IT organizations migrating to cloud computing often have limited control over third-party incidents that can restrict recovery or continuity options, particularly for SaaS services, according to a new report on cloud-risk mitigation from Toronto-based Info-Tech.

“While some vendors offer resilience options for common SaaS solutions, this is not always the case for all cloud services. A key part of addressing this problem involves defining business process workarounds that require cooperation from business leaders,” according to the report.

The organizations must still actively develop disaster-recovery and business-continuity plans, while assessing the reliability and resilience of cloud vendors and their services, security measures, data protection capabilities, and contingency plans for technology and business operations, the report states.

"The key to developing an effective cloud strategy is to recognize what can be controlled and what actions can be taken to evaluate and mitigate risk," said Frank Trovato, advisory director at the research firm. "At a minimum, IT leaders can ensure senior leadership is aware of the risk and define a plan for responding to an incident, even if it is limited to monitoring and communicating status."

The report recommends the following three actions in meeting the challenge:

* Assess the cloud risk. Review the cloud services to determine the potential impact of downtime/data loss, vendor SLA gaps, and the vendor's current resilience.

* Identify options to mitigate risk. Explore the cloud vendor's resilience offerings, third-party solutions, DIY recovery options, and business workarounds.

* Create an incident response plan. Document the cloud risk mitigation strategy and incident response plan, including a failover strategy, data protection, and business continuity.