The first step in any migration to the cloud is assessing risk, your organization's tolerance for the risks, and having a realistic idea of what you can tolerate before you entrust production systems to the cloud.
The second step in the cloud migration is extending your governance to accommodate the differences between using your own systems and using a cloud service providers (click here to read about the first step).
In some important respects, using external resources—IaaS—can be a step up in the management of service delivery. A lot of instances of public cloud use begin with a business line sidestepping internal IT to get something done. Whether it is more efficient, less expensive, or meets risk management requirements are often not the primary consideration here; responsiveness is usually the key driver. Doing so, though, forces the business line to actually pay for resources used directly – exactly the kind of granular accounting most IT shops still don’t—and can’t—do.
But, meeting risk management and other requirements is actually crucial to the enterprise, long term. So, while IT heads in a private cloud direction to get agility to match business requirements (and along the way gets real usage-based accounting in place finally), it also has to help the business lines use public cloud resources safely. This means extending its governance sight lines into the cloud service provider space, and establishing responsibility in the organization for helping business lines use providers that can meet security requirements—and do so with enough transparency that IT can check up on them as needed.
Getting visibility into cloud security means not just providers documenting SSAE16 compliance (a higher bar than the old SAS 70 standard), or their use of or adherence to security policy standards such as ISO27001 or PCI-DSS or the like. It may also mean providing limited visibility into logging data from their systems, for example, so your IT staff can see what their IT staff do to the systems hosting your virtual servers or data. Standards for that data exchange will be an important consideration.
Also, IT has to accommodate the reality that the systems in question are not theirs, so the data they require from providers must be only what they need. They can’t just by default ask for all the stuff they are used to being able to see on their own systems. In a multi-tenant environment, lots of things will be happening respecting other tenants’ systems that you should not be able to see; and you should be able to verify that other tenants will not being seeing that level of detail about your systems.
Responsibility means, making sure someone in IT (and preferably people outside it too) are tasked with specifying what levels of security and visibility a provider must offer in order to make them a good candidate for use.
Bottom line: IT needs to not be the choke point for using public cloud, but can and should play a role in enabling the business lines to make the best choices among the myriad options available.