A CIO's guide to cloud risk management
A comprehensive collection of articles, videos and more, hand-picked by our editors
In part one of this feature on the economics of cloud, CIOs explained how their use of cloud services is closely tied to the particular business demands and constraints of their enterprises.Part two offers expert advice for getting the most out of cloud services by analyzing business value drivers, nailing the contract, using cloud monitoring tools -- oh yes, and calling up your peers.
One of the first steps in developing a cloud economics strategy is understanding the business' "value drivers" for the cloud, said David Linthicum, senior vice president at Cloud Technology Partners (CTP), a Boston software and services provider specializing in cloud migration services.
"If you're a big bank, your value drivers around using cloud-based technology are going to be very different [from those of] a manufacturing company, and very different [from those of] a healthcare company," he said.
At manufacturing companies, for example, business processes tend to be fairly static and stable and, unlike at finance and technology companies, typically not transaction-heavy, Linthicum said. "There's not a lot of high-end stuff that has to occur. There's some data analytics, but those may be perfectly addressable with the existing systems."
Linthicum recommends that CIOs start their cloud economics analyses by examining the three areas in every business where there is potential for value to be found in moving to cloud:
- Operational costs
- Security and compliance issues
Identifying the operational cost savings of migrating to the cloud -- "the whole Capex vs. Opex thing," as Linthicum put it -- is probably the most straightforward analysis for most companies. "If a company is about to build another $10 million data center and it's trying to avoid [the cost of ownership], using cloud computing can add to the bottom line," he said.
Pat Smith, CIO
In an area such as security and compliance, however, the ROI of moving to the public cloud will be more difficult to calculate. Many heavily regulated companies will indeed decide the potential risks of the public cloud will outweigh its benefits.
"They just want to maintain the systems and control them more closely than outsourcing them to Amazon or Rackspace or Microsoft [would allow]," Linthicum said. But even in these cases, he recommends that CIOs not jump to conclusions. "In the majority of cases, I find out that's typically not the case," he said.
For companies that absolutely need to control sensitive data, an alternative is to use a private cloud; however, this option may not be very economical in the end, because you still need to buy your own software and hardware, among other things, Linthicum said.
Negotiating cloud service contracts
A very important part of making sure the cloud will match and meet business drivers and a company's needs happens in the negotiations with vendors and the contract that is ultimately signed.
Cynthia Nustad, CIO at Irving, Texas-based Health Management Systems (HMS), which specializes in analyzing costs for large health providers, said she never signs a cloud contract that doesn't allow her ownership of the data. But her chief concern is related to "stickiness." Vendors look for ways to keep customers on their service, she said, "but you don't want that. As a purchaser of those services, you need to be able to be nimble. And if one vendor really outdoes another in performance, price and quality, you need to be able to switch."
Kyle Hilgendorf, research director at Gartner for technical professionals, agrees that every company and every CIO needs to have an exit strategy for cloud services. "It's only a matter of time until at least something goes wrong with the provider," he said, whether that means the relationship with the vendor sours, or a new CIO had a bad previous experience with that provider and insists on switching.
Vendor loyalty is not a CIO virtue
Pat Smith, CIO at Our Kids of Miami Dade Monroe Inc., a not-for-profit serving abused and neglected children, believes that "if you have too close a relationship with any one vendor, you're not doing your organization a good service."
Her advice for CIOs is to do their homework and understand what's in the vendor's environment that could cause the project to not work or to cause the cost to increase. And on the flip side, they should understand what's in the vendor's environment that could be favorable and beneficial. CIOs need to do this research because, in her experience, "vendors will not take the time to really understand your environment enough" to give sound advice, including advice about all the cost advantages their cloud solutions may bring to your particular environment.
Sometimes the only way to get an accurate picture of the benefits of using the cloud versus providing services in-house is to hire a consultant to do the analysis, said analyst James Staten of Forrester Research -- particularly if your IT organization feels threatened by outsourcing infrastructure and services to the cloud.
Cloud monitoring tools can help
Once a company has moved to the cloud, Staten advises CIOs to use cloud cost monitoring tools such as Uptime Software and Cloudability, both software-as-a-service solutions, to gauge cloud costs. These tools allow companies to monitor how everyone in their organization is using cloud services, help find cost overruns and detect anomalies, he said.
For instance, if a cloud application has been left on and nobody's using it, or if a business department scaled up for some reason but then never scaled back down, or if IT has set up big instances for an application but then the application is never used more than 20% -- these are all anomalies that can be adjusted and rectified to help companies reduce costs, Staten said.
The cloud management tools also allow a company to put a threshold in place and monitor employee usage. When an employee exceeds that threshold, the company will get an alert basically saying, "Bill is going nuts again," Staten said.
Not everyone agrees that these cloud cost-monitoring tools are fine-tuned enough yet to be useful -- HMS' Nustad, for one. "I'm not seeing the maturity there," she said. In addition, her fellow CIOs, more so than analysts, continue to be her best resource for cloud economics.
"If I really want to find out what one of my friends in the neighborhood has paid, I just pick up the phone and call them," she said. "That is one of the best ways to get market intel on cost versus going to the analysts."