KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
KuppingerCole Webinar recording
KuppingerCole Webinar recording
Good afternoon, ladies and gentlemen, welcome to our Ko cold webinar, the strategic approach to cloud computing from tactics and cows to efficiency. My name is Martin Kuppinger I'm founder and principal Analyst at Ko a Cole. Before we start with this webinar, which will have only me as a speaker today, I wanna just give a quick overview about co and co and some of our services before we then direct to dive into the topic.
Ko and co is Analyst company providing enterprise it research advisory, decision support, and networking for it professionals through our research services, our advisory services and our events. Our main event is the European identity cloud conference, which will be held next time, May 14th to 17th in Munich, all information so available online. It's the conference around. So leadership and best practice digital ID cloud, and G. So don't miss this conference. It's definitely worse to attend. We have also related to this topic. I will talk about today.
We have a series of reports out there, which are related to our topic of today, including our scenario, understanding it service and security management, which sort of outlines the big picture, our scenario, understanding cloud computing, the future of it, organizations, understanding cloud security and advisory note cloud provider assurance.
In addition, that will be soon available scenario or advisory note cloud service provider selection, which then covers exactly the topic I will talk about, but in more depth than I will do and can do within the 45 to 50 minutes, which are remaining for today. This webinar also qualifies for CPE points. So the continuing professional education credits at the learning objectives.
After attending this webinar, you will be able to understand the need for a structured process for selected cloud services, understand that the cloud is trusted deployment model and that selects about make or buy decision, understand the basic concept for efficient selection processes and drive your organizations towards implementing a structural approach on cloud service provider selection. So then quality first for one group internet based CPE. In that case, if you want to earn that CPE point, you will need to take and pass a test. I will also do two polls during the webinar.
If I don't forget to do them. And there will be then after webinar email, which is sent to you once your attends has been confirmed, which has a link to the test so that you can take the test. Once you pass the task, you will, you're left qualified for one group internet based CPE. So guidelines for the webinar you're muted centrally. So you don't have to mute around mute yourself. You're controlling these features. We will record the webinar. The podcast will be available tomorrow. And also the slide text.
The slide tech I use today will be available tomorrow and keep questions and answers will be at the end of the webinar. So you can ask questions at any time using the questions to the right side of your screen, and you go to webinar control panel. Usually I pick them at the end, in some cases I might pick them during the webinar.
Okay, let's start, let's start with one of the slides for the ones who have attended more copy a cold webinars in the recent past. It's probably pretty familiar. So when looking at the bigger pictures, so there are several large trends which are affecting organizations, which are my colleague Berg recently called it the computing Troy car. Another person I've spoke with said, maybe we could also call it the computing, Trinity, what is this? It's about mobile computing. It's about social computing and it's about cloud computing.
And the topic today mainly is around cloud computing because cloud computing is one of these big three trends, which are fundamentally changing the way we are doing it, leading to consumerization and deep parameterization of it. And as I said, cloud computing is one of these challenges. And that's the one I want to talk about today. And from our perspective, we are right now at a point where we really have to change the way we do it.
And this also something I hear a lot from our advisory customers, for example, they're really faced by, by challenges, by the challenge of changing the way they're doing it fundamentally in many areas because they have to onboard partners, they have to onboard Excel. They have to do a lot of things different than they have done before. The reason for this is that there are, from my perspective, three fundamental changes. One is the number of outward facing processes. We are seeing an organization is growing financially.
The number of users we have to deal with is growing is financially, there are more external partners. There are more customers which can access our systems and all these things. And there's a increasing number of external it services used, which is around them, consumerization, deeper ization. And especially if you look at the external it services used, it's about cloud computing and all of these things are growing exponentially. You might say, okay, nothing of this is really new out facing process. Are there for quite a while users great.
A number of users is there for quite a while, external it services. But today I think that's the fundamental shift today. We are in a situation where this, this growth is really exponential and where we are moving from a relatively, let's say small increase in numbers towards a very steep increase. And that's why we really have to change the way we do it. And traditional silo words facing two centric. It will not scale economically. So we have to do it different.
