The promise of improved agility and lower costs is leading organizations to consider broad adoption of cloud computing. But a majority of CIOs and CISOs see significant risk in the deployment of the different cloud computing services. Security for mission-critical applications such as Oracle EBS, JD Edwards, SAP or any custom-built on-prem application also becomes paramount. IT decision makers will not want to take any risks in a migration that might hamper the critical business running on these applications.
The migration risks checklist below can be used to evaluate whether a project is suitable for a cloud computing environment and to understand vendor capabilities and security provisions.
Cloud Migration Risks Categories
- Data Evaluation Risks
- Data Protection Risks
- Vendor Assessment Risks
Data Evaluation Risks
1. The loss or temporary unavailability of data or an application (data classification)
2. We will not be adversely impacted if:
- The data became public and distributed
- The process or function were manipulated by an outsider
- An employee of the cloud provider accessed the data
- The data suddenly changes
Data Protection Risks
3. The vendor does not have:
- Comprehensive policies and procedures for data backup
- Documented procedures for exporting data from the cloud
- Interoperable export formats for data stored in the cloud
4. We have a challenge:
- With the vendor not using a compartmentalization technique
- With more than one data owner deciding access controls
- With more than one data owner deciding data retention and destruction schedules
5. Data is not commingled with other customers’ data while in use or storage
6. We will always know the geographical location of data storage, and will be consulted before the vendor decides to move our data outside national borders
7. The vendor’s data retention and destruction policy matches the organizational policy
8. The data encryption process (in storage and in transit) is satisfactory – what is the key system (individual keys for individual members)?
9. Does the vendor have a response system in place if customers lose their passwords or are unable to keep their passwords secure?
10. The vendor meets all the regulatory requirements associated with the data we will process or store in the cloud
11. The vendor has certified host and network controls to protect the systems hosting our applications and information (ISO 27001)
Vendor Assessment Risks
12. The cloud vendor’s SLAs do not match our internal SLAs, and the vendor neither has a track record of performance against SLAs nor provides resources for performance monitoring
13. The vendor does not have clear, available channels for communication regarding service and performance issues
14. The vendor does not provide migration support or have enough trained partners for migration.
15. The vendor’s security governance processes and capabilities are not sufficient, mature and consistent with our information security management process
16. The vendor is likely to be unstable in a highly competitive and recessionary market
17. The vendor will not be able to compensate our organization appropriately for performance shortfalls
18. The vendor has not clearly defined the security-related services that are outsourced or subcontracted
19. The vendor does not periodically audit its outsourcers and subcontractors
20. The SLA provisions guaranteed by outsourcers are not on par with those of the primary vendor
21. Measures taken by the vendor to ensure third-party service levels are not satisfactory
22. The vendor does not have a sound change control procedure and policy
23. The vendor does not have a process to re-assess risks as a result of changes
24. The vendor has no effective controls to protect against malicious code
25. The vendor has no security configurations that allow only the execution of authorized code and functionality
26. The vendor does not provide details on audit logs (integrity, data retention period, confidentiality, etc.)
27. The vendor does not give an estimate of space availability to avoid issues with resource exhaustion
28. The vendor does not offer periodic disaster recovery and business continuity plans
29. The vendor does not have a long-term business plan or the commitment of its financial backers
30. The cloud vendor neither has a track record of performance against SLAs nor provides resources for performance monitoring
Conclusion
There are really no cloud migration risks or challenges that can’t be prevented. For that, you’ll certainly need some professional help. IT Convergence certified experts have been focusing on delivering first-time-right cloud migration for all Oracle solutions and ensuring you overcome any roadblocks on this migration journey. We are an Oracle certified cloud MSE with 20 years of expertise in Oracle solutions. Contact us and we’ll handle any cloud migration issues you’re struggling with, no matter the level of complexity.