choosing your cloud provider - Interactive

CHOOSING YOUR CLOUD PROVIDER


Choosing your Cloud Partner is the most important IT decision you’ll make

You need a cloud provider that you trust, that has similar values and that will stop at nothing to enhance your business. When you evaluate cloud partners, start by looking for sound practices and strategies for baseline privacy compliance such as user identity, access management, data protection and incident response. Then, as you map specific compliance requirements to your prospective cloud provider’s controls, you’ll likely face some cloud-specific challenges such as data location.

Cloud Partner Checklist

Here’s what you should look out for when selecting a partner:

1. Governance Framework

Will the partner apply a governance model in line with your own governance and business rules?

2. Risk Assessment

Are risks clearly outlined and managed throughout the process in conjunction with the key stakeholders?

3. Security Framework Assessment

How will the provider perform due diligence to ensure a deep understanding of the security requirement for all parts of the solution? If required, additional services should be applied such as Intrusion Detection and Prevention, Penetration Testing, Firewalling and Application Firewalling.

4. Platform Design

Are the platform requirements of each material and non-material system assessed with differing levels of secure dedicated and shared models applied to suit any configuration?

5. Data protection levels and disaster recovery levels

Are the data protection levels designed to meet all business and compliance requirements? Business continuity services should also be considered as part of a holistic solution.

6. Management requirement

What is the cloud provider’s capability to manage above the platform, including database systems, OS, DRaaS, BaaS and application layer management? This is a key consideration if your business priority is not to run your own IT. Your chosen provider should assess each system against security and risk levels, and allocate the appropriate level of management. Managed and unmanaged solutions to suit business needs and compliance need to be available.

7. Transition Approach

How low risk will the entire end-to-end transition process be? A lift and shift of the existing “as-is” services into the new environment prior to any transformation work is a pragmatic approach. This ensures your business is operating within a high-speed environment and rollback through any stage is immediate if required. We encourage a staged and hybrid approach with assessment of performance and functionality throughout each stage prior to the next being commenced.

8. Regulator access and transparency

Every step of the way your chosen provider needs to be willing to collaborate with consultants and regulators to ensure your business can meet the needs of your compliance landscape.

9. Devil is in the detail

Transparency around cost, and a granular view of what you’re actually paying for and the associated T/Cs, is key. Don’t let your provider hide behind SLAs where the service isn’t described with clarity. Ask yourself, what is the minimum service requirement to meet your business expectations? How confident are you that the service levels you pay for won’t expose your business through lack of compliance?


Data protection & security

Risk is usually associated with security; however, this is only a part of the issue. Data privacy is also critically important, as it encompasses data protection, data breach notification and access management, all highly significant in a regulated industry. Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the “physical, logical and personnel controls” IT shops exert over in-house programs. Ensure your sensitive data is processed and stored on dedicated equipment that meets your data privacy requirements and safeguards the privacy and security of your data from internal and external threats.


Risk assessment

Interactive takes time to assess the risk levels defined by the customer and regulator, understanding the need for compliance of the infrastructure platform and support structure. We separate each solution into material and non-material systems, allowing us to move material (business critical) systems onto highly secure, dedicated infrastructure that meets or exceeds the regulator’s standards. This allows us to host less critical (or non-material) systems on lower cost infrastructure that still guarantees the required service levels. The approach is measured and staged every step of the way, with clear “go/no go” criteria for each stage prior to any cutover.


About Interactive

Interactive is an Australian grown, wholly Australian owned and operated IT services company. More than 2000 customers trust Interactive’s team of over 450 Australian staff to deliver the best customer experience. We welcome the opportunity to talk to you about helping transform your regulated business.

www.interactive.com.au