And that includes finding our way to cloud computing and doing it in a way where we really can handle it and where we can scale, where we can manage the cloud and the cloud services we use in an economic And efficient way. So what is cloud computing? The cloud extends spectrum of it, service delivery models beyond managed and hosted services to a standardized firm. So it's more commonization it's me standardization. That's what cloud computing is about. Not really new. And there are a lot of models we have in the cloud.
So in fact, the cloud is not something which is sort of a, a big fundamental step. It's more sort of something within, in a continuum we had outsourcing for, for a long, long time, right now we have on premise it. And then we have sort of everything in between. If you look at the different types of clouds, which are discussed private clouds, public clouds, then they are somewhere in this continuum. And in tend, not always inhouse might be more functional, not necessarily, but at least in many cases, it is more flexible.
Wasn't necessarily on the other hand, speed of deployment, elasticity of supply. Those are things which are more pro arguments for arguments for the cloud. And then the cost factor seems to, to favor clouds, deployment model. That's something which I will talk about today, which kind always is true. So when we talk about this cloud service provider selection then becomes very clear that not necessarily the lowest cost is the only factor we should look at. And within this, we have a lot of groups of services. So we have our in-house services. We have the commercial services we are using.
We have software service and all these things in a broad range. So that's what we are talking about. And from my perspective, this picture pretty clearly shows that it's not about black and white, but it's sort of about, are we more to the left or more to the right side? And we will have most of these deployment models for the foreseeable time. So we will remain in hybrid infrastructure. So everything we do from my perspective has to be done with focus on there will be different types of service providers, not only cloud, not only in house, on premise.
And we have to be able to manage all this in a consistent way. And we have to select the best way to deliver a service, which then is not only about delivering a cloud service, but about delivering the best or finding the best way to provide service result in inhouse or from the cloud, which risk in the cloud concern you reasons are. We did assess that cloud security issues and cloud privacy and compliance issues are the major inhibitors, preventing organizations from moving to private cloud. And we have a set of these cloud risks over here.
So if you look at a cloud risk there, policy and organization risks, which are discussed, there are technical risks, they are legal risks. So these risks are from a study from the ESA, the repeat data security or information security agency. We have compliance, lots of governance, reputation login. We have a lot of technical risks in outside app use management interface, compromise, and others. We have legal risks around all these things we have to take into account. And some of them are in fact, nonfunctional aspects, nonfunctional requirements. We always have to keep in mind.
So when moving forward to, from, from this, let's say basic retraction around what does the cloud and what does it mean to us towards how do we deal with this? Then I wanna start just a, just a simple point of what does, what does business really want from my fee? So what is the expectation of business? And one thing is clear. I think they don't want technology. What they really want are from my perspective, two things. They want the services, they need to do their job, and they want to keep their corporate information protected equit.
The second part became more prominent over the course of the last year is because information security right now is not only a concern of some, some nerds in the it security department or something like that. It's, it's really a concern of the CEO and all of all the others, it's also public concern. So these things definitely have changed over time. And what does it mean? It means we have to think about how we do it best.
What do propose directly is to the service delivery or the cloud service provider selection process way to the question, how can we select the most appropriate service delivery model? That's what we put together in our future. It paradigm equipping a call. So the guideline for the future of it model consists of several layers.
In fact, in the middle area, there's three main layers. One is business service delivery. That's about what do we provide to the business business has specific needs. And here we talk about what to provide to the business. We have this layer in the middle, or let's start lower layer, the lower layers around it, service, production, and procurement. And here we have two elements. One is on premise. One is cloud. We could argue, okay, there are different types of clouds, but let's say with these two things, we can't do it ourselves. Or we can procure the service.
And from the management perspective, at the end of the day, it's about delivering a or having a consistent view on all these services. So when we look at what the business needs, we have to understand, okay, how can we provide this business service by purchasing, by producing one specific service or by combining, by orchestrating a series of services. And then it's becomes very clear that many of these business services consist of more than one technical service.
