by: Greg Stone, Chief Technology Officer, Microsoft Australia
Fear can be a useful servant but makes for a terrible master, and it’s fair to say that the confused recent history of cloud computing has provided a textbook case of how not to approach the unfamiliar based on fear.
About two years ago I was coming out of yet another customer meeting where a cloud solution had been eagerly reviewed but failed to advance because it was “perceived” to be too risky. When pushed, the CIO’s team cited the Patriot Act, possible privacy issues and security, but couldn’t actually point to anything specific. It was a leap into the unknown they just were not prepared to make.
I decided then and there to do something about it. And with the help of our own Microsoft global risk and compliance teams, together with input from external consultants – and some guidance from Australia’s APRA about what they expected from principles and risk-based decision making – we developed a first edition of a Cloud Risk Assessment Framework.
For the first time this allowed our account teams to work with customers using a formal, but non-technical, process based on ISO 31000 to build up a business case for one or more cloud-based solutions and compare them based on cost, value and risk. It worked well for us and we have seen major breakthroughs with Office 365 sales into government and health sectors that we felt were impossible two years ago.
We learned a lot over those two years of use. And customers have grown in sophistication along with the cloud offerings they can choose from. So much, in fact, that I felt we needed to completely rewrite the initial edition – which I can now announce is freely available to the public under a Creative Commons BY-NC license.
What is new?
We have separated out compliance requirements (the things you have to comply with and can’t avoid) from the actual risk analysis. We have made the steps simpler and provide a high-level risk dashboard so that the analysis can be discussed with business stakeholders outside of the IT department. This is increasingly important and a highly valued component of the Field Guide.
So how can Microsoft’s partners benefit from this?
First of all, this is a pre-sales tool and not another standard consulting engagement. It allows our partners to open up discussions with customers about how cloud solutions can work for them. It builds trust and informs solution architecture. It allows our partners to work iteratively alongside customers to develop solutions that address any identified risks – and this often leads to “hybrid” deployments where the Microsoft platform shines.
What does the new edition of the Cloud Risk Assessment Field Guide look like?
Well, it’s fairly flash compared to the previous edition. We focused heavily on making sure it was very clear, written in simple language and step-by-step. It is literally a paint-by-numbers approach.
There are 3 parts to it – 1/ a step-by-step Guidebook, 2/ a separate worked example and 3/ a useful Excel-based set of templates for actually doing a risk assessment. See the diagram below:
Lastly, we at Microsoft REALLY want our partners to use this tool so we have scheduled a Webinar on Wednesday October 22nd, 1pm – 2pm AEDT that will dig deeper into just how the Cloud Risk Assessment Field Guide works. So sign up for it here: