As technologists, we all know that organizations are increasingly making use of the cloud. More and more IT professionals are also now realizing that much of that adoption can happen outside the walls and strictures of IT. For example, individual business units might engage directly with third-party cloud providers to initiate customer relationships without involving IT directly.
As a result, it's possible that a single organization could have multiple relationships with different cloud service providers for a range of purposes. These service providers might be engaged to do everything from infrastructure services (IaaS) IT consumes (e.g., disaster recovery, on-demand capacity improvement through bursting, virtual platforms for testing, and so on), to application support services (PaaS) that in-house developers deploy for application and component development, to externally hosted applications (SaaS) different business units bring in to support business needs directly.
From the business unit's point of view, there might be some perceived advantages of this, such as timeliness of service delivery, but from a technology governance standpoint it can create challenges. One such challenge is that individual business units seldom coordinate with each other (or, as mentioned, IT) to make sure they're buying similar services from the same provider. From a security and compliance standpoint, it can be challenging to ensure that each vendor is appropriately vetted and managed, that compliance concerns are addressed for each one and that sensitive or regulated data is only sent to organizations that have been approved for such a relationship or that implement appropriate security controls.
The value of a service inventory
While some well-equipped organizations are prepared to deal with managing the multiple service providers they do business with, many others are not. Since many of those relationships involve storing regulated or sensitive information -- or data that may be critical for the business from a continuity standpoint -- potential security and compliance consequences of not governing those multiple relationships appropriately can be severe. Additionally, because these relationships might arise from outside IT (from multiple different sources), there are often logistical complexities that arise because relationships might not fit cleanly into a pre-existing governance model.
Constructing an inventory around service provider relationships can help both better manage potential risks and lay the groundwork for a more strategic cloud computing adoption planning down the road. First and foremost, it helps enterprises take steps to identify and document the different service providers that are in use. This is helpful because the services themselves are not static -- and neither is how they're used in an organization. Keep in mind that service providers, just like organizations, make continual changes to the services they offer -- they may update security controls, incur downtime or become a victim of a breach, or an organization could decide to expand the scope of what the provider is being used for. To manage this, some type of central oversight is necessary.
Keeping a map -- or a structured inventory -- of service provider relationships does a few things. It helps ensure a specific owner for each relationship -- someone who can be contacted about the relationship itself to answer questions about usage, for example. It also assists in keeping abreast of changes to the service provider's offering (either usage-related, control-related or otherwise) and helps to locate areas of potential consolidation. For example, an organization can apply increased leverage to a service provider should it seek to negotiate with them, or compare effectiveness of different offerings. In short, keeping track of cloud service provider relationships has the same value to organizations that keeping track of any other third party relationship does.
Building the inventory
Before putting together this structured inventory, it's important to recognize that the effort to discover the full scope of cloud service usage within a large organization can be extraordinarily challenging. It might be tempting to simply approach whatever group has been historically chartered with maintaining lists of vendor relationships (like purchasing or legal) to help compile a list of current vendor relationships. However, doing so is likely to net only a subset of the whole. This is because many cloud service providers have products accessible to any consumer with a bank account -- products that can be acquired using credit card transactions, PayPal or other methods that can be challenging to track down. Some might even be free for certain uses.
The best way to initiate the cloud service discovery process is to query all the various business, technical and support groups within the organization to determine what their usage looks like, including what services they are using and how they are using them. This can be done as a one-off endeavor, although generally it might be more productive to align this effort with other information-gathering activities.
For example, if business impact analysis exercises are periodically conducted for business continuity planning (BCP) purposes, collecting data about the use of cloud services as a tack-on effort can help both streamline the process (since the conductor is answering usage-based questions already) and reduce the frustration stakeholders sometimes feel when asked to answer questionnaires. Alternatively, targeted questions can be asked during application risk reviews that might be periodically conducted as new initiatives and business processes are reviewed.
When collecting the data from individuals, keep in mind that many users won't have any idea what "cloud" is. For example, if you ask a question like "Do you use cloud services?" they may not understand that a service like SalesForce (or any other SaaS application) is such a tool, and hence they may not provide the data you're looking for. Instead, try to frame questions in such a way that users can answer with confidence, such as, "Who manages and hosts XYZ application?" If they don't know the answer, at least you'll know you need to keep digging.
The bottom line
Putting together an inventory of cloud service providers within an enterprise is a productive exercise; it allows managers to compare what relationships they've vetted and approved, what relationships have been evaluated for specifics types of usage (like storing, processing, or transmitting sensitive or regulated data) and what environments are subject to certain types of compliance requirements. Additionally, in the context of an incident or breach investigation, a reliable inventory can be extremely useful. Making it happen isn't difficult; it just takes some forethought, planning and organization.
About the author:
Ed Moyle is currently director of emerging business and technology for ISACA. Moyle previously worked as senior security strategist for Savvis and as senior manager with CTG, and prior to that he served as a vice president and information security officer at Merrill Lynch Investment Managers.
What it takes to monitor cloud services
How to securely manage the cloud with cloud management consoles