And we this a standard layer, the service and information management layer we have in the middle, which allows us to manage all the services in a consistent way to manage all the information in a consistent way. That's where these things really nailed down this, the middle layer. This is the real important layer where we have to improve the capability and the ability of our organizations to manage services regardless of the deployment model.
That also means in consequence that it's not about saying we do everything from the cloud, it's about saying if business needs to service, what is our best way to deliver that business service and which services do we have to produce or procure, and what is the best way to do it. And that means, in fact, the decision about a cloud service is not a strategic decision. It's a fact, the tactical decision it's about deciding about the best deployment model. We also then in this model, have it governance and it security and management in place. I will skip this right now.
The, the fundamental point around this picture is it's not about saying we do cloud for the sake of the cloud. The cloud is a deployment model, and we have to manage the cloud in a consistent way, in the same way we do on premise services. So we have to have selection process for, for example, when we say, okay, we need a new service for, to, to, to provide new business services. We need new service. Then it just means we are able to pick the best deployment model there. And that's what I will focus on in the, the next few, by the way, that also means we have to change our it organization.
We have to move from siloed it organizations towards a far better structure of it organization, which aligns with this basic model I've described before. When we done look at cloud governance, which is a topic that has been widely discussed over the last few months, when we look at cloud governance, the point is that it mainly focuses on existing services. So for sure, in a good governance approach, we would start with identifying this requirements specific, identifying the services, assess the risk probability. And so on clarify the responsible and the sure delivery of cloud service.
However, if you look at what has, what has been done is all the cloud governance approaches. There are a lot of standards out there, Then it looks pretty different from that. If you look at this, then we have my colleague, Mike Small recently counted it. We have 35 cloud standard initiatives out there. We have a lot of major frameworks and assessment approaches and so on, but, and that leads to confusion, first of all.
But the, the even more important point, the even worse aspect around this is none of these approaches really focuses on cloud service provider selection. So literally all of them focus on, we have a cloud service provider and does he deliver what we expect him to deliver, but let's start off the, the second part of the question. It's not the first thing. First of all, we need to understand when to select the cloud service. And when is the cloud service provided the better provided in on premise and which one to select, and then we can start this governance.
So we need something in addition to these approaches, which is really about cloud service provider selection. And when we do it right, then we might also end up with some, some hidden TCO, which are frequently ignored when comes to selecting pro cloud service providers. So integration costs, for example, is one of these areas where we frequently observe that these costs are ignored at the beginning.
And then from one or two years later, the business department, which directional procured the service, not the best way to do it, but if they have done it, then they come to the it department say, Hey, we need an integration for that cloud service to our existing on-prem applications, migration costs are changing the cloud service provider that could, can be a, a pretty difficult task security management costs.
So how do we manage security for the cloud service that can be far more complex and, and on-prem environments where we are relatively good with our identity and access manage management and our aspects of security management. What about the governance costs? So what about this? So we have some things to consider, and if you have a good selection process from the very beginning, we should be able to avoid most of that costs we should be, or we at least should know that this cost exists and take it into account for making a decision. So for cloud service provider selection, what do we need?
So what are the RFD attributes of such a process? From my perspective, these are fast, simple, reliable, standardized risk aware and comprehensive fast, because we need to be able to quickly make a decision about what is the best service provider. It's not like in the days of outsourcing where we set together with the outsourcing provider for 18 months and discuss all the SLAs it's about making decisions in weeks, days, or even minutes, especially with the, the more granular the services become. The fast we have to be. The second part is simplicity. If you want to be fast, it has to be simple.
On the other hand, it still has to be reliable. So we have to build a, an approach in a way that it works reliable, consistent, and ensures that we don't make, let's say super mistakes and selecting cloud service providers. It needs to be standardized to be fast and simple. It needs to be a risk awareness. So we need to focus on the major risks in this process and comprehensive. I think that's a little bit redundant, reliability.
