To build trust in cloud engagements, ask these 3 questions

Summary: Cloud is a compelling proposition, but most business leaders are nervous about security and reliability. Here's a way to calm those nerves.


Cloud trust needs to be earned. Robert Grazioli, CIO of SuccessFactors, an SAP Company, provided the following advice on building that trust.

The hype and excitement surrounding cloud computing is reaching a fever pitch, yet many businesses are still expressing concerns over cloud security and IT integration issues. How can distrust of the cloud be resolved, and is the cloud worthy of the current hype? 

Robert Grazioli, CIO of SuccessFactors, an SAP Company. (Image: SuccessFactors)

There's a paradox at play here: The cloud is generally agreed to offer significant potential. Yet, some businesses are failing to tap into the huge opportunities offered by cloud computing due to a lack of trust.

In a recent global survey of 360 businesses by Knowledge@Wharton and SAP, 67 percent cite "security breaches and data losses" as their main cloud computing concern. This concern resembles the reaction when the personal computer was introduced. Large companies resisted its deployment for a long time due to questions about security, costs and more. Deployment spread only after PCs started being purchased by CEOs, and IT organizations had to figure out a way to integrate them successfully.

Information is a powerful weapon in the battle to eliminate cloud concerns. The following are three questions business and IT leaders should ask before moving to the cloud:

What laws should govern my cloud computing technologies? 

There is a complex legal regulatory environment surrounding cloud computing that both customers and providers need to consider. In the United States, there are industry-specific laws governing the cloud computing environment. In certain domains, such as medicine and banking, stringent legal and policy frameworks, not unreasonably, constrain the ways in which data may be treated.

For example, under the Health Insurance Portability and Accountability Act (HIPAA), there are three security safeguards required for compliance: administrative, physical, and technical. The act establishes privacy and security standards for the use and disclosure of certain health information in electronic form and transaction standards for the exchange of health information. Additionally, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions storing data in the cloud to annually notify each customer about the personal information they've collected, where that information is kept, how it is used, and how it is protected.

Approaching security for the cloud requires a master plan using the requirements from industry-specific laws. Understanding federal, international and state laws governing cloud computing will help companies ensure legal compliance and enable customers to gain confidence in cloud security.

How can I ensure my provider is complying with industry best practices? 

Companies need to create a set of rules and policies that govern the terms and conditions for consuming cloud resources (the compute, storage, and network). This is called the orchestration layer. Without this orchestration layer, adherence to service-level agreements (SLAs) and the capability to manage the creation, activation, and ongoing support of all the resources is at risk.

Clear and well-defined SLAs are the best way to make sure governance can be integrated into the customer's organization. Customers can include regular audits by third-party organizations in their contracts to ensure the provider complies with best practices and any legal obligations. Additionally, proof-of-concept (POC) testing is mandatory: companies should go into deployment with no questions unanswered. Customers can also explore "try and buy" options and include "opt-out" language in their contracts.

How can the cloud benefit my business today and in the future? 

The Knowledge@Wharton/SAP survey shows 87 percent of businesses believe cloud computing will transform their business or industry, and 47 percent see cloud computing as a driver for innovation and differentiation. There are a number of reasons for considering a move to the cloud, but the most compelling is the ability to lower total cost of ownership and the flexibility it gives businesses to work on strategic initiatives.

Cloud implementation is much more straightforward than traditional software. There is a fixed fee, so companies know exactly how much they're going to pay each month or year depending on the model. Cloud vendors usually price based on a per-seat model. This allows companies to add or subtract users without additional infrastructure and staffing costs.

Another cost-benefit factor is the value of agility — the ability for businesses to quickly respond and make changes to meet dynamic circumstances. For example, if there is a business need for a new system, companies can simply provision the resources required from public cloud providers. This process is much easier than configuring and hosting hardware and software assets.

In a couple of years, we'll be hearing companies talk about how cloud technology helped them create a much tighter connection between IT and business transformation. All it takes is trust.

1 comment
  • Outside the USA...

    One big problem is that, outside the USA, using any cloud service which has even a branch office in the USA, let alone a data center or a headquarters, is precarious at best.

    Using Google, Amazon, Microsoft etc. is pretty much out of the question, because they have said that they will comply with requests for information belonging to customers under the Patriot Act. That means you open yourself up to possible prosecution under the Data Protection Acts (e.g. in the EU), where that data cannot be handed over to the US Government without first getting the written permission of all parties whose PII will be compromised. The customer, whose data the cloud provider is giving away without notification or gaining permission to do so, is the one that will end up being prosecuted.

    You really need to see if your cloud provider has either no ties to the USA or that they will protect the data under safe harbour, before you give it to them.

    The likelihood of the US Government wanting the data is relatively small, but if they do and somebody finds out, you can face heavy fines or imprisonment for the cloud provider handing the data over "illegally" to the US Government.