You’ve heard over and over about the benefits of moving to the cloud, and you’re ready (or not quite ready but being pressured) to move technology to the cloud (or another hosted services model). Now what? There are many options out there, but a “one size fits all” approach does not work for many services. Our 2-part series (part 1, part 2) on hosted services basics was so popular that we decided to dig deeper into identifying, procuring, adopting and managing hosted services. To guide you through the initial step of this process, we offer some considerations to help you select the right service, deployment model, and service provider for your organization. As you think through these issues, we encourage you to engage a multi-disciplinary team composed of procurement, IT, information security, risk management, regulatory and legal experts. Your choice of service will affect multiple aspects of your operations, so it is important that all stakeholders are consulted.
Ask certain threshold questions. Considering and answering certain threshold questions ahead of identifying solutions and providers can be key in making the right decision for your organization and for developing your contracting roadmap. Think about the following:
- What is your intended use of the service? Are you buying raw computing resources (data processing and storage) or complex software applications (email system, CRM system, HR system)?
- Are you moving data off-site? Is it confidential (proprietary data, trade secrets, third-party confidential data) or regulated data (PHI, PII, etc.)? What are your data portability and interoperability requirements? What are your data rights requirements (ownership, access, use)? Remember that “data” is not just data you put into the services, but also data that is generated by the provider in the form of results, reports, analyses and usage information.
- Will you need any complementary support services, such as assistance in creating and migrating applications or assistance in migrating data into a form required by a provider?
- Do you have an exit strategy? How will you get the data back (consider both format and cost)?
Determine the appropriate type of service and deployment model. It is very important to understand that not all hosted services are the same; a private or hybrid deployment model may be more appropriate for mission-critical functions and highly sensitive data. The degree of control, responsibility, and flexibility that a user retains over data, security measures, and resources (storage, applications, etc.) will depend on the type of service and deployment model selected.
Conduct market research. Once you have determined your intended use and the type of service and deployment model that suits your organization, do some research on providers. Look at the reputation and reliability of the various providers, assess their financial viability, and talk to current customers of the providers about their experience. Pay attention to the source of your research, however; some analyses published on cloud economics are generated or paid for by providers.
Do your diligence! Transparency is key. Once you have selected a provider, you should have a clear understanding of the provider’s processing operations (where your data is stored, who has access to the data, how the data is used, and how the data is protected), identify all the players in the supply chain, and ensure accountability. Layering cloud services – where one cloud solution is dependent on other cloud solutions – is a common practice in the cloud services industry, and the cloud supply chain can be very complex. Keep in mind that even a private cloud may run on top of a core, shared infrastructure. With that in mind, and especially if you will be relying on a hosted solution to store sensitive business data or confidential information, you should:
- Review the provider’s written information security policies and procedures, as well as audit reports and security assessments performed by third parties (such as SOC reports and ISO 27001 certification and its statement of applicability), to verify the scope of coverage and applicability to the services that you are actually purchasing and to ensure that the provider has implemented robust security and privacy controls. Conduct a site visit to the vendor’s data center(s) to ensure you are comfortable with the security measures.
- Review the provider’s insurance policies, especially the provider’s cybersecurity coverage, to ensure that the provider can mitigate losses resulting from cybersecurity incidents, such as data breaches, business interruption, and network damage.
- Review the provider’s data back-up, archiving, and recovery practices, and understand its data destruction practices after termination of the relationship.
- Review the provider’s disaster recovery and business continuity plans to ensure a business disruption event will not impact your business. Keep in mind that the location of the disaster recovery site(s) has important regulatory implications (e.g., personal information of EU residents may only be transferred outside of the EU if certain requirements are met).
- Review the provider’s standard contracting documents (terms of service, acceptable use policy, service level agreement and privacy policy). If the terms are not acceptable, be sure they are negotiable before deciding to engage the provider.
- Ensure the provider has the capacity to provide other services you may require, such as assistance in migrating your applications and/or data offsite, implementation services, legal support services (e-discovery), and post-termination transition assistance services. Also ensure that such services are available at a reasonable cost.
Understand how hosted services affect your legal and regulatory compliance obligations. You should have a clear understanding of the various laws and regulations that may be implicated by having your data processed or stored offsite (e.g., U.S. privacy/data security laws, international data protection and data transfer laws, tax laws, export laws, etc.). Mapping the data that will be moved offsite ahead of time, and having a clear understanding of the location where your data will be hosted, will allow you to determine your legal and regulatory compliance obligations.