In fact, it needs to be comprehensive enough to cover the major aspects, which especially also means covering functional and nonfunctional aspect. And when looking at this functional and nonfunctional aspects, one, one of the things we have to, to keep in mind is that functional requirements are always scope, regardless of who selects cloud service. They are always looking at the functional requirements, but when we look at the nonfunctional requirements, then we observe that they are frequently, at least actually ignored.
So I've talked about the integration costs, the capability to integrate with existing on premise services with potentially future cloud services is a key requirement. You could say, it's, it's average rated more in the nonfunctional area because it's not a key function of the service. And it's one of the things which are, which is frequently ignored. And so we have to meet those areas. That's a very important aspect. We have developed over the last year, more or less a model, which consists of five basic steps for selecting cloud service provider, or also make the decision cloud or not.
So in fact, selecting your service provider, one is that we need to understand the information protection requirements. So given that we have a, a service request, then it's about understanding which information is affected and what are the protection requirements of the service. We have to map these protection requirements through service features. We have to have a questionnaire which then should be pretty much standardized, but we always need to have some, some slide adoption within this questionnaire. We have to make a decision and then we can define and apply the controls.
So then we can start with the governance part, which is sort of better analyzed than the selection part. So evaluation means a standardized lean or granula enough approach for analyzes of information protection requirements. And I think it's very important to understand this is not about a system view is a view on information on process governance. That'll talk about with my next slide or in my next slide, or we're talking about my next slide. Then we have to map the protector requirements to service features.
Like I've said, we need a standardized questionnaire based on a complete set of questions for selection, decision metrics. And then we need to understand what we, where we have to put our emphasis when we do governance. And we go much more into detail on this later on, I've talked about this, this different approaches on, on governance. And I think a very important aspect is that when we look at governance, we have different areas of governance. We can look at the service or system governance.
In many cases, organizations today are, are really focused on, on something, which I would call system governance today. If they look at how sensitive is this system, so what is the risk for this system? And that is usually not the best way to do it, especially not in a way where we thinking services, where we think in cloud services, where we need models, where we can orchestrate services.
Then we have to really look at services and at least to have a service governance where we understand the risk of this service, or even the risk of this method, this property of the service is debt, or that we also have to understand that there's another level or layer, which is information governance. And this is sort of, this is in, it's pretty much different from, from, from service governance, because information might be used by a lot of services, same type of information, or the same piece of information might be used by a lot of services.
So this is more orthogonally to the service governance. And if you have a little bit more advanced approach in governance, and we at least understand how services and information are related, that would be something where, which we would call a basic cloud governance level. If we first and more understand that all this is to related to business process or take process governance into account, we are even a step further.
But the, the main point I want to make here is that we, that for, for a cloud service provider selection, we have to at least make the step away from a pure system or service, especially pure system oriented approach on identifying our information protection requirements. And unfortunately, most of the standards which are, are looking at how can I identify the, the protection requirements like the trauma so-called Schutze and they are very, are high and very, very old in, in the sense of really looking at at systems and not at a, the relationship at least of services and information.
So going, going further I've said before that there's a difference between cloud service provider selection, 100 cloud service provider go governance. So when we look at the requirement of speed, then on one hand, it's about short periods, very short periods of time for selection. Whereas governance is not time critical simplicity, focus on major functional and nonfunctional criteria versus it. Death analyzes of some things of probes in the other area, reliability. I think it's not about looking at all those specs, but finding a balance between speed and risk mitigation in governance.
We might more use probes where we really go into detail for some specific things standardization. We need a standard tool set on one hand, a comprehensive governance approach probably derived from one of the biggest standards on the other side, risk awareness, key requirements imposing the biggest risks for selection, complete risk analyzes the mitigation for the governance comprehensiveness.
It's really about decision about service, deliver remodels and optimal service providers comprehensiveness in the sense of governance, it's about comprehensive analyzes for a specific service, but only groups across all services, typical approach we got because we can't do it in, in all the detail for all of the services. Okay. So when selecting right now, our cloud service providers, then there, from my perspective, two phases, one is readiness, and one is provider selection. So the first phase it's about understanding it's the requested services service we want to provide to the business.
This is a service which we can provide from the cloud. So then our services where we for, for legal requirements are not able to provide them as a cloud service. We need first to understand, can we start selecting a cloud service provider is trust impossible to do it. The second step is then to still to select the best provider we have. And that's the, the second part of what we are doing here, which is then really about understanding, should we make the service or buy it, and also looking at the, doing nothing alternative.
And when we look at cloud service providers than understanding which one is the one who best fits our requirements. So the basic process looks a little bit like this it's process, which consists of a service request. We then check the cloud readiness. We look at the service provider selection, and we look at the governance. I just wanna quickly interrupt for, for a quick poll, which is around, do you have such a process in place? So do you have a standard process for cloud service provider selection in place?
As I've said, from our perspective, it's counterpart to governance, which then is the next step. And we, first of all, really have to understand, can we go to the cloud? And if yes, then we can do the next step, which means, which is the best service, right? And even in the second step, that's very important to keep in mind, even in the second step, it could happen that we say, okay, we could do it as a cloud service, but on premise, it's the better deployment model when then go to more into detail for the first stage of this. So it looks a little bit more complex right now.
Then we have this service request. We need to understand what are our information protection requirements based on something I I've used the term cloud SBA for Schutze. And so the cloud protection analyzes analyzes protection requirements. We need based on this to understand what our major service features.
So based on the protection requirements, we can look at what are our major service features here, and then we should have a standard mapping available, which says, okay, depending on our requirements, we have a specific level of features, a specific set of features, which needs to be available. That's something we can prepare very well. So that's sort of a standard metrics we can provide. And a result we end up with the specific requirements for service features.
So based on the protection environments, based on our sort of standard approach on mapping this to technical features, etc, where we can end up a specific require specific requirements for service features, and then we can do the rating of the service. So we know the features, we have our specific requirements. We have also some standard minimal requirements for cloud readiness. So what are things which always have to be in place, and then we can rate a service and have a review by the legal department, ideally, and then we can decide on cloud ready or not.
If not, then that depends a little. I talk about this a little bit later. You can optimize this process. You can extend this process and say, okay, depending on what happens, it might be only on premise. It might be only private cloud. It might be that type of private cloud, whatever. So you can become more granular in your results here. I kept it relatively simple in the area. We need a decision protocol and then we can move to the provider selection. A result of our, of this first step might be that we say, okay, under a specific circumstances, we can do it in the cloud.
So we have specific requirements and restrictions. For example, a typical one would be only, it has to run in an EMEA. So a European data center or aneu data center, that would be one of these things, which could be a, a result of it. Or we have specific requirements for encryption and other things where we say, okay, only if these are met, then we can pick up a cloud provider. So result of this first phase, first of all, is cloud or not, or maybe which type of cloud is allowed and adding or add information is under which circumstance.
Or you could also say which compensatory controls do you have if it's a potential cloud service, okay, let's move forward. Major steps. In this first phase around identifying the requirements are take result of analysis of the protection requirements. So looking at things like confidential risk map, these to service features, so redefined approach in this area and then identify potential mitigating controls, which have to applied the resulting feature list then contains features for the first selection approaches process, which are strongly recommended, but optional or which are mandatory.
Or we tried expansible if compensator controls can be applied. So you can end up with sort of a qualified list of features, which are your, your main criteria besides standard functional features. So your main nonfunctional features for the next stage of this process. And as I've said, the result could be that we end up with cloud ready without additional requirements. So we can run it in all types of clouds or we have specific requirements, which that means maybe ready only for some specific types of clouds or based on compensatory controls, or we just say, not cloud ready at all.
So we have to do it on promise. That might be also result. In most cases, we probably will end up with something of, yes, we can do it in the cloud. Given that specific requirements are met, that's the most likely and most common result of this. Then we have the second phase where we then go ahead and say, okay, let's start with the provider selection or let's start a provider selection. First of all, I think we, we have to understand the replacement of an existing solution.
