"Cloud services" have arrived. Enterprises have either subscribed to cloud services or are seriously considering moving some of their IT infrastructure to the cloud. From an IT point of view, however, the cloud is not as new as it seems.
In fact, most CEOs already know quite a bit about the potential benefits and pitfalls of cloud services. Consider an application service provider (ASP) transaction circa 2000. Even back then, cost, flexibility and the promise of eliminating at least some of a company's IT infrastructure argued in favor of the ASP solution. Service level agreements (SLAs) were entering our lexicon. Information security was nascent. One of the overarching concerns was relinquishing control to the vendor, especially for mission-critical applications. That general concern, however, probably found its genesis in the mid-1980s, with the advent of outsourcing arrangements.
Fast forward to 2012, to the world of:
the public cloud (infrastructure furnished to general public);
the private cloud (infrastructure operated for specific customers);
the hybrid cloud (a combination of public and private clouds);
and the various cloud services models: software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS).
To be sure, the technologies (such as virtualization) have advanced, but in the end, a private cloud is still a remote data center, and SaaS is but an ASP under a different name. With a few exceptions, the conversation today between a CEO and CIO regarding a particular cloud service should not be terribly different from the conversation held in 2000 about an ASP solution. With cloud services, there is no reason to reinvent the wheel when it comes to helping your CEO understand the business implications of the solutions you're recommending.
While a standard framework to assess each cloud service should be used, by definition each assessment should be different, as no two use cases, or prototypical data sets, will be the same. Email is not ERP, which is not CRM. Whether your company operates in a heavily regulated industry, such as financial services or health care, should weigh on the advisability of selecting a particular cloud service.
My suggested framework consists of three parts:
understanding all facets of the current solution;
conducting due diligence (technological, organizational and financial) about the proposed cloud service/provider; and
ensuring risk mitigation by negotiating certain protective provisions and remedies into the services agreement, if possible, and taking certain preventive measures, regardless of whether such an agreement adequately addresses the underlying concerns.
Understanding every aspect of the current solution is obvious enough, but its importance cannot be overstated. Consider information security, which continues to be viewed as one of the biggest impediments to the adoption of cloud services. At a minimum, your assessment should show not only the security measures available to protect the company's IT infrastructure, but also how well those measures have, in fact, been implemented. Put simply, know your baseline and current risk profile.
Due diligence requires slightly more explanation. While a request for proposal is generally not necessary, care should be taken to understand whether the cloud service is in fact a "composite service" (meaning that it leverages the services of other cloud vendors, thus amplifying risk) and to request the SLA (if one is not readily provided). Your company should understand the vendor's approach to data privacy and information security -- including the tools used, historical breaches and root causes, if available, and remediation -- as well as the vendor's willingness to assist your company in its efforts to comply with statutory or regulatory requirements.
In fact, it is this focus on data privacy, information security and compliance that will most distinguish between the process of assessing a particular cloud service in 2012 and evaluating an ASP solution back in 2000.