Yesterday I posted feedback on Marsh & McLennan´s and FireEye's study that found that "companies in the European Union take three times longer than the global average to detect a cyber intrusion" and stated that this issue should also be taken into account in the financial sector outsourcing, e.g., due to diminishing control arising out of cloud infrastructure.
Today I read about cloud strategies and vendor lock-in which actually gives an interesting angle to the above topic, and therefore I decided to write about this. The issue is topical also because Gartner forecasts that worldwide public cloud revenue will grow 21.4 percent in 2018 (see here). So to the main question: is it possible to retain more control and avoid vendor lock-in with cloud solutions? Here it should be noted that term "control" is multi-faceted and in the financial sector this term also relates to the control exercised by financial supervisory authorities (FSAs) over their regulatory subjects. Here we do not address control from that perspective, but think generally about customer-purchased cloud services.
There are at least five main issues one should consider:
- Due diligence, like in any case involving business-critical vendors: create a process for the selection of the cloud service provider and most importantly determine your goals;
- Consider a multi-cloud strategy to avoid a single vendor scenario (read more from here);
- Require an exit plan and check out potential costs;
- Pay attention to data portability and ensure that you have an easy way of extracting the data;
- Consider container technology or configuration tools (read more here)
From the contractual perspective we see more and more clauses of the type "no vendor lock-in" that naturally also serve their purpose. These are slowly becoming a standard in diligently drafted ICT acquisition templates (although surprisingly many Finnish companies have not yet implemented this as a standard models). It might be an issue for a prudent drafter to consider updating. However, as we all know, most popular cloud agreements are still heavily beneficial for the cloud service providers and the reality for having this kind of additional clause in your company agreement may turn out to be impossible task. One could address this issue when dealing with managed service vendors or similar cloud brokers implementing your solution.
Splendid continuation for you cloudy day in Finland! Personally I head to Rome to enjoy IBA's 2018 conference and hopefully seeing many of you there as well!