If yes, then we, in most cases we'll have to build a much more detailed business case for this. If not, we could say, okay, let's for sure we need some business case as well, but let's start with the assessment of these things. And then in this assessment specific requirements and restrictions on the selection metrics. So the things we've defined in the first stage go into this assessment metrics of these things like specific requirements, electro metrics, and enter here, we have an assessment metrics and then we can assess different types of services. As I've said before.
It's that includes the, the approach of doing nothing. It includes on-premise and it includes the potential cloud service providers, where we might go from a long list to a short list and then prepare our decision. We might have a review by procurement department by legal department. Then we decide for a service. Maybe if we decide for, or we say, no, we don't find any service.
If yes, then we have to document the Analyst requirements and actually we can easily do procurement or end or implementation or mix of those. And then we can start with the governance process. These pictures look a little bit complex, maybe at first glance, but if you go a little bit more into detail and it becomes very clear that you can do most steps in a very well standardized way based on standard approaches, standard metrics is become very fast on doing this. And on the other hand, very well structured.
And most importantly, you're doing it in a way which ensures that you have looked at all alternatives. Another blindly run into the cloud, which is a very good deployment model in many cases, but not always. And I think that's what you really have to, to ensure that this is a very rational decision you're making here. Okay. So the results of this phase might, might be all something, nothing sort of a public or hybrid cloud services chosen to services provided on premise or based on a private cloud infrastructure.
An existing deployment is continu and no new services chosen or new service will be deployed at all. It might be a result if you say, okay, it just doesn't work. It looks smart.
I, I understand the business requirement, but you just can't do it. Okay. And all this has to happen with risk in mind. So risk is one of the most important features we are looking at what is the risk, and if there's a risk, we have to understand this is the risk, and we have to understand how to deal with the risk. So can we avoid it? Can we reduce or mitigated, accepted, shared transfer? We need to risk response. And that's sort of a, a common element of all these steps we are doing. We are looking at the risks, what are our information, risks, our protection requirements?
What does it mean? What are compensatory controls? And then we say, okay, if we, for example, choose the cloud service, we are taking a higher risk. So we have to have some risk response in place. There main nonfunctional features, for example, our compliance location of data, security of data, business, continuity, identity, access, the privilege, the monitoring aspect, integration aspects, and some others. So you can find a series of things here. These are mainly the ones which are driven by information security.
They are for sure, some others, but that's basically what we are really looking at here. And so when building is approach, in fact it's and understanding what is our sort of our questionnaire, our, our standards, checklists, whether it's a potential cloud service or not, then we can rely on, on a lot of sources. So we can have sort of a protection requirement allows we can rely on ISO 20,007 and other things to define controls. We have here, we can rely on, on some other things. So especially my colleague, Mike Small has some, a series of great presentations over the course.
Last series also written a series of very interesting reports, which we will find in our website. And so some of these things are, for example, he talked about seven deadly cloud computing systems. And if you look at these standard things, it should be fairly easy and we've done it before to end up with a sort of an standardized questionnaire where you could rely on, on. And so my conclusion for the entire singers establish a standard process for CSP selection. So when we look at the, the entire picture and the entire topic I've talked about, the point is the main point.
The major point is we can't trust start with cloud governance. We have to manage the process before cloud governance also worry.
Well, I think that's really the, the, the most important thing here. If you start with cloud governance, we've missed the first step and we can make a, a lot of severe mistakes selecting cloud providers. And when looking at selecting cloud providers, it's important to understand that it's always about not only selecting the best cloud provider, but also also about understanding that it's not necessarily a cloud service. You select the M of today. In many cases, it'll be a cloud service, but in some cases it might be on premises overall better than the cloud service.
So the biggest risk in cloud computing is not even one of the standards, risks discussed. The ones we've talked about before. It's about not having a structured efficient focus process or not having structured efficient processes for cloud service provider selection in place, because that's where you can make the most mistakes.
