Managing cloud services risk throughout a supplier lifecycle relationship
Today, the focus is on the service outcome
BT provides network consulting services for which the cloud is often a delivery option. We have noticed that many cloud programs are directed at a specific problem that can be solved by a widget or service provided by a CSP. The good news is that if the widget fits, the result is generally of high quality. The bad news is, far too often there is very little:
- Oversight of the CSP relationship,
- Operational and business continuity assurance, and / or
- Integrated change management.

While not as egregious as buying a “Rolex” watch from a New York street vendor, there are similarities: the watch does tell the time, for a while anyway; the credentials of the supplier are assumed adequate; and the purchase comes with no warranty. Urgency, responsiveness and the short-term nature of the vendor relationship are the justification for risk management shortcuts.
Reality check – CSP selection is risky business
The more sensitive the data and / or the more critical the process, the more important supplier selection tactics and trust management become to the success of the relationship and the value it provides. A successful relationship will be grounded in a shared understanding of accountabilities and expectations. The choice will not be solely whether someone else can provide a service within desired cost and time parameters. Rather, the choice will confirm that they will do it with the same care you would provide when doing it yourself. As the relationship develops from prospect to partner, risk mitigation must change from assessment to in-life control. The focal point must change from ‘me’ to ‘we’.
looks at the various stages of a provider relationship lifecycle. At each point, a share of the activity should include risk management activities.
must declare the relative risk associated with the data sensitivity and process criticality that the service is to support.
must build trust based on a verification that the service provider provides adequate security controls for the use case, the business benefits, and the cost of entry.
should summarize the human and security controls aligned with use case risk, document the technical and process integration with the CSP, and provide the quality control framework to manage the in-life operation.
must include the terms under which the use case and service are managed to contain risk, including SLAs, roles/responsibilities, and terms that could be invoked upon service failure such as information disclosure and service interruption.
includes the required level of joint management and control.
is the unavoidable but mutually agreed end of the relationship.
: Cloud Services Relationship Lifecycle