Thoughts on Entering Into Cloud Engagements

Much has been written, including by me, about the risks (and benefits) of cloud engagements.  I think a step back maybe in order – perhaps even two steps back.  That is, I think it is far too easy to lose the forest for the trees in considering the cost-benefit of a proposed cloud engagement.

Recently, the Federal Financial Institutions Examination Council (FFIEC) issued a guidance for financial institutions regarding cloud engagements (http://ithandbook.ffiec.gov/media/153119/06-28-12_-_external_cloud_computing_-_public_statement.pdf).  While directed at businesses in the financial services industry, the guidance provides some very sound advice that every business should consider.  Specifically, the FFIEC’s primary point was:  treat cloud engagements as you would any other outsourced technology engagement.  While that seems overly simple, consider that many businesses do not take that approach.  Rather, in considering a cloud engagement, many businesses start with the premise that they have to expect far less protection than they would receive in a traditional technology transaction.  That is very unfortunate, but highlights the current state of cloud contracting.

I suggest every business start their cost/benefit analysis of a potential cloud engagement by asking the same questions and expecting the same level of protection that it would in a traditional locally hosted transaction or any other form of comparable outsourcing engagement.  Setting expectations low at the outset shouldn’t be the de facto approach to cloud contracts. 

Related:
Cybersecurity market research: Top 15 statistics for 2017