Sorry, I click too soon. What you, what do you need to do? You need to define that process, understand that the cloud trust another deployment model from a end user organization perspective, it's simply said, it's, it's just that you, that you don't need to invest in a clouded strategy. What you need to invest in is in an approach which enables your it to manage all types of services consistently and efficiently, regardless of the deployment model.
And if you have that process in place, logical results that you easily cancel can decide about what is the best way to, to deploy a service is the cloud or not. It's about rationalizing the entire process and for sure you need, and that's a major task. You need the appropriate it organization as well. So electric consequences that you have to change a lot of things in your it organization, moving away for silos there towards the layer, which allows you to manage all the services consistently. I quickly wanna launch another poll, which is around risk management and the risk approach.
You have a trust interest in just curious whether your organization have one of these approaches in place. Okay?
And so, as I've said, that's really my conclusion. What you need to do is not only build your governance process, but first of all, build your selection process in a standardized structured and very lean and efficient way. And we know from our experience that this is feasible, it works, it can be done and you should do it. Okay. We can assist you in this.
So when it's about building your CSPs election process or your governance process, or both, there are a lot of ways to do it together with skipping a colleague there's to a code service contract, which allows you to stay in touch with us, get access to the Analyst, get access to all of our research. There's a cloud provider assurance workshop offering.
We have, I will talk about this later. There are our advisory services. So custom advisor, based on your specific requirements, where we act, you trusted advisor in a lean focused, educated, efficient way. We have to research of management before, and for sure their European identity conference, the best place to meet with the experts. So our leadership and best practices, future of information security today. And it's definitely worse to attend this conference regarding this cloud provider assurance workshop. We have a standard trend here.
You will be able to download the slide deck tomorrow. So I don't go through every step, but it's a two day workshop where it's about understanding the role of cloud computing and selecting the provider as well as implementing cloud provider assurance. So get what you pay for. And we do it in a two day workshop. The first day, more focused on cloud service provider selection. Second on cloud service provider assurance supported by a lot of examples for tools and methodology you can use. And I think it's a very efficient way to move forward around cloud service provider assurance. Okay.
I'm through my stack of slides. So we're at the questions right now. If there are any questions, please enter, I'm using the questions tool and go to way to go to webinar control panel. And I will try to answer these questions. I have a first question here. I've talked about the four factors of hidden TCO of the cloud. Can you give an estimate of the value of final TCO? Maybe some person it's hard. I I've recently read some numbers with probably also very rough calculation there.
I don't have them exactly in line, but it, it appeared that it's, let's say a well above 30% ratio, which you have to expect here. I think it depends on, on how good your process is at the beginning. And on the other hand, if you look at integration costs, integration costs really can kill your entire calculation over time. Second question. How do you best control data privacy in the cloud? I think the first question maybe is if you have a data privacy issue, what can you do in the cloud?
And when you look at data privacy, then that automatically leads to a series of nonfunctional requirements, which are, for example, the location of the service, which are aspects like encryption of the data, which are aspects like the D and access management to the data. So data privacy in the cloud in fact means that you have better control about the service than you have for many of the standard services you're facing. Are you being today? It really means you need better audit locks, better X control capabilities and other things.
These are sort of all, all of these are sort of the additional features. So specific feature requirements you have, and if you can't matter, or if you, if you don't have this feature as a standard feature, then it means maybe what could be the compensatory control.
So there's not a silver bullet to control data produce in the cloud, but if you have a standard process, which results and requirements, and if you sort of have input of data, privacy requirements, then the output of this process, the cloud service provider selection process has to be, these are the spec specific requirements, and maybe these are the types of clouds you can use. And these are clouds you can't use at all. Not that answers the question. Any other questions from your side? I just wait for a few moments.
And so if there are no first questions just have said again, don't, or just have a look at our cloud providers workshop, I think it's very worse to do it. We can do it virtually everywhere. So based on our us colleagues, UK, France, German colleagues, and the ability to travel, and I think it's really worse to do this workshop. Thank you for your time and for attending this a call webinar. Hope to have you beg again as a, a cold webinar parti and soon. Maybe see you at European identity conference next year may. Thank you. Bye.