What could go wrong with cloud? Let's count the ways....
In their latest book, Cloud Computing for Business, Dr. Chris Harding and his team of co-authors affiliated with The Open Group — a key standards body for enterprise architecture — detail some of the key risk areas that need to be looked at with any cloud project:
Risk #1: The solution may not meet its financial objectives: Do your short-term and long-term ROI work. The key factors to consider when assessing cloud ROI risk probability include utilization, speed, scale, and quality. "These factors are built into most ROI models, and affect the headline figures for investment, revenue, cost, and time to return."
Risk # 2: The solution may not work in the context of the user enterprise’s organization and culture: Always a biggie. The best way to address is having "a clear executive vision and direction for business transformation," which includes top-level executive support. (Easier said than done, right?) This should include the establishment of "a clear roadmap for procurement or implementation of cloud services and applications that use them, and coordination of stakeholders and competing strategies to get consensus for storage, computing, network and applications to avoid islands of demand usage." Always start with pilots to create confidence and "build buy-in and usage in the user community for cloud services."
Risk #3: The solution may be difficult to develop due to the difficulty of integrating the cloud services involved: "There is a risk that it will not be possible to integrate [multiple] cloud services with the existing system and with each other. This risk is critical; if the system cannot be built, it cannot be used. The service integration risk can be assessed by considering interface conversion cost, ability to change the existing system, and available skills." The skills part could stand as a risk on its own, as Harding and his co-authors point out that "significant skills are required to assemble and customize multiple cloud services from different providers in a flexible, adaptable way, while maintaining security, backup, and governance mechanisms."
Risk #4: The solution may not comply with its legal, contractual and moral obligations: "Dependence on an external cloud supplier can increase the probability of noncompliance. Even if you have contracts that provide the necessary assurances on location and confidentiality, force majeure may prevent the supplier from honoring them. For example, what would be the result of legal action for subpoena of data in a cloud environment that may not even be held under your tenancy, but have been placed on the same system by other tenants? And what would then be the impact on your corporate reputation?"
Risk #5: A disaster may occur from which the solution cannot recover: Along with the usual mayhem, this can be a business "disaster" such as bankruptcies or contract cancellations on the part of cloud suppliers. "As part of your risk analysis, you should identify the unplanned events that could harm you, and assess their probabilities and impacts. You may also wish to make general provision for unforeseen events that disrupt the cloud services that you use, or damage their data... you can build into your system design elements that will reduce their probability or mitigate their effects. For example, an effective backup and restore process, with the backup copy held in a different location from the data, or on your own rather than the cloud supplier’s system, can change the impact of a disaster from fatal to merely serious."
Risk #6: System quality may be inadequate, so that it does not meet users’ needs: "The system quality of an external service can be assessed using the same factors as for the system quality of your own solution." In addition, look at the track records of suppliers very carefully, just as you would any outsourcing provider, Harding and his co-authors advise."
Risk #7: Security may be inadequate: Need we say more? "Having your own information, on your own hardware and between your own four walls, provides a level of comfort that you lose in the cloud," Harding and his co-authors point out. "Cloud computing is not necessarily insecure, just that new considerations need to be taken into account and more modern security models developed and applied. You must adapt traditional security models to suit cloud computing needs and consider end-to-end security, including your own internal policies for access control and user provisioning."
Risk #8: I'm going to add an eighth risk to The Open Group's list, and that is, there may be an existing lack of service orientation. Not having full-blown SOA isn't necessarily risky in itself when moving to cloud, but the inability to move processes from current interfaces and underlying applications to more agile cloud services could really make a mess of things -- and ultimately make cloud more expensive than leaving things as is.