Issue: North America 2013
Topic: Cloud solutions – The devil is in the details
Organisation: Cloud Industry Forum
Andy Burton is the Chairman of the Cloud Industry Forum. Mr Burton is also the Chief Executive Officer of the Fasthosts Internet Group, where he leads the strategic development of the company. Mr Burton has over 15 years of experience managing technology companies in the security, monitoring and asset management markets. Previously, Mr Burton held CEO roles at Centennial Software, Content Technologies (Baltimore), and Chubb Information Security. Mr Burton was also Chief Operating Officer of ClearSwift, and held Managing Director posts within the publicly traded Chubb Security Group (now UTC) and Securicor Group (now G4S). Mr Burton is a Non-Executive Director of FAST.
Andy Burton has an MBA in Business awarded by the Open University and a Diploma in Company Direction from the Institute of Directors.
Cloud support is now a mainstream option for most organisations. The benefits – flexibility, easy access, scalability, cost effectiveness and pay only for what you use – are well known. Still, organisations thinking about cloud services must thoroughly consider their overall company and IT strategies. Among the primary areas of concern when using cloud-based services are the security of company data and networks, disaster recovery, accountability of the service provider, SLAs and the licensing of software used on the cloud.
‘Cloud’ is no longer a nebulous business buzzword. Three quarters (76 per cent) of all organisations in the US and 62 per cent of UK organisations already consciously use cloud computing in some shape or form within their organisation for at least one service. Satisfaction rates stand well above 90 per cent.
Whilst adoption of cloud solutions should look very attractive to organisations on many levels (the achievement of flexibility, ease-of-access, immediate scalability, agility and cost efficiency using pay-as-you-go practices), there are equally a number of delivery aspects and accountabilities that cloud computing can touch upon that are not as intuitive and require a deeper consideration before contracting.
These aspects are critically important in making rational deployment decisions but are rarely given sufficient consideration compared to the positive hype that is so readily peddled. Anyone considering cloud services adoption must assess their decision not just on the technical constraints and requirements, but also ensure they have understood the impact upon IT strategy, IT security, service contracting and software licensing in order to avoid pitfalls at a later date.
To put these facets into context let’s consider them in turn.
The cloud and IT strategy
Any one organisation that has a variety of different application areas and operational needs is likely, over time, to have a combination of on-premise, hosted, SaaS (software-as-a-service) and private/hybrid cloud solutions. In fact, this is likely to become the norm, so a key issue in future IT strategies has got to be in providing good governance of IT for broad distributed networks and a variety of managed and unmanaged deployment options. As such, clarity of controls, end-to-end monitoring, alerting, reporting and operational transparency will be vital to effective IT delivery. Care is also needed to ensure that, in driving up efficiency and driving down costs, new risks are not created due to lack of skills or tools to manage the new order of IT services.
Equally, due consideration has to be given to inter-operability/portability of data. So, when IT applications are delivered as a service, the data owner should be able to maximise efficiency by balancing the mix of on-premise and hosted services. This means avoiding unnecessary replication or re-entry, and ensuring that data is fully recoverable in a usable form at the end of any contract term.
A further consideration as part of the IT strategy has to be that of disaster recovery or business continuity. Some organisations use cloud as a fallback solution, others as a primary, but in either event understanding the business continuity risk and requirement is still essential.
Cloud impact upon IT Security
Whilst security is not an issue wholly related to any specific IT deployment model, it is an issue that attracts a great deal of FUD (Fear, Uncertainty and Doubt). Coupled with the nascent market conditions for cloud, there are many myths about security concerns related specifically to cloud-based solutions. Security has to be a proactive component of all IT operations regardless of delivery model, and to be effective it has to embrace policies, practices, tools and training. There will always be those that argue that security is easier on-premise because you have direct access and ownership of the IT equipment. There are those that argue that professional cloud providers are likely to have higher standards of security for their data centres than the average company can afford on-premises. Either in isolation is not a valid argument.
When assessing cloud-based solutions it is equally important to understand with crystal clarity the accountabilities of the parties. In a SaaS delivery model, it is likely that all but password creation is in the hands of the service provider, whereas in an IaaS (infrastructure as a service) model the end-user is likely to have root access control of their infrastructure and is therefore responsible for defining and managing the bulk of security practices.
At their heart, cloud-based solutions can introduce three new risks to manage. First, by nature cloud uses an untrusted network – the Internet – so, depending on the sensitivity of data, appropriate mechanisms to secure communications and access to data need to be implemented. Second, some cloud service providers (CSPs) will operate multi-tenancy implementations, and customers should closely examine their CSP’s penetration testing to ensure the integrity and security of data stored on their platforms and to ensure their data is not accessible by a third party.
Finally, since CSPs are aggregators, offering services to many customers, as the CSP grows so do the risks; they become, compared to an on-premise implementation, a more appealing target to the hacking community or those wishing to target DDoS (distributed denial of service) attacks. Professional CSPs should be able to provide assurances regarding their defences and countermeasures to any external attack.
Cloud service contracting
Arguably one of the biggest impacts of cloud services adoption is getting used to the cultural and operational changes of having IT delivered as a service. Some have seen the use of cloud as transitioning responsibilities under contract to third party service providers; however the governance of IT and corporate responsibilities for matters such as data protection cannot be delegated outside the end user organisation. Therefore, understanding with clarity which party is responsible for which elements of the delivery of the cloud service is critical to ensuring effective governance of IT.
Adoption of cloud services should not obfuscate responsibility for IT, which will always be the strategic responsibility of the user. In service models like SaaS, the boundaries are fairly clearly defined, as the greater part of the stack is delivered as a turnkey solution; however, even in this scenario, consideration must be given to disaster recovery capability should the service ever fail. For IaaS (infrastructure as a service) and PaaS (platform as a service) solutions, clear accountability of the service provider and the end user should be documented and agreed to avoid misunderstanding or gaps in service delivery; ideally this should be backed up with a clear service level agreement (SLA) to guarantee performance.
Cloud and software licensing
Finally, and by no means least, the use of cloud services does not ensure license compliance, far from it. Again, whilst a SaaS delivery model will likely include licensing considerations within the rate charged for the service, IaaS and PaaS solutions may only cater for the operating system used; the end user organisation is responsible for licensing application software.
Furthermore, licenses used by an organisation on-premise may not necessarily transfer to a hosted or cloud solution unless the EULA (end user licence agreement) or contract specifically allows this. Therefore the need for an effective software asset management programme is as relevant in the cloud era as it was in the on-premise era. Given the added complexity of BYOD and mobility, licensing requirements will tend to get more demanding and intricate in the near term. Whilst the variable costs of hardware and networks are largely under control and getting easier to simplify, obtaining value from software assets is an increasingly demanding and critical aspect of managing IT today.
So, whilst cloud is a powerful and compelling opportunity for most if not all organisations, accountability and application of strategic thought cannot be allowed to take a back seat. The benefits of cloud are clearly worth pursuing. Nevertheless, one needs a clear understanding of cloud benefits and vulnerabilities to ensure a robust and sustainable IT service platform for your organisation in its increasingly hybrid state.