Page 165 - Cloud Migration Version 2012 english

Security 
Transparency 
Scalability 
Controlling 
Ease and extent of operational integration  
Flexibility 
Economy 
Compliance 
The requirements can be viewed differently, depending on the business use 
and risk category of the data to be managed. It is advisable to develop a 
scorecard for each applicable IT service to be procured in the Cloud, and to 
use the card to assess the potential problems. Business requirements can be 
very different and can vary greatly between Cloud services.  
The assessment must not treat these fields in isolation, but must also 
investigate how they depend on one another. For example, the promise of 
99.9 % availability for a SaaS application is not of much value if the 
infrastructure provider only guarantees 99.5 % availability and has not 
implemented suitable redundancy measures. 
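The availability example above, worked through as an added illustration that is not part of the original text: a SaaS promise is checked against the ceiling set by the layers it depends on, with and without redundancy. The names (Layer, check_promise), the two-site scenario and the assumption that redundant instances fail independently are assumptions made for this example; only the 99.9 % and 99.5 % figures come from the text.

```python
from dataclasses import dataclass

HOURS_PER_YEAR = 365 * 24


@dataclass
class Layer:
    name: str
    sla: float         # guaranteed availability of one instance, e.g. 0.995
    replicas: int = 1  # independent redundant instances (1 = no redundancy)

    def effective(self) -> float:
        # All replicas must be down at once (assumes independent failures).
        return 1 - (1 - self.sla) ** self.replicas


def supported_availability(layers) -> float:
    """Ceiling for a service that needs every layer to be up."""
    result = 1.0
    for layer in layers:
        result *= layer.effective()
    return result


def downtime_hours(availability: float) -> float:
    return (1 - availability) * HOURS_PER_YEAR


def check_promise(promised: float, layers) -> dict:
    supported = supported_availability(layers)
    gap = downtime_hours(supported) - downtime_hours(promised)
    return {
        "supported": supported,
        "coherent": supported >= promised,
        "uncovered_hours_per_year": max(0.0, gap),
    }


if __name__ == "__main__":
    # Constructed scenarios: only 99.9 % and 99.5 % come from the text.
    stacks = {
        "single site": [Layer("infrastructure", 0.995)],
        "two independent sites": [Layer("infrastructure", 0.995, replicas=2)],
    }
    for label, layers in stacks.items():
        r = check_promise(0.999, layers)
        print(f"{label}: supported {r['supported']:.4%}, "
              f"coherent={r['coherent']}, "
              f"uncovered {r['uncovered_hours_per_year']:.1f} h/year")
```

The result is an upper bound: faults in the SaaS application itself, or failures that hit both sites at once, lower the real figure further.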
Auditing 
The requirement to audit an external IT provider will increasingly lead to 
problems in the field of Cloud computing. Some data protection provisions, 
in particular, stipulate on‐site checks of the provider. However, the question 
is: where exactly is "on‐site"? At the office of the company with which you 
signed a contract? At the datacentre service provider's facility? Or at the 
headquarters of the company providing the software?  
Even if you decide on the location where the data will be stored, you must 
still ask yourself what kind of information you can glean from a personal 
visit to a datacentre. Without intensive scrutiny by personnel trained in 
data protection, data security, operations, and possibly software 
development, any impression will be subjective at best. That is, you will 
know whether you were left with a good impression, but this will offer no 
basis for a qualitative estimate about the technical or organisational 
measures that are implemented.