Cloud Computing – 6 Key Considerations
As cloud-based offerings become mainstream for companies of any size, it is important to ensure the core components of the cloud provider agreement with the company meet the company’s expectations. Often, the provider can deliver a higher level of service and more security, and can mitigate or reduce a company’s overall risk and compliance concerns. The following highlights key areas for company executives involved in negotiation of cloud service provider contracts.
The SLA (Service Level Agreement) and SLA Performance
The details of performance, security, data privacy and ownership, compliance, and termination of service procedures are key components of the SLA. The provider should actively seek company input on the company’s needs, experience with cloud environments, other provider relationships, and their key drivers for moving to the cloud. This enables the provider to offer options that best meet the company’s needs. The SLA should also specifically address outages, off-line events, and the credit and/or resolution process should the provider not meet the SLA.
Company information and data security as well as any related industry or regulatory requirements should also be covered, e.g. HIPAA, ISO. The company should confirm what access the provider has to company data and applications while the provider gives the company specifics regarding encryption capabilities as required for data at rest and in transit. General risk should also be addressed, and often the provider can offer the company additional current education on these topics – as the landscape changes frequently.
Beyond the general concerns about a company’s specific market and its related regulatory environment, the company should also confirm the provider’s ability to comply with privacy rules based on the provider’s data center location. The provider can also give the company an overview of their privacy impact assessment.
Generally, the key risk measures around data privacy, data movement, data access, data loss, and overall risk components typical of any ‘off-site’, ‘hosted’, ‘cloud’ environment enable the company to properly determine the levels and types of risk involved. The allocation of risk between the company and the provider depends on the company’s overall risk tolerance and the ability of the provider to meet/exceed usually defined risk areas.
The provider should be able to support and validate the information provided to the company via a third-party auditor issued report.
It is common practice for a cloud provider to delete/remove applications and data 30 days after the conclusion of a contract to provide sufficient time for migration. Therefore, it is important to include any special or unique needs the company may have over and above usual operating protocol.