4 PART IV: SELECTION AND CERTIFICATION OF CLOUD SERVICES
Choosing a Provider
Given the huge choice of Cloud services, choosing the right provider is an enormous challenge. For classical IT outsourcing, you could base your choice on the provider's long-term reputation, on direct contact with the provider, or, in many cases, on the regional accessibility of the provider's IT facilities. None of these criteria is readily applicable to Cloud computing: a customer primarily rents a service, and the way the provider delivers that service can be very complex and entirely abstracted from regional considerations. [64]
It is, for example, necessary to check whether a national software service provider procures parts of its services (e.g. servers and storage) abroad, since this requires special consideration of data privacy and tax law. A variety of services are now offered on marketplaces and portals, sometimes even under a private label. In these cases, it is necessary to find out who the actual service provider is.
Compliance Requirements
We understand the term compliance to mean observing legal and enterprise provisions to ensure orderly business operations. In the field of Cloud computing, auditability of compliance requirements can only be achieved through sufficient transparency in external service provision: concrete determination of the data location, of the service provider and its functions, and contractual verification of all required performance guarantees. In addition, there is a duty to disclose any changes in the provision of the service; such changes must give rise to an entitlement to terminate the agreement for good cause, and an orderly return of the data to the user must be considered at an early stage.
General Requirements
There are a number of auditing schemas for IT outsourcing, but all of them focus to a great extent on the issues of security and correct transaction handling. For the complex field of Cloud computing, however, all critical areas must be examined with regard to compliance requirements.
It is very useful to start by classifying one's own requirements and the required degree of fulfilment as a ranking for each service. These are primarily:
64 An expanded version of this chapter can be found under