This article can also be found in the Premium Editorial Download "Modern Infrastructure: Securing and mitigating risk in the cloud."
Download it now to read this article plus other related content.
The debate around cloud computing risk continues. This isn't because the risks that large enterprises care about have worsened (they haven't, broadly) or because there is a new set of risks that present concern (there aren't, again broadly). The debate continues because cloud computing technologies have introduced "buyer uncertainty" into the sourcing market. Cloud capabilities have matured enough to induce vendors to rapidly evolve offerings in an effort to capture market share -- but not to promote interoperability. The clarity of cloud's risk-adjusted value proposition thus has yet to emerge, mostly because evaluations of risk and value remain moving targets.
So what is there about managing cloud risks that should be top of mind for IT leaders in today's environment? CEB analysis suggests that the foremost risk is not anything intrinsic to the cloud provider community as a whole, but rather the lack of a consistent framework in large enterprises for engaging with and managing cloud services. The risk issues normally associated with cloud technologies, such as data privacy and security, are evolving rapidly. Even the technologies themselves vary by provider and service. The absence of a consistent approach to these technologies and providers should be the risk that is top of mind, in that it will exacerbate the risks of what could otherwise be a perfectly acceptable sourcing arrangement.
What does an enterprise framework for managing cloud services entail? We'd argue that it must account for three deficiencies:
CEB analysis suggests that the foremost risk is the lack of a consistent framework in large enterprises for engaging with and managing cloud services.
- First is the lack of a consistent approach to the evaluation of cloud providers. Early CEB studies conducted around "flaws" in cloud services indicate there are several flaws that should represent immediate disqualification or screening criteria for vendors. However, many organizations have yet to evolve their vendor evaluation criteria to account for these criteria for both current and new vendors.
- Second is the lack of clear guidance for integration and the migration of applications or capabilities to cloud providers. This should take the form of reference architecture patterns that developers, project managers and business partners can use off-the-shelf to promote consistency in managing architectural risk.
- Third is the lack of clear communication with key stakeholders around IT's strategy for engaging cloud services. Vendors have a clear incentive for bypassing IT in selling and promoting cloud services because they can increase contract value by 50% to 100% by going directly to business partners, and they can reduce sales cycle time by 50% to 80%. For IT to promote consistent evaluation frameworks and architectural guidance, leaders need to convey a strategy that ties to articulated business objectives, shapes business partner expectations, and defines challenges that require business-IT collaboration to solve.
The latter objective is particularly true in areas where provider/platform risks need to be tested in coordination with business partners and providers to determine what constitutes acceptable risk management. Means are available to most IT organizations to address these risks, but not through conventional vendor management frameworks. Most existing vendor management frameworks are premised on a view of risk that is too focused on the technology or the provider, and some IT organizations are today beginning to question the assumptions built into these premises. For example, should you build redundancy and "hardening" into the application layer rather than the infrastructure layer?
The best organizations recognize that the tools they need for managing cloud risks should come from reference architecture. These include business capability-aligned roadmaps to help clearly understand where cloud providers can provide:
- New sources of business value
- Patterns and standards to integrate cloud capabilities within the larger architecture
- Decision frameworks and guidelines that help partners procure cloud services safely
Large enterprises that will successfully manage cloud technologies and risks recognize that, no matter how the market evolves, cloud services are likely to represent an element of our future technology architectures, and they need the reference models in place to define the role these services play. They understand that the bigger risk lies not in the technology or provider, but in the cost of lost opportunities if the enterprise is unable to take advantage of different-in-kind cloud capabilities.
Mark Tonsetic is a managing director and Jeremy Bergsman is a practice manager at the Washington, D.C.-based consultancy CEB.
This was first published in June 2013