Cloud computing: Worth the risk?
Are the rewards offered by cloud computing enough to merit the risks? IT Pro investigates.
Cloud computing is all but everywhere right now. Whether it's Apple's iCloud, Amazon's EC2 or the idea of a public sector G-Cloud, the hype and jargon surrounding cloud computing can quickly become disorienting.
But the technology behind the cloud is not actually that new. What is new, however, is the cloud's acceptance as a mainstream business tool.
Understanding what the cloud means is one thing. But businesses may well be left wondering whether the benefits outweigh the inherent risks of "putting your data out there."
Businesses should, first and foremost, look at the cloud as a way to steal a march on their competitors, suggests Sam Johnston, director of cloud and IT services at Equinix, a provider of enterprise data centre services. "Cloud computing allows companies to apply technology to business problems and in doing so, use technology as a differentiator from their competitors rather than an unavoidable cost of doing business."
The majority of IT spending by business still goes towards "keeping the lights on", Johnston explains. Companies should use the cloud to avoid the most "challenging, expensive and yet least rewarding aspects" of IT. The cloud allows businesses to share overheads, including power, cooling, and staffing with other "tenants" of the cloud provider.
"The primary drivers for cloud computing are derived from multi-tenancy - sharing capital and operational expenses between multiple users, benefiting from economies of scale," he says.
However, the challenges associated with any significant IT transition remain. A recent survey, by Vanson Bourne for SunGard Availability Services, revealed the vast majority of chief information officers feel that, in terms of implementation concerns, little has changed.
The idea that cloud computing projects need a separate and distinct approach is "overhyped". Instead, the main issues companies and their IT departments face are those of cost and, more importantly, security.
"There are some genuine new risks associated with certain cloud services, but these need to be reviewed objectively on a case by case basis [compared] with the risks of in-house delivery," cautions Bob Tarzey, analyst and director at Quocirca. "The greatest risk is missed opportunity."
But even vendors deeply involved in cloud computing caution that there are risks. Businesses are rightly worried about security, warns Colin I'Anson, technical director for cloud infrastructure at Hewlett Packard.
"One security slip, if you put your content, or your business data into the cloud and it all goes wrong, it could really damage your business," he says.
"It's very important to get it right," he continues. "Ultimately, it's not easy to get it right first time but you can design a system, carefully and precisely, that can make sure you minimise and control that risk to get it down to the lowest possible level."
Good housekeeping, though, can help businesses prepare for a move to the cloud.
"Preventative steps like carrying out security vulnerability assessments, and regularly running tests in which independent experts try to breach your defences , so-called penetration tests', are becoming recognised best practice," says Tracey Stretton, a legal consultant for Kroll Ontrack UK.
"Based on what we are seeing at Kroll Ontrack there are many companies that have far fewer defences that they need for their systems. Not only are they being hit with some very stealthy and advanced malware, but even when they are, they don't know it for a long time," she added.
The need to keep to best practices is also stressed by HP's I'Anson:
"You have to design the deployment of a cloud set up [so that it] follows standard good practices. The standard good practices have been known for years. There's been multi-tenancy in managed hosting arrangements for years. There have been remote applications for years. So practices are not rocket science, they're not wonderful new things coming in, but they are good practice."
And each cloud project needs to be assessed individually, says Quocirca's Bob Tarzey. "Each service needs to be reviewed on a case by case basis," he says, "The majority of organisations take a pragmatic view they should be OK. Some take too negative a view and they will miss an opportunity. Some are probably over enthusiastic. They will be useful to the rest in identifying areas of truly new risk."
Of course, no CIO who values his or her job security wants their company to serve as a guinea pig. Businesses need to take care, when picking the parts of their infrastructure, and which business data, should go into the cloud -- and what should stay out.
"Businesses have to be very sensible in terms of the content they're willing to risk in the public domain environment," says HP's I'Anson. "They have to think about how much they trust the very companies who are providing those client services to them. There is some information which will always stay home."
Trust, then, is another key factor for businesses considering the cloud. This reinforces the role of service level agreements (SLA), both in creating that trust, and for protecting the data business do opt to put into the cloud.
Questions of trust
"It's very important to read what that service level agreement says, and that what the company who is providing the hosting and the cloud services says, is [actually] there in their literature, to make sure that you can go into a trusted arrangement with them," says I'Anson.
The issues some Amazon customers faced, during and after the EC2 outage earlier in the year, are a prime example of the concerns many businesses have over cloud computing.
"I think it's a reminder to look at the cloud vendor you go to, to understand the services they are offering, and to understand that if there is an outage, how you are going to deal with it inside your own business," says I'Anson. "You can't just throw things over the wall to the cloud, hope they will work and walk away from all responsibility. You still need to take responsibility yourself and read what was written in your contract."
And there are some IT services which, according to Quocirca's Tarzey, are good starting points for companies starting out with cloud computing. "The cloud services an organisation should look at in the first instance are for utility IT services such as email management, PC backup, file sharing and web conferencing," he says. In general terms they can expect to get better continuity, security and service level agreements."
But, despite the promise, businesses are still being cautious when it comes to the cloud.
According to data from Kroll Ontrack, and provided exclusively to IT Pro, just over 1 in 10 companies are using the cloud to store data and, for those already using the cloud. But for those that are, the top benefit appears to be efficiency.
"Decreasing IT budgets can mean that some companies are slower to adopt [the cloud] than we might expect due to the upfront time and investment required to implement a cloud environment," suggests Phil Bridge, managing director of Kroll Ontrack UK.
"A combination of stagnant budgets and the complexities involved with new technologies may indicate that proper training in data management is taking a back seat." But younger companies, set up within the last five years, and staffed by "digital natives", are more likely to adopt cloud computing from the outset, for the majority of their IT infrastructure.
"Established entities on the other hand are currently conducting proof-of-concepts, pilots and tactical deployments," he says. "Though many have also adopted the cloud as part of their overall strategy," he says.