The Case Against Cloud Computing, Part Two
In part two of his series on the case against cloud computing, Bernard Golden tackles a second reason why enterprises are reluctant to embrace cloud computing: the legal, regulatory, and business risks.
Thu, January 29, 2009
CIO — In the first part of this series on The Case Against Cloud Computing, I noted that in speaking with a number of people involved with cloud computing, they (rather paradoxically) discussed with great vigor all the barriers to enterprises adopting cloud computing. As a result, I thought it would be useful to discuss the list of issues they (collectively) raised and offer some thoughts about them, particularly with regard to the potential for mitigation. The first of the series addressed the issue that, today at least, it is not possible to do a straight migration of a typically-architected corporate application into any of the common cloud services—they all impose their own architecture.
In this posting, I'd like to discuss the second issue raised with regard to why enterprises are/will be reluctant to embrace cloud computing:
Cloud Computing Imposes Legal, Regulatory, and Business Risk
Most companies operate under risk constraints. For example, US publicly traded companies have SOX disclosure legal requirements regarding their financial statements. Depending upon the industry a company is in, there may be industry-specific laws and regulations. In healthcare, there are HIPAA constraints regarding privacy of data. There are other, more general requirements for data handling that require ability to track changes, establish audit trails of changes, etc., particularly in litigation circumstances. In other nations, customer data must be handled very carefully due to national privacy requirements. For example, certain European nations mandate that information must be kept within the borders of the nation; it is not acceptable to store it in another location, whether paper- or data-stored.
Turning to business risk, the issues are more related to operational control and certainty of policy adherence. Some companies would be very reluctant to have their ongoing operations out of their direct control, so they may insist on running their applications on their own servers located within their own data center (this issue is not cloud-specific—it is often raised regarding SaaS as well as more general cloud computing services).
Beyond specific laws, regulations, and policies, the people I spoke with described an overall risk question that they asserted enterprises would raise: the risk associated with the cloud provider itself. Some people noted that Amazon's cloud offering isn't their core business. interestingly, however, they described Amazon's core business as "selling books." I think Amazon's business efforts are well beyond books and this response may indicate an unfamiliarity with the total range of Amazon's offerings; nevertheless, the question of Amazon's core competence and focus on computing is valid, and might even be more of an issue if the company is spread across many initiatives.
For the other cloud providers, which are probably considered more "traditional" technology companies, this issue of core competence and focus probably isn't a direct concern. It's still a concern, though, since one might discern that the cloud offering each provides is not its main business focus; therefore, the company might, in some future circumstance, decide that its cloud offering is a distraction or a financial drag and discontinue the service. Google's recent shuttering of several of its services gives credence to this type of concern.
So, all in all, there are a number of risk-related concerns that enterprises might have regarding their use of cloud computing, ranging from specific issues imposed by law or regulations to general operational risk imposed in dependency upon an outside provider.
However, many of the people who proffer these concerns do so eagerly and, to my mind, too broadly. Let me explain.
First, many of the legal and regulatory risks assigned to cloud providers are understood by them. They recognize that they will need to address them in order to attract mainstream business users. However, in order to get started and build experience and momentum, they have not focused on very challenging functionality and processes; instead, Amazon, for example, has been primarily targeted at startups and non-critical corporate apps.
To my mind, this is a smart strategy. One has only to look at SAP's protracted effort to deliver an on-demand service with equivalent features to its packaged offering to understand how attempting to meet demanding capability right out of the chute can seriously retard any progress. However, I am confident that cloud providers will continue to extend their capabilities in order to address these risk aspects.
Moreover, many people who discuss this type of risk characterize it as something that can only be addressed by internal data centers, i.e., the very nature of cloud computing precludes its ability to address risk characteristics. I spoke to a colleague, John Weathington, whose company, Excellent Management Systems, implements compliance systems to manage risk, and he questioned the notion that clouds are inherently unable to fit into a compliance framework, citing compliance as being a mix of policy, process, and technology. To his way of thinking, asserting that risk management cannot be aligned with cloud computing indicates a limited understanding of compliance management.
A second factor that too broadly characterizes cloud computing as too risky is an over-optimistic view of current risk management practices. In discussing this with John, he shared some examples where companies do not manage compliance properly (or, really, at all) in their internal IT systems. The old saw about people, glass houses, and stones seems applicable here. In a way, this attitude reflects a common human condition: underestimating the risks associated with current conditions while overestimating the risks of something new. However, criticizing cloud computing as incapable of supporting risk management while overlooking current risk management shortcomings doesn't really help, and can make the person criticizing look reactive rather than reflective.
Associated with this second factor, but different—a third factor—is the easy, but damaging approach of treating all risks like the very worst scenario. In other words, identifying some data requirement as clearly demanding onsite storage with heavy controls and reaching a general conclusion that cloud computing is too risky for every system. Pointing out some situations or data management requirements cannot be met by cloud computing poses the danger that leveraging the cloud will be rejected for all systems or scenarios. You may disbelieve that this kind of overly-broad assessment goes on, but I have heard people drop phrases like "what about HIPAA" into a conversation and then turn contentedly to other topics, confident that the issue has been disposed of.
Some of this reflexive risk assertion is understandable, though. The lack of enthusiasm on the part of many IT organizations to embrace external clouds due to the putative risk might be attributed to risk asymmetry they face. That is to say, they can get into a lot of trouble if something goes wrong about data, but there isn't that much upside for implementing a risk assessment process and reducing costs by leveraging outside cloud resources. One might say IT organizations are paid to be the worrywarts regarding data security, which isn't really that much fun, but would affect their perspective on risk and could motivate them to be very conservative on this subject.
However, given the very real pressures to examine cloud computing for reasons of IT agility and overall cost examination, resisting it by a bland contention that "cloud computing is too risky; after all, what about X?" where X is some law or regulation the organization operates under is probably not a good strategy.
So what should you do to address the issue of risk management in cloud computing?
One, understand what your risk and compliance requirements really are and how you address those things today in internal systems. Nothing looks worse that asserting that cloud computing isn't appropriate because of risk and being asked "how do we handle that today?" and not having a solid answer.
Second, (assuming you haven't done so already) a risk assessment mechanism to define levels of risk and make it part of the system development lifecycle. Without this, it's impossible to evaluate whether a given system is a good candidate for operating in the cloud.
Third, assess your potential cloud hosting operators for their risk management practices. With this in hand, projects can have their risk assessments mapped against the cloud provider and a decision can be reached about whether cloud hosting is appropriate for this system.
The cloud hosting risk assessment should be treated as a dynamic target, not a static situation. The entire field is developing quite rapidly, and today's evaluation will probably not be accurate six months hence.
Pressure is going to be applied to IT organizations over the next twelve months regarding costs and, particularly, whether cloud computing is being considered as a deployment option. With a risk management framework in place, appropriate decisions can be made—and justified.
Bernard Golden is CEO of consulting firm HyperStratus, which specializes in virtualization, cloud computing and related issues. He is also the author of "Virtualization for Dummies," the best-selling book on virtualization to date.