Can we really, really, trust the cloud?

Trust in the reliability, availability, and security of services is the glue that holds SOA and Web-oriented architecture together

My last post summarized some analysts' predictions that we will soon start to see large cloud ecosystems evolving, offering everything from infrastructure to applications to online tools from the cloud.

However, many people still have reservations about moving mission-critical systems and data (or control of data) to outside cloud providers. A reader of this blog, mr1972, posted an interesting argument as to why enterprise cloud computing still carries risk, noting that as companies seek to cut costs, they will leap to the clouds before considering the ramifications for security, common-sense IT management, and other matters.

According to mr1972, "none of the big players or the small players in the cloud have really addressed the following" (mr1972's concerns surfaced here):

Data Ownership. "The problem is the EULA normally gives IP and ownership rights to the cloud vendor, not the enterprise. So keeping trade secrets on the cloud is a no-no, and pretty much any other data you might want to keep secure and secret. The solutions put forth so far are 'Build your own data center for storing trade secrets and sensitive information.' Hmm. If I have already incurred the cost of a data center, why not use it for my business???"

Technical Support. "As soon as an enterprise can't use Excel and PowerPoint because a network server at Microsoft is down and you lose a big deal, the enterprise will start to value a service that is up 95% and has a support structure that meets the enterprise's schedule, not the vendor's schedule."

Exit Strategy. "No matter how big the player, they can still go out of business. If you are an enterprise dependent on a vendor to supply your software or storage over the internet and the cloud vendor goes out of business, what do you do? Xdrive was a storage company that offered cloud storage. They went out of business and only gave their users 48 hours to save data to another place. For an enterprise, this can't be acceptable risk."

Long-Term Data Storage and Accessibility. "If you are fortunate enough to get a cloud vendor to stay in business longer than 4 years, you might have 6-year-old documents stored with them. Can you still read the documents? Can you still open them up? If you keep tax records on the cloud, you might need them as much as 5 years. What happens when the file format is no longer supported or there isn't a file reader that can open the file any longer? Will the U.S. Taxation Office give your enterprise a pass on paying taxes because of technical difficulties, or will your enterprise have to pay huge fines?"

These points are important, and from time to time in this blog I have explored what happens when a cloud provider goes out of business, shifts its business model, or is acquired by a company that loses interest in supporting your particular apps.

As I also pointed out to another reader, enterprises really will have to do their due diligence to ensure that outside providers adhere to the same security requirements they have in place. I recently spoke with one IT executive who felt that the requirements in place at a Software-as-a-Service provider were more thorough than those applied to his own IT departments. He made sure, however, that he was intimately involved and proactive about the relationship. The point is that cloud computing isn't just something you buy on the fly -- the relationship should be as tight as with all mission-critical vendors.

By the way, the same due diligence needs to be applied to any type of service accessed from the network. Trust in the reliability, availability, and security of services is the glue that holds service-oriented architecture and Web-oriented architecture together.