“The cloud” has had a positive impact on business environments by providing industry professionals with reliable and immediate access to the software necessary to perform their business functions. While the cloud is equally beneficial to technicians responsible for maintaining computer infrastructures, IT is still reluctant to fully adopt the paradigm. Here we will address some of the fears associated with cloud computing.
Cloud Barriers and Concerns
The first issue IT has with the cloud is lack of control. It's often not just an objection with the technology that is being managed outside the IT department, but the decision to adopt technology that circumvents IT in the first place. Through intuitive user interfaces and "self provisioning," cloud services have made it easy for non-technical teams to provision their own tools, and even make resource decisions that were formerly the sole domain of IT. So far it's working: research published last month found more than 60 percent of IT purchases are now being made by line-of-business employees.
However, the cloud discussion covers more than just organizational issues. There are also legitimate business continuity and risk concerns that make many technology leaders reluctant to adopt these services. The risk of data loss or theft, for example, is a prevalent issue among all industries. While conventional wisdom holds that the principle of least privilege should prevail, the "easy-to-subscribe, easy-to-share" model built into many cloud offerings means that there are often more people with access to critical information than there should be.
The issue is further exacerbated by the fact that cloud providers are not always clear about what services, protections, and insurance they provice in their contracts. According to Gartner, this makes it difficult to employ effective cloud risk management strategies. For example, for organizations that are unable to rely on providers for compensation during downtime, adopting the cloud carries with it an unnecessary and unwanted risk to their budgets. Other potential threats cloud service pose to organizations' bottom lines include:
- Compliance fines if providers fail to meet regulatory mandates
- Loss of customer trust if the provider's system is breached
- New skills or extra labor time required to manage cloud systems
All this means that IT professionals must be proactive in addressing cloud-related risks and in implementing technology that line-of-business employees require to do their jobs. A recent audit of NASA's cloud computing deployment found that employees will likely turn to cloud services even in the most secure and well-educated environments - regardless of whether IT knows about it. In other words, rather than fight the cloud (and be ignored), IT should find ways of incorporating it in a controlled fashion, while using the paradigm to create their own business value.
How IT Can Embrace the Cloud - Slowly and Safely
The first step in reducing risk in the cloud is establishing exactly what the technology needs to do. Once this is known (perhaps after watching a few cloud subscribers in action), IT can play a vital role in creating policies that define the minimum protections a provider must have. For instance, companies that handle credit card data may need a policy that dictates the use of a provider that is compliant with the Payment Card Industry Data Security Standard (PCI DSS). Other factors to consider include:
- The provider's policy for notification in the event of a data breach
- The use of encryption
- A system for measuring value to ensure return on investment
- A clear use case for the cloud, related to specific features (file sharing, collaboration, storage, etc.)
As Gartner warned, IT decision makers should focus on their cloud contracts and push for clarity early on. This means establishing firm service-level agreements with provisions for total uptime as well as potential compensation if SLAs are broken. Furthermore, analysts recommended that the contract include a process to cancel service if the provider fails to meet expectations.
"Concerns about the risk ramifications of cloud computing are increasingly motivating security, continuity, recovery, privacy, and compliance managers to participate in the buying process led by IT procurement professionals," said Gartner analyst Alexa Bona. "They should continue regularly to review their cloud contract protection to ensure that IT procurement professionals make sustainable deals that contain sufficient risk mitigation."
It is also important to recognize that the cloud (at least the public cloud) is not always the best option when working with data that should never be left on 3rd-party servers. With advances in virtualization technology, it has become easier for IT to keep hold of the reins by deploying their own private clouds. This option ensures that the IT department stays in control. However, it is critical for IT to deliver on the cloud paradigm's essentials, including automated resource provisioning and accessibility, for this strategy to be a success.
The ease at which resources can be provisioned in the cloud makes it essential to incorporate usage and access monitoring tools so that the cost of storage, computing, and other resources does not spiral out of control. It also requires IT administrators to become familiar with classes of applications than can be deployed either on-premises or in the cloud, such as human resources packages, sales automation, and secure file sharing.
Do you embrace the cloud, fear the cloud, or both? Please tell us your thoughts and experiences in the comments below.