Cloud computing risk management: Cloud computing seems to be the perfect technology for people with short attention spans. As I watch the commercials and read the ads about trusting the cloud for business, I keep wondering how these firms have established their credibility and garnered trust. The answer is, they earn trust only so far as trust is built through meeting service level agreements. Most of these companies are relatively new, and even larger firms, with a longer track record, don’t have much of a track record when it comes to cloud computing. Service level agreements without history are bets, they are not guaranteed.
It struck me as I had a discussion about outsourcing at recent future of work and facilities management conferences that the penchant for outsourcing, especially that of outsourcing virtual content to nearly virtual firms, was a rather risky proposition that has no historical precedent. Whereas outsourcing human labor is ancient, though the business models have evolved from slavery to more humane and profitable arrangements, the outsourcing of computing services has a history that reaches back only a few decades, and that history is filled with lessons I am not sure about today’s CIOs are heeding.
The most important lesson is that services come and go. Although stalwarts like ADP continue to process checks, many other service bureaus, as computing service firms used to be called, no longer exist because the price of computing hardware dropped to the point that firms could bring that capability in-house. I was personally involved in the transfer of data from a service bureau to an in-house system, and although some of the tools have evolved, the manual systems analysis effort to pull that data into the in-house system required precise mapping and testing. In the early 80s, these were primarily flat-file systems so the mapping was relatively easy. Imagine if a firm like salesforce.com ceased to exist and all of the data stored there must be brought into another CRM system. Of course, this will never happen, but on the other hand, it is probably inevitable that it will happen at some point. Either a new technology will out-compete Salesforce’s, or Salesforce will face some shift in fortunes. Again, when you look at the historical record of firms, this will likely happen.
Even if it doesn’t happen, and the cloud service continues on, the story that transitions to new technology will be seamless only holds true if the business model supports the shift. Any radical shift in the underpinnings of technology, be it the relational database or the basics of systems operations (e.g., a new computing architecture arises that replaces current server farms with something much more efficient but completely incompatible). I still have boxes of TRS-80 floppies in the garage with Scripsit and some of my writing. 5.25 inch floppies to 3.5 inch floppies were not radical, but they caused a lot of shuffling and resaving. Not very productive. And the material that is on my original cassette taps is just lost to eternity. When I went from Scripsit on cassette to disk-based Scripsit, I had to re-enter all of my data. Today that would be unfathomable for a PC or Mac owner, but that same risk is being assumed when outsourcing data to a cloud service. We have little visibility into the future of computing and we already know that history is filled with changes, both radical and subtle in computing. I am not suggesting that organizations avoid cloud computing, just that they don’t tacitly assume the risk or believe the guarantees of firms where such guarantees have not be tested by time.
As a scenario planner, cloud services also include existential risks which the provider cannot, and will not, be able to account for. Earthquake, flood, fire, solar flares, and the like.
So if the world is moving to cloud services, what should you do?
- Don’t jump just because all the cool CIOs are doing it. Some services, like social networking, may be fine to move, if the data can be stored in multiple locations.
- Make sure you understand the data archiving and security capabilities of the cloud service provider. If they can’t show you, tell you, and demonstrate to you, how they manage backups and how they manage security, then don’t trust their claims.
- Don’t let current costs drive long-term strategic miscalculations. Sure, cloud computing is cheaper, requires fewer people, fewer facilities, and results in lower utility costs – but as a CIO, you should first be focused on the data, not the costs. If the costs increase the risk to the data, then you are not fulfilling your obligations by pushing it to the cloud, especially if you can’t ensure viability and access over time.
We go to libraries and visit museums and we see records that are ancient. Old books, hand-written scrolls, hieroglyphics etched in stone. The cloud offers none of the longevity that data has enjoyed during human history. One of the reasons paperless offices have failed to appear is the lack of trust that digital records retain the same degree of permanence afforded to physical records. When we outsource to the cloud, we give away the little control still held by our firms, of the employee and customer data that has been collected. We give our future history away and no clause in the contract accounts for that.
I am far from a Luddite, but as a strategist, I must point out to my clients when they are taking a risk and the character of that risk. IT has always made our future history less tangible, but cloud computing completely removes it from the presence of the organization that owns it.
When I look out 20 years, I see cloud services, and I see distributed computing platforms and I see entirely new forms of data storage, encoding, and representation. Most of the cloud computing providers are as tactical as their clients, so they run the risk, themselves, of strategic disruptions from emerging technology and business models challenging their positions and their potency. 20 years out, we may still have cloud services, but they will be very different, so we must as the question learned from cassette tape to floppy, about how painful such a transition might be, who how best not only to anticipate such a transition, but how to plan for it, and reduce the risks associated with selecting a supplier for short-term cost savings when the real goal is long-term business continuity.