There are compelling – and widely understood – arguments that cloud computing brings efficiencies and savings. There are, however, also widely-held misconceptions that cloud computing brings serious risks to business information. We need to set the record straight.
The varied benefits of cloud computing are undoubtedly worth pursuing, and range from energy savings to greater effectiveness and better staff utilisation. But let’s be blunt: cost-cutting tops most companies’ lists of priorities in these challenging economic times. If you want to attract the managing director’s attention, you need to talk about money – making more or spending less.
Now that cloud computing has turned from futuristic possibility into increasingly well-established practice, the cost of ‘outsourcing to the cloud’ is falling dramatically. It is no longer rare for a company to consider cloud computing rather than in-house data storage, and the chance to save money is playing an increasingly important role in that decision. With cloud computing, a company is charged for the use of software applications, and for data storage, accessed over the internet, much as it is charged for electricity. Because the company pays only for the resources it uses, operating costs can be reduced. After all, in-house data centres typically leave 85%-90% of available capacity idle. Cloud computing can lead to energy savings too, removing from individual companies the costly burden of running a data centre plus generator back-up and uninterruptible power supplies.
Managing the risk
So cloud computing is on many people’s radars this year, not least because of the attractions to budget-conscious and performance-orientated businesses. Which arguments, then, will win over the sceptics?
Realism helps. There are risks to cloud computing, inevitably, just as there are risks to any IT migration. Managing and reducing those risks to an acceptable level is core to strategic success; firstly when thinking about the options presented by cloud computing and then when actually implementing the process.
The risk management process begins when choosing a service provider. Naturally, you need to be confident your business information will be secure. You need to carry out due diligence on the service provider before you entrust this firm with your vital data. Compliance questions should include looking at ISO 27001 and European Union ‘Safe Harbor’ certificates, Statement on Auditing Standards (SAS) 70 reports and business continuity arrangements. The challenge for procurement professionals is determining which questions to ask, what assurances should be in the contracts and how much risk is being assumed when a service is moved to the ‘cloud’. The key is to know which paths are good for your organisation today and which paths are going to be better tomorrow.
Cloud service providers are not unified in their approaches, their methods or their technologies. There are, for instance, as many ways to implement virtualisation as there are hardware and software manufacturers. The concept of the cloud, however, matches this diversity very nicely. Arguing about the details of whether you are paying for platform-as-a-service (PaaS) or software-as-a-service (SaaS) seems less important if you can receive both options from a single provider. By using ‘Everything-as-a-service’ as a model, we can evaluate internal versus external hosted services for just about anything.
Increased data security
Cloud computing in 2010 does not necessarily offer weaker data protection than an in-house server or data centre. In fact, cloud computing can help to defend an organisation from IT security threats such as denial-of-service attacks, viruses and worms (self-propagating pieces of malicious software). By moving IT functions to a shared external service provider, even the smallest companies benefit from a comprehensive range of the latest security protection systems. Those small (or medium-sized) enterprises would otherwise rarely, if ever, be in a position to buy and implement all those state-of-the-art defence systems independently. The cost – financially and in terms of time and human resources – would simply be too high.
And that question of staff utilisation is an important point for chief information officers. Outsourcing rarely-needed IT tasks and functions allows IT staff to focus on core work. Equally, rather than having an IT team spend valuable time monitoring the market for new products, and then facing the challenges of integrating those products into an organisation, cloud computing means that up-to-date software suites are painlessly introduced across a company ‘from above’ by the service provider.
There are a growing number of external security providers catering to the ‘cloud’ and, because of the nature of networks, security monitoring can actually reside anywhere. Internet service providers are already capable of detecting viruses and worms in transit. A self-diagnosing and self-cleaning ‘cloud’ might not be far behind.
Cloud computing is not a new and frightening idea but an established, positive – and secure – IT option for many businesses. Not every cloud brings rain.
IT Governance is exhibiting at Infosecurity Europe 2010, the Number One industry event in Europe held on April 27-29 in its new venue of Earls Court, London. The event provides an unrivalled free education programme, with exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information, please visit: www.infosec.co.uk.