It happens with every new technology. If you look back to the advent of the Internet, even basic networking, the move from Mainframes to a distributed model, the commoditization of infrastructure, and the introduction of wireless networking, there is always one common theme at the start. The cry of technologists shrieking “it’s too risky!”
Never more so than now, as cloud continues its rollout globally. It is astonishing how many news articles, blogs, and technology reporters are perpetuating this myth. I guess, from a cynical point of view, fear sells in the media, but I think that there is a large degree of ignorance involved as well.
As I’ve blogged before, risk has to be qualified and understood in the context of your business and the way you operate. Many risks are raised, a few of which I’ve tried to debunk below.
What we are seeing is a misunderstanding of risks related to Cloud. There are very few risks to Cloud adoption. The primary risk to your Cloud adoption is not knowing your own business, your services, your needs, and what you want.
This is a great example of a news article bearing no resemblance to the content of the piece at all, written by someone who is smart enough to create a catchy “fear” title. It names a security firm that says there is a risk that if you don’t shut off a staff member’s remote access when they leave your company, they could get into the cloud.
Well, duh. If you don’t shut off a staff member’s access when they leave, they can get into anything, cloud or not; if you don’t take keys off them, they could get back into your office. But do we see headlines saying “Office Buildings Creating New Zealand Security Blind Spots”? No, we don’t.
This particular news story falls into the “wild risks” category and, once again, the title is out of line with what he actually said. The risk that he actually stated is less a risk and more a statement about content and those software agreements you electronically “sign”.
Wozniak said that putting stuff into the cloud was effectively “signing it all away.” This can be true, look at the original T&C’s for Google. You own nothing, ditto Facebook. But for a smart company entering the cloud, this will never be an issue.
First off, “the Cloud solution may not meet its financial objectives.” Well, this is true, the number of people who outsource, or Cloud source, to save money is high, but getting a good ROI is low overall. This risk is not a barrier to entry, it is a warning that you best know what you want before you start buying Cloud services.
“The solution may not work in the context of the user enterprise’s culture and organization.” OK… This is a fancy way of saying, you need to have a plan. Oh, and the plan best align Cloud with the direction the business goes in. This is less about Cloud, and more about ICT setting business directions and the risk that involves.
“Integration of various Cloud services may be difficult.” True, but not impossible. This is a risk with no consequence. Also, as time moves on, it is likely that we will see broad standardisation of Cloud services and reduction in the number of offerings as the market collapses down to a few providers.
“The solution may not comply with its legal, contractual, or moral obligations.” Then make sure you buy one that does…
“A disaster may occur from which the solution cannot recover.” True, but unless you are making a conscious decision to move from your own facilities to facilities that have a lesser disaster recovery protection level, then this is a null risk. I will cover DR in the Cloud in a post sometime as there are some unique risks to it, such as, where are you on the pecking order in terms of restoration in a multi-customer public or community Cloud?
“System quality may be inadequate.” Again, why would you move from a well-performing internal system, to one that is of inferior quality?
“Security may be inadequate.” Again, same as the last two risks. You are not knowingly going to allow this to happen.
I don’t agree with their last risk, which is effectively around the fact that if you don’t have some kind of Service Oriented Architecture you have the potential to get into a mess. I suspect if you don’t have some kind of SOA you’ll never be able to move to the Cloud anyway.
ZDNet’s risks are less risks and more things that you need to think about before moving to a Cloud based service.
Gartner published seven security risks for the Cloud, but once again, I think these are less risks and more about making sure that you are moving carefully. I don’t buy this argument that as an organisation you can’t control security in the Cloud. The question is, how much do you want to pay for it? You could buy a private Cloud that no one other than your organisation had access to, completely locked down, but in effect, all you are buying then is facility management. You have to loosen the reins to get the ROI, but that doesn’t mean that you can’t monitor and control the reins with a very high degree of sophistication.
Gartner’s risks are: privileged user access, regulatory compliance, data location, data segregation, recovery, investigative support, and long-term viability.
I don’t think anything other than “long-term viability” is a risk. I think the first six are requirements that you need to make sure you understand and make sure your Cloud service can deliver you before you start migrating. Long-term viability is absolutely a risk. You need to pick an organisation that is in it for the long-haul, that is financially stable, and is not going to collapse into bankruptcy. This is critical, something I’ll cover in another blog.
Cisco comes in with another five “risks” but gets the angle right from the get-go.
The blog is titled “The Top 5 Security Risks of Cloud Computing” but sub-titles it, “Evaluate potential providers on their responses to these key concerns.”
We’re closer here, it’s less about risk, more about concern, and in reality, it’s actually about requirements. For the record, their “risks” are effectively the same as Gartner’s.
What we are talking about here is not so much risk, as it is requirements. One of the critical mistakes you can make is just to jump into Cloud without thinking about what your services are and what is required to support them. It is important that you create a standard based schedule of services and assign them non-functional metrics before even analysing Cloud offerings.
Most of the risks that the commentators and media raise today are not risks at all, hence the myth.