Original URL: http://www.theregister.co.uk/2009/08/25/cloud_questions/

There’s no escaping the cloud

You can run, but you can’t hide

By Dale Vile

Posted in Servers, 25th August 2009 11:38 GMT

So you think the cloud is not for you? If that's the case, you are not alone. Feedback from The Register's readership has been consistently mixed on the subject of cloud computing. In spite of all the hype, many working at the sharp end in mainstream IT departments remain sceptical.

While some dispute the economics and dismiss the claims of the evangelists as being wildly exaggerated, others point to some of the integration challenges of getting multiple cloud services working together with your in-house systems.

There are then the questions about how to coordinate security and access policies across multiple operating domains and the dangers of getting locked into proprietary services. Also, there may quite frankly be doubts over the readiness of some cloud service providers with a limited track record and/or more of a consumer background to step up to the mark when it comes to supporting core business processes.

By far the most commonly heard concern, however, is that of trust. Many IT pros are reluctant to hand the corporate crown jewels, i.e. core information assets, across to a third party for safe keeping, especially when that third party is a US multinational perceived to be open to governmental snooping under the pretence of antiterrorism legislation.

And regardless of how robust the provider’s security infrastructure appears to be in physical terms, stories of admin passwords escaping into the wild and exposing private information have a tendency to feed the fears of the sceptics.

Box hugging

One response to this is to simply sit tight and carry on with the 'box hugging' approach, maintaining everything in house where you can keep an eye on it. But does that mean information pertinent to your organisation's business will be 'safe' from the cloud?

A few months ago I had an interesting exchange at a vendor conference that cast doubt on this. As is becoming very clichéd nowadays, the senior exec stood up and gave a keynote talking about how cloud computing was the future and how his company was well positioned to help organisations 'make the transition'.

You would get the impression from listening to him that the whole world was committed to embracing this brand-new disruptive paradigm shift that was taking place. To illustrate the point he talked about how the use of Salesforce.com had transformed his own organisation.

The next speaker to stand up was one of the vendor's customers - a big financial institution. After he had talked about how the vendor's traditional product offerings had helped his organisation, the floor was opened to Q&A. One of the questions asked at this point was to what degree the company had embraced cloud computing.

The answer was really not at all, because, you guessed it, the idea of the bank’s data and/or core business systems being looked after by a generic third party would be a 'difficult sell' to business stakeholders. While bespoke hosting arrangements with a trusted traditional outsourcer might be one thing, this utility stuff is a different kettle of fish altogether.

Feeling in a slightly mischievous mood, I stuck up my hand, reminded the presenter that the vendor hosting the conference had described the bank as a strategic customer, and had also talked about all of its sales and account management needs being fulfilled by Salesforce.com. Given the deep interaction between the two companies, I therefore suggested that a lot of proprietary information about the bank was probably being maintained in the cloud whether they liked it, trusted it, or not.

This would, for example, include the names, positions and responsibilities of key people, and who knows what other background on each. It could also include details of past and future projects, which trusted suppliers had been made aware of in confidence, or which had been mentioned indiscreetly by an employee over a beer with a salesperson. When I asked whether the aforementioned bank stakeholders were aware of this, or how they would feel if they realised it, the response was merely that this was an ‘interesting question’.

No escape

The point here was not to pass judgment on whether cloud services are a good or bad thing, either in absolute terms or for any given organisation, but simply to highlight the fact that there really is no escaping the impact of this trend.

In the example given, we were talking about CRM data, but as cloud-based ERP gets used in a collaborative supply chain context, as sensitive contract information ends up in the inbox of a supplier, customer or partner who happens to be using Google's hosted email service, and so on, we have to accept that the security and privacy of our proprietary business data will increasingly be dependent on cloud providers.

As the bank’s spokesperson said, this really is a very interesting problem, and there is no easy answer to dealing with it. Some cloud providers are clearly very competent and probably don't represent a significant risk, but if someone we deal with is putting information we care about into the hands of dodgy or inexperienced cloud players, there is a potential exposure, at least theoretically.

Against this background, I am interested in your views. Is this a real problem, or something we shouldn't get too hung up about?

Perhaps it's a question of making sure policies are in place to deal with the sharing of information or the vetting of third parties before sensitive information is shared with them. Does the dreaded DRM approach have a role to play? Then again, we could question if anything has really changed. After all, how well do we police the way in which other parties store and manage information that is confidential or sensitive to our business now?

I would appreciate any feedback or experiences you might have in this area.

Freeform Dynamics Ltd