Cloud computing allows companies to outsource part (and sometimes almost all) of their computer processing. Instead of spending on in-house servers and (in the view of CIOs) the surly IT pros needed to service them, businesses simply pay an external provider. They then access their computing infrastructure over the Internet though the cloud, in IT-speak.
Better still, cloud vendors tell us, cloud computing is massively scalable. The big box retailer handles a holiday rush with a quick online request for more computing capacity. The growing small business without a big data center can leverage the heavy-processing muscle of a cloud provider.
Seeing gold in them hills, big players have launched divisions to provide cloud computing. The leaders include Amazons EC2 and Google App Engine. In the excitement, the acronyms are multiplying. Cloud computings near cousin is Software as a Service (SaaS) software delivered over the Net and Salesforce.com touts a version of cloud computing called Platform-as-a-Service (PaaS).
IT pundit Nick Carr hails cloud computing, in his book The Big Switch, as the inevitable next step in business computing. Just as we now access electricity from huge external plants, he explains, we will access computing power from sprawling external processing facilities. Messy in-house data centers are passé. The future is bright, well ordered and reasonably priced.
But Carrs analogy falters when you look at the difference between electricity and data. Theres nothing confidential or sensitive about the wattage that flows into your business. But theres something profoundly sensitive about the data that flows in and out of your business.
Merely whispering the phrase Sarbanes Oxley, with its labyrinthine compliance requirements, is enough to make some CIOs shudder at giving a cloud-based provider even partial responsibility for their document management.
Making those CIOs even more anxious is this uneasy truth: as it evolves, cloud-based service is increasingly provided by a chain of providers. So youve contracted with an outsourcer, who in turn contracts with a series of outsourcers, and on and on and this global crowd of unknowns is handling your most precious corporate secrets.
Its like the pretty girl in high school who doesnt want to give out her phone number, except she shares it with her steady sweetheart, the football captain who keeps his address book posted on his Facebook page.
Cloud Computing or Bust
The many red flags of cloud computing are catalogued in Assessing the Security Risks of Cloud Computing, co-written by Gartner analysts Jay Heiser and Mark Nicolett.
Their thesis isnt that companies shouldnt use cloud computing. Rather, companies must go into the process with their eyes wide open, fully aware of the risks, taking essential precautions to stay safe. Or, as safe as possible, given the black box nature of cloud computing.
Probably [cloud computing] would be more popular already if people didnt have concerns about the risks, Heiser tells me. Still I dont think most of the potential users are truly cognizant of the risks. But they have a usefully intuitive sense that this is something new and it shouldnt be undertaken lightly.
(Indeed, a recent Goldman Sachs survey of CIOs plans for 2009, which indicates that the recession is giving them an upset stomach, doesnt bode well for cloud services. Less than 2 percent of respondents made cloud a priority.)
Cloud computings myriad security concerns are enough to make one ask: cant we just stay with that golden oldie known as client-server? After all, servers keep getting cheaper and cheaper (and cheaper), and the IT worker who maintain them are, sadly, surely not paid outlandish wages. Why go out of house?
Despite these doubts, cloud computing will indeed realize its potential as the industry-shifting trend it appears to be, Heiser opines. The train has left the station, recession-scared CIOs notwithstanding. Simply put, the cost savings are too great and the business potential too efficient and flexible for the cloud to be ignored.
Its basically economic, but there are convenience issues, Heiser says.
Theres a control issued. I lump [cloud computing] in with consumerization with being yet another example of how the end user is taking over the initiative from IT. If they dont like the answer that IT gives them, theyll just go out and buy the thing.
For instance, How much of SalesForce.com was motivated by sales mangers who just wanted to get away from IT and put in their own CRM?
Moreover, spending on cloud computing is seen as more desirable than writing checks for servers that start aging the moment theyre unwrapped. When you buy something in the cloud, its an expense. When you buy something like a computer, its an investment, Heiser says.
So its a different color of money and people like that.
Nine Security Concerns and How to Address Them
The most practical way to evaluate a cloud provider is to get a third party to do so, Heiser says. There are so many questions and concerns that doing all the work in-house may be prohibitive. Making the process still more difficult is that fact that many cloud-based service companies are far from transparent.
Call up Google and ask them how transparent they are, he says, indicating that the answer will be, not very. So why should you trust them?
I contrast them with Salesforce.com in terms of their transparency, Heiser says. We emphasize Salesforce as having some early attempts at transparency; we didnt really flag Google as being the evil twin to Salesforce, but theyre awfully opaque.
If you or a third party are kicking the tires of a cloud provider, here are issues to be aware of, and recommendations from Gartner for handling them:
1) Privileged User Access
With cloud computing, your confidential data will be processed by personnel outside the enterprise, so non-employees could conceivably have full access to it.
Advice: Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access.