Myriad public cloud risks continue to give enterprise CIOs pause, despite all the advice given them last year to embrace the public cloud or risk losing control as divisions provision their own IT services with a credit card.
Some say public cloud computing is all about giving up control gracefully, but at this stage, paranoia is a healthier state of mind, said Prateek Dwivedi, CIO at Mount Sinai Medical Center in Toronto. Persistent risks, such as security and availability, are serious concerns, said Steve MacLellan, senior vice president of security solutions and architecture at the Fidelity Technology Group in Boston. Regarding the potential for an interruption of service, MacLellan put it this way: "If the data is not there, you're out of business."
On the one hand, public clouds like Amazon's Elastic Compute Cloud (EC2) enable IT departments to outsource infrastructure (servers, storage and networking) and applications, making such IT services available over the Internet to an increasingly mobile workforce. In theory, this would free up IT to become the trusted integrator -- and technical innovator -- for the enterprise.
On the other, a recent survey of 895 Internet experts and users found that public cloud computing "presents security problems and further exposes private information to governments, corporations, thieves, opportunists, and human and machine error," according to Lee Rainie, director of the Pew Internet & American Life Project in Washington, D.C.; and Janna Quitney Anderson, associate professor and Pew Internet researcher at Elon University in Elon, N.C., who conducted the survey.
Indeed, nearly half of the 1,800 IT professionals surveyed in April 2010 by ISACA, the international IT certification organization, said cloud risks outshine the benefits: While 15% of that survey's respondents plan to use the public cloud for low-risk services, only 10% plan to use it for mission-critical IT services, and a quarter don't expect to tap into the public cloud at all. But not using the cloud, experts said, is the biggest risk.
Getting comfortable with cloud risks
"My advice is to understand what you are comfortable allowing into the cloud, then develop a list of approved providers and a process for migrating or developing applications and systems in the cloud," said Rich Mogull, analyst and CEO of Phoenix-based consultancy Securosis LLC.
Steven John, CIO of Saint Paul, Minn.-based global adhesives maker H.B. Fuller Co., followed that route: He decided to outsource non-mission-critical business processes and applications, such as email, human resources and customer relationship management, to several cloud providers; hired a consulting firm to vet cloud providers and shape cloud contracts; and started to develop applications on Salesforce.com Inc.'s Force.com development platform.
John did not find that cloud risks outweighed the benefits -- which included being able to install a global collaboration platform for the first time in the company's 120-year history -- but he was in the position of not having a big IT budget to update an outdated IT infrastructure.
"Large companies will join [the cloud] later because they've made a huge investment in IT, so they have less ability to take on risks," John said.
Sharing liability for cloud risks
Companies aren't shying away from the cloud, but they want to transfer financial liability to cloud providers if something should go wrong, such as an outage, said Tanya Forsheit, a founding partner of InfoLawGroup LLP in Los Angeles. "The cloud can be a big positive if they can get those assurances and protections."
IT executives can reduce a lot of the risk by doing their research ahead of time, understanding their service-level agreements with providers, and providing guidance and an approval process that preferably involves a risk assessment with a security team member who has experience in the cloud, Securosis' Mogull said.
"The key is focusing the right services, the right requirements -- services-based and services-oriented," said Tom Bittman, distinguished analyst at Gartner Inc. in Stamford, Conn. "In terms of risk, the [capital expenditure] risk isn't there, plus you're offloading technology management," he said. "We're in a complex business. The idea that we can push that to someone else is very attractive."
With every good story, however, comes a darker side. "It's not always cheaper. We've found that with our customers, pricing models are in flux," Bittman said. "Security is still a problem. You define the boundaries, where secure-enough works for you."
Let us know what you think about this story; email Laura Smith, Features Writer.