policies related to how relationships with cloud providers will be managed in collaboration with the IT Department.
  2. Determine who will be responsible for identifying IT functions to move to the cloud and the necessary development of business cases for presentation to executive management for approval.
  3. Responsibilities for the development of contractual requirements (meaningful metrics and reporting) based on best practices and a vision that ensures future technology needs and investments are, and will be met.
  4. Oversight responsibilities related to the monitoring of the established contractual agreements (and metrics).

Anecdotal evidence indicates that most cloud customer/provider relationships start with little or no IT Governance, which result in problematic situations (as described in item 2 below). Furthermore, effective IT Governance requires entities to consider what regulatory compliance standards to uphold internally as well as require their cloud service providers to uphold. These requirements must address how failures/potential breaches will be addressed and communicated should they arise, while establishing a platform to address risk management and performance.

2)       Understand the Security Around Your Data

Agreements between cloud providers and entities tend to be vague to reduce the liability for the cloud provider in the event of a data security breach. The risk is always greater when you store your data remotely and can’t control it fully. According to a recent Gartner study, 80 percent of IT procurement professionals will remain dissatisfied with SaaS contract language and protections that relate to security.

It is essential that the contract use specific language to address information security. Terminology like “industry standard” and “best practices” should be avoided. While these are shortcut phrases, they are open to interpretation. For example, to avoid confusion, a better way to address this is “security management must comply with ISO 27001 and be certified through an ISO/IEC certifying body.” Another avenue would be, “the provider must obtain at its cost an annual independent SOC 2 report in compliance with the security and availability principles.”

Additionally, to mitigate some of the risks, clear metrics and requirements should be defined for:

  • Availability. Define the requirements related to when the system must work during a defined period over the length of the contract. In simple terms, if the defined period is a month (730 hours assuming 24 hour needed availability) a metric of 95 percent required uptime, allows 36.5 hours a month for scheduled maintenance downtime.
  • Storage. Cloud storage is generally based on consumption. It is important for you to state the absolute minimum storage requirements allowing for (generous) projected growth over the contract period.
  • Customer Support. Clearly define the expectations for response time related to questions and/or trouble tickets. Expected response time is critically important for issues involving potential security breaches. In general, setting expectations related to customer support is crucial to not disrupting operations.
  • Maintenance. Related to availability, the maintenance windows should be defined when activity will be at a minimum i.e., weekend nights. The contract should define key times that are not disruptive to day to day operations.

Another important aspect to consider when thinking about security in the cloud is “shared environments” versus “private environments.” In a shared environment, the entity’s data will be placed on the same storage device as that of the other patrons, bringing to light concerns about backup and security. In a shared environment, the entity’s data are backed-up right along with all other customers. Human error can occur and backups can be restored to wrong customers/environments. Moreover, it is difficult to destroy the data when terminating the relationship with the cloud provider (as described in the exit strategy below). Public sector entities will not want to place information in a shared environment.

While there are many options when it comes to cloud providers, competiveness in price and service delivery, find someone that matches your risk comfort to best safeguard your information.

3)       Develop and Agree to an Exit Strategy

Standard cloud provider contracts will always allow the cloud provider’s right to suspend or terminate the service. However, the entity must be protected to assure that enough time is provided to migrate to another solution. Data must continue to be available, in a usable format, for at least as long as necessary to facilitate the replacement solution.

In addition, from the government entities side, should the relationship with the cloud provider be terminated, contract provisions should stipulate the “return of data” to the entity. Return of data should be narrowly defined within the contract as: all entity data being transferred to a location specified by the government entity though secure and agreed-upon means, and the destruction of all data at the cloud provider for all storage devices including tapes and backup devices at an agreed-to date.

Cloud services are still new, and the majority of entities are still addressing governance, security and transition. It is important to expand vendor management policies to address cloud providers and that entities are considering how to their contracts will address cloud providers along with the entity’s needs. Standard cloud provider contracts need to be scrutinized to make sure the entity is not giving up the any rights to dictate how their systems and data are managed. Prior to signing a cloud provider agreement, consider the entity’s security strategy, risk management posture, deliverables, performance requirements and business needs and verify that the contract considers all of them.

1 Star2 Stars3 Stars4 Stars5 Stars (3 votes, average: 5.00 out of 5)


The American Society for Public Administration is the largest and most prominent professional association for public administration. It is dedicated to advancing the art, science, teaching and practice of public and non-profit administration.

Leave a Reply

Your email address will not be published. Required fields are marked *