CIO

Why certification is critical when selecting a cloud service provider

by Phil Kernick, Co-Founder and Chief Technology Officer at CQR Consulting

Motivated by the promise of reduced operational costs, improved efficiency and better scalability, many organisations are shifting more of their IT infrastructure to cloud platforms.

Making such a move makes sense. Cloud providers are almost certainly better at running IT infrastructure than in-house IT teams and can provide a level of redundancy and security that is difficult to achieve with on-premises systems.

Shifting to a cloud platform also makes sense at a time when the complexity of IT infrastructures continues to climb. Technology is evolving so quickly that it has become almost impossible for an individual or small team to have all the knowledge and skills required to keep it operational. Shifting to the cloud can reduce the pressure and free up internal resources.

The importance of certification

Once an organisation decides to shift some (or all) of its IT infrastructure or software to the cloud, it must select which service to use – and not all cloud providers are created equal.

To be confident of selecting a cloud provider that has appropriate infrastructure, performance and security, it’s vital to select one that has achieved industry certification. This means they have undergone an independent assessment process that confirms the service levels they can provide.

One example of certification is the Australian Signals Directorate’s Certified Cloud Services List (CCSL). This list details all cloud providers that have been able to demonstrate they have the levels of cloud performance and security required by public-sector organisations.

While the list contains a range of approved service providers, there are many others in the market that have not achieved any certification of their platforms. Some offer cloud hosting resources while others provide Software as a Service (SaaS) products.

Making use of such providers can be a risky proposition. While their services may operate well and support an organisation’s day-to-day operations, they may also cause disruption and financial loss if problems occur.

Such problems may come in the form of degraded performance. When critical IT systems are migrated to a cloud platform, any outages experienced by that platform can have a significant impact on productivity.

Maintaining responsibility

When an organisation signs an agreement with a cloud provider, it is essentially outsourcing much of the heavy lifting associated with running its back-end IT infrastructure. However, this in no way means that the organisation can also outsource responsibility and accountability for the data that is placed on that platform.

The provider may provide a certain level of data security as part of its offering, but it won’t cover every facet. Issues such as weak passwords or poor internal security will mean information can still be compromised.

If a breach or data loss occurs, responsibility will ultimately end up with the organisation using the service rather than the cloud provider.

The importance of effective governance

The issue of effective data governance has been on corporate watch lists for years, and this doesn’t change when cloud platforms are added to the IT mix. In fact, if an organisation can spend less time and fewer resources on maintaining its infrastructure, it should in reality have more of both to focus on this important area.

This matters because robust data governance has never been more important. With an increasing proportion of business conducted electronically, ensuring the integrity of files and stores regardless of their location is vital.

A key component of this process is the careful review of agreements put in place with cloud providers. Their responsibility when it comes to maintaining a secure platform must be clearly understood and documented. Of course, this process doesn’t conclude when the agreement is signed. Ongoing monitoring must be carried out to ensure the agreed standards are maintained over time.

Internally, an organisation must also carefully monitor all the cloud platforms that are being used. It is all too easy for a business unit or team to make use of a cloud platform to support a project. If the governance framework doesn’t cover these activities, the organisation could face significant challenges if data is lost or stolen. Investing less in system administrators and more in audit capabilities is a sound approach.

Adopt a framework

To ensure an IT infrastructure that incorporates cloud resources is as secure as possible, an organisation should also adopt an appropriate framework to guide its internal activities. Part of this framework needs to be a checklist of requirements by which any prospective providers can be measured.

To help in this process, the Australian Signals Directorate has developed a number of guidance documents that can guide an organisation through developing and implementing an effective framework.

Through careful selection of a certified cloud provider, the implementation of a suitable framework, and ongoing monitoring, organisations can enjoy the significant benefits of cloud adoption while also minimising associated risks.