ISACA, a global non-profit IT association, has published "Guiding Principles for Cloud Computing Adoption and Use" to help companies manage the challenges faced when adopting cloud computing.
1. The enablement principle
Plan for cloud computing as a strategic enabler, rather than as an outsourcing arrangement or technical platform. To plan strategically for cloud adoption and use, enterprises need to:
- Treat cloud computing adoption and use as a strategic business decision.
- Make informed decisions, considering both business and operational needs and the benefits that can be provided by cloud computing.
- Communicate cloud computing arrangements and agreements to internal parties to ensure proper alignment and consistent oversight.
- Periodically review organizational strategies and the contribution of IT to ensure that cloud initiatives maximize value delivery, risk management and resource utilization.
2. The cost/benefit principle
Evaluate the benefits of cloud acquisition based on a full understanding of the costs of cloud compared with the costs of other technology platform business solutions. To properly evaluate the costs and benefits of cloud computing, enterprises need to:
- Clearly document expected benefits in terms of rapid resource provisioning, scalability, capacity, continuity and the cost reductions that the cloud services offer.
- Define the true life-cycle cost of IT services provided internally or through a provider to have a basis for comparing expected and received value.
- Balance cost with functionality, resilience, resource utilization and business value.
- Look beyond cost savings by considering the full benefits of what cloud services and support can provide.
- Periodically evaluate performance against expectations.
3. The enterprise risk principle
Take an enterprise risk management (ERM) perspective to manage the adoption and use of cloud. To understand the risk implications of cloud computing, enterprises need to:
- Consider the privacy implications of commingling data within the virtualized computing environment.
- Evaluate privacy requirements and legal restrictions, considering client needs as well as provider restrictions and capabilities.
- Determine the accountability addressed in SLAs, the ability to monitor performance and available remedies.
- Understand current risk identification and management practices and how they need to be adapted to address risk management for cloud computing.
- Integrate scenario analysis into business risk management decision making.
- Consider exit strategy and the implications of not being able to render data as enterprise applications are sunset or unavailable.