Implementing Outsourced Cloud Monitoring

This blog was originally published by Weaver here.

Written by David Friedenberg, Senior Manager, IT Advisory Services, Weaver.

If your organization has decided to hire an outsourced cloud monitoring service, it is important to consider how you will ensure that the services are delivered in the right way. The key to long-term success is establishing an oversight system early on and maintaining it for the duration of the relationship.

To ensure transparency, here are some areas to consider during the initial negotiation and contracting stage:

• What service level agreements (SLAs) are in place? Are they spelled out in binding documents (e.g. contract, statement of work, etc.)? What information will be made available to your organization to determine if SLAs are being met?
• What is each organization's role or responsibility for facilitating and maintaining oversight? Has this been clearly documented in formal agreements to ensure it is enforceable? Who within your organization will be specifically responsible for maintaining oversight, even if individual tasks are delegated?
• What avenues are in place to discuss any possible SLA concerns you may have with the monitoring provider?
• Will the monitoring service commit to periodic meetings to discuss trend analyses detected in your environment?
• Does the contract specify which third party compliance reports (e.g. International Organization for Standardization (ISO), Payment Card Industry (PCI) or Service Organization Control (SOC), etc.) the provider will provide and how frequently? Will this be sufficient to meet your organization's contractual and regulatory compliance obligations?
• Who will own the data sent to the monitoring service?

Once legal and procurement documents are squared away, it's time to architect the system interactions and plan for the implementation. This is a complex process and it is important to involve the appropriate personnel. At a minimum, consider including system owners, IT architects, IT security, internal audit, project management , and legal representatives on the implementation team.

Once you have your team assembled, consider the following:

• What information will be logged and transmitted to the monitoring service? Will transmission require installation of additional tools or opening paths through existing network defenses? What transmitting encryption will be used?
• What access to the environment must be granted to the service provider? How can this be implemented through the principle of least privilege, while maintaining your organization's obligations? How and when will your organization monitor and periodically reevaluate that access?
• Will your data be stored after it is received by the monitoring service? How is data eventually disposed of and at what interval? Will it be validated internally or addressed through third party compliance testing?
• What events will be monitored and thresholds set to trigger communications back to your organization? These items will need to be fine-tuned over time, but it's important to ensure you receive sufficient information to know when key events occur. It is better to err slightly on the side of too much information than miss something important. A service provider 's experience with similar customer environments can offer insight, but it should be considered in tandem with your organization's unique needs.

The next step is implementation . To ensure that your organization continues to get what it needs over time from the monitoring service, make sure you have taken the steps described above before implementation begins.

Think through these items to help ensure oversight is maintained at an acceptable level throughout the engagement:

• Who has overall responsibility for oversight of the monitoring service? This should ideally be someone on the management team who will be accountable and will oversee obtaining, reviewing , and actioning SLA-related information and third party compliance reports. The tasks may be delegated, but accountability should remain with one central person within the organization.
• Your IT networking, server, and security teams are likely to handle day-to-day interactions with the monitoring provider. Introductions between these personnel and the monitoring provider, and open communication channels, will help ensure a sufficient, timely exchange of information.
• Stay apprised of changes to cloud technology. The cloud services environment continues to grow at a rapid pace, with new products and services being offered frequently. Before adopting new technology, make sure your internal teams and monitoring provider are able to manage and maintain these products and services in an acceptable manner.