Cloudy issues around risk: the large enterprise user perspective

Is the cloud as safe as it needs to be in order to lure business critical data? Are we placing enough emphasis on security or simply taking SaaS/cloud vendors on trust? What is the large enterprise view?

One of my main objectives in attending the SAP UK and Ireland User Group annual conference was the opportunity to meet with UG chair Alan Bowling and get him together with Ray Wang. I already knew that Ray would be presenting a position that for many UK SAP customers might seem radical, even though to me much of what he said is 'day to day' for people like Ray and me. It's a measure of the differences in approach, understanding and readiness for newer technologies between the US and UK. It is well worth understanding if we are to get a sense of globalized operations.

I had no idea what the topic of conversation would be until the end of the first day when Alan and I got into an animated discussion about cloud computing - the fashion phrase du jour in enterprise tech. The video above illustrates the kernel of what Alan and many of his UK colleagues are thinking.

As I was recording this conversation snippet, I found myself increasingly thinking of the days when telephone use was restricted. Suddenly, Alan's remarks seemed retroactive and stifling of the very innovations Ray was recommending and which have captured the imagination of many organizations. But then the points he raises are still around us. Last December Oliver Marks wrote:

The reality is that putting data in the cloud isn’t just a vendor viability issue - there is also this fundamental plumbing reliability concern to think about when connecting federated or distributed partners and business units.

With many people now very dependent on the internet for their livelihood it is growing increasingly important that the fundamental infrastructure of the net - which is strategically important on a lot of levels - is more closely monitored and guarded. Depriving entire nations of internet access can be as crude as snipping cables, as was the case with telephone cabling in World War 1.

I recall a recent conversation with Zach Nelson, CEO of Netsuite where he said that his biggest competitor is no decision. Another interpretation might be that despite economic arguments for SaaS/cloud, customers remain nervous. If that's the case then it will only require one well publicized outage or data loss for the SaaS/cloud industry to experience a major setback. The investment in allaying customers' fears has surely got to be worth the elimination of that (perceived?) risk.

Off camera, Alan made some extremely important observations that tie into his main message of exercising due diligence on cloud alternatives in exactly the same way you would on-premise. By pure coincidence, I noticed that Larry Dignan had a guest post on Friday from TechRepublic's Scott Lowe, CIO of Westminster College in Fulton, Missouri, that said something similar:

Highly secure environments remain that way by connecting themselves to as few other environments as possible. Every time an organization outsources a particular process or service, lines of communications need to be established and remain open to facilitate that process or service. While many outsourcers have enviable security measures in place, IT groups that want to outsource must make certain that vendors maintain regulatory compliance as well as security measures. Failure to do so can and will open an organization to major liability.

Alan talked about the fact that UK government is taking the issue of security in all its forms extremely seriously. It's had its fair share of embarrassments but is concerned that cloud proliferation could lead to increased risk. "The data's got to be on some server but where? If you don't know then how can you realistically perform a meaningful risk assessment?" It's a good question to which there are no easy answers.

The UK has developed rules governing data protection that (among other things) restrict UK vendors to using EU based server environments. However, the penalties for non-observance have been piffling. From January 2010, it is expected those penalties will be ratcheted up significantly. That's an indication of how seriously government considers the potential risks, even if that might seem counter-intuitive to free market thinkers in the US. Alan also pointed out that there are many different flavors of risk understanding that make the cloud computing landscape incredibly complex for decision makers. That's also a fair point.

At the commercial level, Alan talked about having been burned in a past life and his fears of it happening again in the public cloud environment. Despite my arguments to the contrary, it was apparent to me that Alan's position is based upon three things:

  1. Uncertainty,
  2. A lack of standards and
  3. A lack of what he sees as well thought out operational measures to ensure that if/when the inevitable disaster does strike, business doesn't come to a grinding halt.

In illustrating his point, I got the sense Alan was referring to a series of Doomsday Scenarios that could be matched in the on-premise world. Even so and with predictions that we'll see many 'clouds' both public and private, it is hard to argue against the main thrust of what he's saying. I've seen for myself some cavalier thinking at the VSB end of the market such that I wouldn't touch certain services with a long bargepole.

I sense that wise thinking people would agree that right now, we're looking at a 'Wild West' of unencumbered innovation but with it a lack of attention to managing the moving parts in something resembling best practices. The handwavers are drowning out any perceived dissenting voices in the name of IT democracy. Last time I read, democracy comes with a price tag: responsibility. I don't hear too much of the balancing argument and in that sense agree Alan has a solid point worth serious consideration.

Regardless of whether you think Alan is overstating the risks or being overly cautious, his voice resonates with many customers. It is the voice of experience over hope that lends a pragmatic certainty and authenticity you cannot ignore. His members will listen to his position knowing that it comes from experience, and that they can learn from it. The way forward is to open up the discussion to healthy debate, though I am less hopeful of that than of the downstream effects of a catastrophic disaster.

Cloud vendors need to step up and provide assurances so that customers can have confidence that business critical data put into the cloud is as safe as possible. As time goes on, the definition of what constitutes 'business critical' will not be limited to, say, billing applications (no bills, no cash, you're dead in the water).

Bearing in mind that much emphasis is currently being placed on the melding of unstructured data from multiple sources with existing on-premise generated data, that of itself could easily create a breeding ground for uncertainty and risk. Right now I see little industry attention paid to this important topic.

Time to take a deep breath and think this issue through?

Read also: Dark Internet Fundamentals from Oliver Marks