Top 3 Considerations for Moving ITSM to the Cloud

 

Unless you’ve been living under a rock for the past several years, you’ll already know traditional IT services have been flocking to the cloud for some time.

And if you’ve been following the hype, you’ll also know there are some significant benefits associated with cloud computing, such as flexibility, reduced capital expenditure, and the ability to access important systems from anywhere.

It might seem a natural choice, then, to move your ITSM operations into the cloud. After all, there seem to be so many advantages, and very few negatives to balance the scales.

But before you do, there are three important factors that you need to consider in order to avoid legal or operational difficulties down the line.

1) Is it Legal?

The first (and most important) thing to consider when moving ITSM to the cloud is the nature of the information involved. For your ITSM solution to function, it will need access to considerable amounts of data relating to your customers, contracts, suppliers, assets and CIs, processes, and more. And aside from your processes, all of that data is stored within other toolsets.

In order for your ITSM function to be fully migrated to the cloud, then, all of the additional toolset data will also need to be moved. That’s a huge amount of sensitive data, and the first thing you’ll need to identify is whether you’ll actually be allowed to move it to an external server. Apart from anything else, your HR department may not want personnel records to be moved, and it’s easy to understand their perspective.

The more pressing factor, however, is legality. Many industries are subject to strict security compliance frameworks, which may dictate how and where sensitive information can be stored, particularly if it relates to customers or contains personally identifiable data (PID). Serious time and thought will need to be put into ascertaining whether moving ITSM to the cloud is actually feasible in light of your origination’s specific legal obligations.

But it doesn’t stop there.

The upcoming EU General Data Protection Regulation (GDPR) will take a much tougher stance on information security than existing legislation, and should be closely considered prior to making any decision that could impact information security.

Now, you might be thinking, “Brexit means the GDPR won’t affect my organisation.

Wrong. First, the GDPR affects any organisation that holds, or has the potential to hold, information on any citizen of the EU. And even if your organisation is one of the few that can honestly say they have no such data, there’s a second problem. Article 50 was triggered on the 29th March 2017, meaning that the UK will (most likely) formally leave the EU in early 2019. Meanwhile, the GDPR will be enforceable as of 2018, meaning that for at least a full year all organisations and citizens of the UK will also be considered part of the EU.

Now, the GDPR contains all sorts of rules and regulations for how and where data can be stored, and you’ll need to check how it impacts your organisation specifically. With that said, there is one aspect of the GDPR in particular that you’ll need to consider: EU companies will not be permitted to store personal information elating to EU citizens outside the EU.

Simply put, if you do decide to go ahead and move your ITSM to the cloud, you’ll need to ensure the servers involved are physically located within the EU.

2) Data Security

Once the legal obligations are out of the way, you might think you’re home and dry. Unfortunately, that just isn’t the case.

There’s a saying in the cyber security world: Compliance does not equal security.

Ultimately, the fact that you’re compliant with the GDPR and industry specific frameworks does not mean your data is necessarily secure. So once you have identified that you’re allowed to move your ITSM to the cloud, you’ll also need to determine whether it is genuinely safe to do so.

Here’s a case in point. Many prominent cloud-based ITSM providers offer encryption at the point where data is transferred between a client and the database. Unfortunately, many do not offer encryption when the same data is at rest on the server, and even when this option is available it’s often a chargeable extra.

Now imagine your cloud ITSM provider is compromised in some way, and data is stolen. Think about what you’ve potentially lost: Not just personally identifiable information, which you may well be liable for, but also your firewall details, software versions, asset IP addresses, and much, much more.

Now imagine you’re a prospective hacker. How attractive might an ITSM provider be as a target, considering the data they keep includes all the information you’d need to hack dozens of other high value targets?

Of course, this is the nature of cloud hosting. As soon as you outsource responsibility for data storage, you’re also outsourcing responsibility for securing that data.

All of this isn’t to say that moving ITSM to the cloud is necessarily a bad thing. Just make sure to select an ITSM vendor who you genuinely believe is capable of securely holding extremely sensitive data on your behalf, and check what is (and isn’t) included in the service they provide.

3) Don’t Forget about Performance

For obvious reasons, the decision to move ITSM to the cloud is usually made by personnel at head office.

And it seems such a wonderful idea. After all, Internet speeds are so good now, and having ITSM in the cloud means it can be accessed everywhere it’s needed.

But what people who work at head office tend to forget is that smaller satellite offices often don’t have strong Internet connections. In fact, in the worst cases, remote offices might have connections that barely outperform dial-up speeds of the 1990s.

Naturally, under these circumstances, cloud-based ITSM isn’t going to function nearly as well as you might have hoped.

So before you go ahead and make the move, just check the quality of Internet connections at each of your offices. Again, this isn’t necessarily going to scupper your project, but it would make sense to upgrade old lines before you start the actual migration.

Usability Isn’t the Only Factor

The trouble with ITSM is that most of the time its users only consider usability.

And that makes sense. After all, it’s such a complex area, and for many organisations it has proven a perpetual source of frustration for many years.

But while the cloud appears, on the face of it, to be the solution to all your woes, don’t let that distract you from other, equally important considerations. Security and compliance are serious considerations for any organisation, and the nature of ITSM data is such that a lot of thought and planning will need to go into any potential migration.

But if ITSM routinely has you pulling your hair out, and you just can’t seem to find the right solution, we’d love to help.

For the past 6 months, we’ve been running a free workshop each month to help organisations work through their most frustrating ITSM problems. To date these have been focused ondesigning and implementing a CMDB and service catalogue. We’ve helped dozens of organisations already, and we’d love for you to join that number.

Due to the poplarity of these workshops we’re now adding a Security workshop that will cover security implications for ITSM in the Cloud and GDPR subjects as well as subjects such ISO27001.

What we don’t want is for this to be just another workshop that doesn’t bring you any closer to your ITSM goals.

For that reason, if you’d like to attend you must bring at least three interesting security and cloud challenges that you’ve faced… and our fearless consultants will help you solve them on the spot.

Our next CMDB and Service Catalogue workshop is:
LONDON – 21st June, 2017

Our Security and the Cloud workshop is:

LONDON – 5th July, 2017

WARNING: These workshops are filling up fast, and we allow a maximum of eight attendees per session. If you’d like some help with your ITSM challenges, or any other service design problem, register now to avoid disappointment.