Some systems managers still believe the promise of cloud computing exceeds the technological reality. They cite the “ities” – security, customizability, longevity, quality, reliability and others – as being key inhibitors to adoption and valid causes for corporate hesitation.
In my opinion, the elephant in the room is really the loss of control that happens when ICT becomes cloud-based and widely accessible to the public.
Giving up direct control has to be one of the hardest things corporate managers have to do (or more correctly to re-do). The basic premise seems to be that if it’s under your control, then nothing much can go wrong! Is the loss of cloud control a valid fear?
Cloud systems are typically (but not universally) characterized by:
- The provider owns the physical premises and can deliver the cloud from any suitable location;
- The provider also owns the hardware, software and networks and they are not dedicated to any single customer;
- Multiple customers could be using the resources (called multi-tenancy) at the same time;
- Anyone can potentially become a customer, especially with public cloud services;
- Common technical and operations standards are used for all customers;
- SaaS applications are pre-defined and may be configurable, but are not easily customized; and
- Clouds are “black boxes” in that the customer cannot directly monitor or manage the resources.
This is certainly different from today’s in-house, custom-built systems but is it necessarily a threat?
Here are a few questions we could ask about the concept of cloud control (we cannot answer them all here!):
- WHO is really accountable for being in control of the cloud system?
- WHAT exactly are we trying to control?
- WHERE do cloud controls get applied?
- WHEN is control actually needed?
- WHY do we want to retain control over clouds?
- HOW do we implement cloud controls?
The first question should be simple (but probably isn’t!). The business owns ICT regardless of how or where it is implemented – in-house or provided as an external service. Ownership and accountability, however, are often not well defined or applied even in traditional IT organizations.
We should also examine WHAT we are trying to control. Four types come to mind:
- Control over data – The business user will always be accountable for the safety, security and proper use of its business data. That’s exactly what the internal ICT organization usually says to its users – the IT department is merely the custodian of data, not its owner. From the user’s perspective, the internal IT group may be no better than an external service provider at managing business data!
- Control over functionality – Business users sometimes claim they need their systems to be customized (or even built) to their specific needs. For these people, to design the business around generic cloud applications is counter-intuitive. More recently, however, the observation has been that today’s “systems of record” create little or no competitive advantage and hence need not be unique or self-controlled. Giving up control over business processes to focus on “systems of engagement” may actually be a strategic decision. The key is to know what functionality is critical to success!
- Control over assets – Businesses today depend on their systems, and treat them as critical assets. Control of ICT assets is seen as equivalent to having control over money and people. Imagine a company staffed only by contractors that you had no control over! The perception of cloud computing is that there’s a greater risk of losing the assets, since you do not own them. This, however, is not really a new phenomenon – timesharing services in the 1970s, PC leasing in the 1980s, and outsourcing in the 1990s are examples of assets not being owned. The key is selecting the service provider and having a “plan B” for cloud disaster recovery (when the disaster is a bankrupt service provider, for example).
- Control over access – Some ICT managers believe that access control is more problematic with cloud computing. In fact, numerous examples of this have hit the press – for example, should an email provider read the customer’s emails to target advertisements? Preventing misuse, illicit use and attacks from external parties requires that IT managers re-think their approach to email control. Robust access controls are critical regardless of the location or supplier.
I’m sure there are other things that need to be considered, but you get the idea.
We can also examine HOW a user can control a cloud ecosystem. Several levels of control could be considered:
- Executive control (governance) – Enterprise management is ultimately accountable for controlling ICT resources, regardless of the implementation choices. This includes ensuring the service provider meets basic standards, is capable and is trustworthy. Appropriate legal and contractual controls must be in place, security and performance must be monitored, and service providers must be auditable. In essence, cloud computing requires governance and oversight to be more rigorous and thorough than it was with in-house solutions.
- Financial control – Cloud computing is a consumption-based resource which leads to a need for cost controls, especially since capital costs have been converted to operating costs. Financial control includes managing investments – for example, how many cloud solutions can be implemented per year, how can duplication be avoided, etc. Cost control can be more difficult in a cloud computing environment since each individual subscription may be low cost, but many small items can add up quickly.
- Solution control – There are various controls associated with the technical solution. Shadow IT – users directly subscribing to cloud services without the IT department’s involvement – should also be controlled. An architecture that avoids “cloud proliferation” and the consequent operational nightmares is needed and, in a multi-supplier world, this will not be provided by the service provider. Architecture control includes procurement guidance, technical standards and best practices.
- Operational control – Control over the operation and use of the cloud service(s) is also important. Although cloud services are typically highly automated, there is no doubt that outages will occur, breaches will happen, and changes will be needed. Controls must be designed to ensure ongoing compatibility, especially in hybrid solutions, and to establish operational policies and practices.
This isn’t anywhere close to a full discussion of cloud control, but it does highlight some of the areas that IT managers need to consider. In essence, the debate needs to change from simply “we’ve lost control” to how best to share the controls among the different stakeholders while maintaining strong oversight.
Perhaps one of the most important controls, from the user perspective, is simply having control over who your suppliers are!
What do you think – is control the biggest hurdle to cloud success?