The appetite for risk varies from business to business and from industry to industry, but there is perhaps one golden rule
when considering a cloud service: it is your responsibility to ensure that the service provider can look after your data
and systems at least as well as you can.
Regardless of the potential benefits and cost savings that may be had with a particular service, you must first attempt to calculate the risk associated with that service before deciding whether to use it for a particular project. Firstly, how forthcoming is the provider regarding their systems and operations? Do they satisfactorily address the risks identified in this chapter, and are they inspected regularly and thoroughly by independent specialists? Secondly, how critical is your project to your business, and how sensitive is any data that may be stored or processed in the cloud? These two questions can be represented, respectively, as provider transparency and business importance in a simple risk calculator drawn as a quadrant chart – see Figure 3.1.
If your project has low business importance, you may decide to spend little time performing due diligence checks, leaving you with unknown risk, which may eventually become a problem if your project is a success and its importance increases. If you do perform adequate checks of provider transparency, your ‘unimportant’ cloud use has low risk, which is the safest position to be in. If, however, your project has high business importance, you will have high risk if you are not assured of provider transparency, but managed risk if you do your due diligence.