Organisations moving to the cloud need to establish a risk profile to determine which IT infrastructure and applications they can trust to be managed on their behalf by a third-party cloud provider.
This was the general consensus among attendees at two CIO Australia roundtable luncheons in Sydney and Melbourne, titled ‘Cloud computing – are you in control?’ and sponsored by CSC.
Attendees at both roundtables agreed that some CIOs have not embraced the popular cloud computing model because it lacks the level of control that they expect from an enterprise environment. This is potentially made worse with the increasing popularity of public cloud services within businesses.
However, it is possible to have the benefits that cloud computing provides – such as scalability, flexibility and improved application performance – without necessarily losing control altogether.
Joe Demian, head of IT at investment management organisation, Future Fund, said performing due diligence on cloud providers and integrating the management of those providers into existing security processes can provide some assurance to the business that a key hosted application and hosted information is secure.
“We tailor the level of due diligence on cloud providers based on the nature of the information that they host on our behalf and the business criticality of the applications that we intend to leverage,” he said at the Melbourne roundtable.
“This due diligence considers the guidelines and requirements that we are expected to comply with as a federal government agency,” he said.
“We are comfortable with the fact that we internally manage and physically host the data that is of high and strategic importance to our business, including the internal assurance of its quality. This allows us to push and pull data between our platform and any number of hosted cloud-based solutions,” he said.
Interior construction firm Schiavello Group established a risk profile when the company started buying network-as-a-service (NaaS) and software-as-a-service (SaaS) offerings, said the company’s Group CIO Krist Davood.
“We established our risk profile – under international standards ISO27000 and SP 800-30 – with descriptive elements that IT and the business would understand,” he said.
“That gave us an appreciation of what our risk appetite was and that was higher than we originally anticipated so this understanding of our risk profile is critical.”
Is it ok to lose some control?
Whether or not an organisation is prepared to relinquish control often depends on which services and information are being entrusted to a cloud service provider.
“It certainly depends on the information,” said Berys Amor, director of technology at law firm Corrs Chambers Westgarth. “As a law firm, we have a lot of regulation and compliance, and our clients’ data is treated differently than, say, a retailer’s data.”
Simarjit Chhabra, CIO at global provider of life safety and security solutions Xtralis, agreed that the risk profile of putting information in the public cloud is different not only for each industry but varies from firm to firm.
“Most of us have good intentions for keeping our organisational data secure within the ‘known’ boundaries, which we guard and protect. However, some of us continue to hold our organisations at ‘gunpoint’, using security in the cloud as a threat without realising the real value of the data to the firm,” he said.
“You need to determine the value to your firm of the information that you are putting out there in the cloud.
“In the past, we were quite secretive about emails. Today we are much more comfortable putting information out on Google Apps.”
But what happens when systems and applications fail? Peter O’Donoghue, CIO at South East Water, said: “When things go wrong, that’s how you find out how much control you have.”
“It becomes a very interesting question when you are trying to troubleshoot issues around ‘who is actually accountable for fixing the problem?’” he said. “This does create a number of risks to your organisation.”
Navigating the cloud contract issue
Some attendees agreed that putting a lot of liabilities into cloud contracts also provides recourse for organisations when issues with a cloud service provider arise.
“This works well for high value contracts but my business is asking me to leverage services costing only $30 per month,” said one CIO. “Based on that, our service providers won’t be willing to commit to indemnities and liabilities that are significant.
“Having a solid contract that talks about really high liability caps is one way to ensure that the practices in your organisation are up to scratch. We also need to be assessing the capabilities of vendors so we can make a call around what is good and what is too risky.”
Darren O’Connor, CIO at retailer The Reject Shop added that when you are moving infrastructure and applications to the cloud you are “essentially swapping one IT team for another one.”
O’Connor said the retailer is using Google Apps to provide applications that need to be accessed by a broad range of people inside the organisation and can easily work with Google if there are issues that need to be resolved.
“We have an account executive at Google, I know where my Google Apps data lives and where the copies are located. You can have those conversations with these cloud providers, it’s not secret stuff.”
The Reject Shop has arrangements with its cloud providers to ensure its cloud applications are “single sign-on”, which provides O’Connor with control over user authorisations and keeps a lid on where content is distributed.
Creating a risk profile
Attendees at the Sydney roundtable also agreed that creating a risk profile and managing relationships with cloud service providers are extremely important.
One CIO said she used a risk matrix to best determine the suitability of a cloud provider.
“I don’t rely on intuition – the risk matrix allows us to evaluate the likelihood and the cost impact, and then share that with all our business stakeholders and have them consistently review the level of risk.”
“There is always going to be risk, but the question is ‘if you don’t take on some level of risk, will you lose an opportunity?’” she said.
Still, one attendee, a head of IT at a large retailer, was wary of public cloud providers’ ability to continue to provide service if disaster strikes. This is despite the fact that the retailer has a number of IT systems in the cloud.
“I don’t see how you can possibly be in control,” he said. “If a public cloud provider goes down, where does that leave you as the customer? You hope that the service provider’s disaster recovery and other processes will keep you going no matter what.”
“But somewhere along the line, something’s going to break,” he said.
Derek Welsh, CIO at employment services organisation Angus Knight, added that organisations and their cloud service provider should be sharing risk.
“Cloud service providers need to be able to scale their infrastructure and guarantee that elasticity is there and they have enough infrastructure in place so no matter what the load, customers will never see an impact,” he said.
Karolis Macionis, cloud manager at CSC Australia, pointed out that there are up to 12 cloud providers emerging each month in Australia.
“Most people see that as an attempt to cash in on a buzzword (cloud). But if cloud service providers can provide resources on a pay-as-you-go, scale-up-and-down basis and spin up a virtual machine in five minutes,” he said.
“We are missing the main point of cloud. It’s about providing companies with flexible computing resources that they can easily scale up and down.
“Electricity is a good example of that, we flick the switch, we pay for it; we switch it off, we don’t. That is the biggest difference to managed hosting. Unfortunately in the marketplace at the moment, there are not many companies that can provide real cloud computing services,” he said.