Security
Transparency
Scalability
Controlling
Ease and extent of operational integration
Flexibility
Economy
Compliance
The requirements can be viewed differently depending on the business use
and the risk category of the data to be managed. It is advisable to develop a
scorecard for each applicable IT service to be procured in the Cloud, and to
use the card to assess the potential problems. Business requirements can be
very different and can vary greatly between Cloud services.
The assessment must not treat these fields in isolation, but must also
investigate how they depend on one another. For example, the promise of
99.9 % availability for a SaaS application is not of much value if the
infrastructure provider only guarantees 99.5 % availability and has not
implemented suitable redundancy measures.
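The availability example above can be worked through as a coherence check. The following is an added example, not part of the original text: it assumes that every layer is required at the same time (availabilities multiply) and that redundant instances fail independently; the replica count of 2 and the names `Layer`, `achievable` and `check_promise` are constructed for illustration.

```python
from dataclasses import dataclass
from math import prod

HOURS_PER_YEAR = 8760


@dataclass
class Layer:
    """One provider in the chain the SaaS promise depends on."""
    name: str
    sla: float         # guaranteed availability, e.g. 0.995 for 99.5 %
    replicas: int = 1  # independent redundant instances (1 = no redundancy)

    def effective(self) -> float:
        # All replicas are down at once with probability (1 - sla)^replicas,
        # assuming their failures are independent.
        return 1 - (1 - self.sla) ** self.replicas


def achievable(dependencies):
    """Upper bound on availability when every layer is needed at once."""
    return prod(layer.effective() for layer in dependencies)


def check_promise(promised, dependencies):
    """Compare a promised availability with what the lower layers support."""
    bound = achievable(dependencies)
    return {
        "promised": promised,
        "achievable": bound,
        "coherent": bound >= promised,
        "promised_downtime_h": (1 - promised) * HOURS_PER_YEAR,
        "achievable_downtime_h": (1 - bound) * HOURS_PER_YEAR,
    }


# The figures from the text: 99.9 % promised on top of 99.5 % infrastructure.
single = check_promise(0.999, [Layer("infrastructure", 0.995)])
# Same promise with two independent infrastructure instances (assumption).
redundant = check_promise(0.999, [Layer("infrastructure", 0.995, replicas=2)])

if __name__ == "__main__":
    for label, result in (("no redundancy", single), ("2 replicas", redundant)):
        print(label, result)
```

Without redundancy the infrastructure guarantee permits about 43.8 hours of downtime per year against the 8.76 hours the SaaS promise implies, which is the kind of gap a scorecard entry should record.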
Auditing
The requirement to audit an external IT provider will increasingly lead to
problems in the field of Cloud computing. Some data protection provisions,
in particular, stipulate on‐site checks of the provider. However, the question
is where exactly "on‐site" is. At the office of the company with which you
signed a contract? At the datacentre service provider's facility? Or at the
headquarters of the company providing the software?
Even if you decide on the location where the data will be stored, you must
still ask yourself what kind of information you can glean from a personal
visit to a datacentre. Without intensive scrutiny by personnel trained in
data protection, data security, operations, and possibly software
development, any impression will be subjective at best. That is, you
will know whether you were left with a good impression, but this will offer
no basis for a qualitative estimate of the technical or organisational
measures that are implemented.