One of the biggest barriers to growth in the cloud services marketplace is uncertainty about the risks. In its latest white paper, Evaluating Cloud Computing Risk for the Enterprise, BITS, which manages the Shared Assessments Program (a vendor risk management standard), provides a framework for assessing cloud risks and determining the appropriate controls. To start with, BITS differentiates the controls for traditional IT services models from those required to address cloud risks:
1. Common Cloud Controls: These are mature control areas associated with traditional IT services environments that are also applicable to cloud-based services, and whose audit mechanisms are considered mature.
2. Delta Cloud Controls: These are higher-risk control areas that have particular relevance to cloud environments, and whose cloud audit mechanisms are less mature.
In the new guidance, BITS also provides assessment considerations for Delta Cloud Controls in 12 categories:
1. Multi-Tenant Platforms
2. Multi-Client Prioritization
3. Agile Delivery
5. Data Location, Cloud Layers and Cloud Providers
6. Cloud Management: Roles and Division of Responsibilities
7. Contracts, Data Privacy and Jurisdictional Issues
8. Identity and Log Management
9. Web Application Security
10. Cloud Vendor Interdependence and Governance
11. Data Retention, Management, Recovery and Destruction Cycles
12. E-Discovery and Forensics
This work by BITS complements the Shared Assessments Program, which provides overall guidance for evaluating the risks of traditional and cloud service providers. It should go a long way toward enabling effective risk assessments of cloud services, and so begin to lower the biggest market barrier for cloud providers. BITS makes no claim that this new cloud risk evaluation guidance is exhaustive, but it is a good start, and enterprises should use it as an element of their cloud strategies and vendor risk management efforts.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.