Is your data really safer in the cloud?

Here's what you need to consider before moving core applications into the cloud.
Written by Mark Samuels, Contributor
"Going with third parties really is a compelling argument. As an industry, we're getting there," says CIO Richard Norris.
Image: iStock
The cloud might now be a mainstay of enterprise IT provision, yet executives still have concerns about the use of on-demand technology, particularly when it comes to information security.

As many as 75 per cent of IT professionals say security is their primary reason for not moving applications on-demand, according to the Cloud Industry Forum. Yet such concerns might be unfounded: the same research suggests just two per cent of organisations have experienced a breach when using the cloud.

And while the technology might be compelling, CIOs must also consider the reservations of other executives, particularly in relation to governance and operational benefits.

You can rely on the cloud if the right governance is in place

Richard Norris, head of IT and business change at Reliance Mutual Insurance Society, says the ability to buy commodity services - for areas like mail filtering, policy administration, and Microsoft Exchange - is a big benefit for CIOs. "The opportunity to just phone up your supplier and add another 100 accounts on-demand really changes the business dynamic for IT leaders," he says.

Norris said governance around the cloud has evolved to a level that provides CIOs with assurances about data protection. He also believes vendors have taken big strides in regards to the setup of their technology estates, meaning wholesale use of the cloud is more realistic.

"Going with third parties really is a compelling argument," says Norris. "As an industry, we're getting there. The IT vendors are playing a key role and people are getting more relaxed about taking up cloud-based services because they've proven to be more secure."

Norris says he has already moved parts of his organisation's IT on-demand, including policy administration systems. Norris says any decisions to use the cloud must be related to accepted data classifications, and sensible governance and guidelines.

"I've been a cloud advocate for years and have spoken about its benefit at open forum events," he says. "I've always encountered people who've said that you need to worry about security and governance, but I've also always felt that business will only continue to move their IT on-demand."

Norris asks CIOs to think about security expertise within their own businesses: whatever resources you have, he says, the external supplier will always have more. "Their success of their business is predicated on keeping your information secure," he says. "They have to get it right, otherwise they'll fail."

This is a principle that chimes with Ian Cox, former CIO and independent consultant at Axin. "Fear, uncertainty, and doubt still predominate but has there ever been a security breach of a tier one system that holds corporate data?" he asks.

"CIOs are rightly concerned about security and governance, but it's all relative. If you take a step back and measure your server room against the datacentre of a tier one provider, you'd quickly see that there's no way your internal IT could be anywhere near as secure. So, why not rely on the cloud?"

You need to build a business case around operational benefits

Sean Harley, IT director at Top Right Group, says it is fine to stack up the business case for the cloud. But when it comes to moving systems on-demand, CIOs have to make sure host environments and networks are ready - and Harley believes governance remains the biggest issue affecting a move to the cloud.

"IT leaders need to have the policies in place that automatically close down environments that aren't being used," he says. "If you only use developers between 9am and 5pm, why would you run your servers 24/7? It's alright being able to fire things up quickly but you need to ensure costs don't run out of hand."

Harley says culture is also an issue. A case for moving to the cloud must be articulated carefully to senior executives and should be extremely well thought-through, especially given the legacy of previous decisions to rely on external service provision.

"My board wouldn't welcome me approaching them and saying that we're planning to place everything in the cloud," he says. "We used external service provision three years ago and the service wasn't very good. What we have to do is prove the value of something step-by-step before we move into the cloud."

The business case for going on-demand can be easier in certain areas. Harley points, for example, to the use of on-demand IT in merger and acquisition processes. "We are acquisitive in terms of our business strategy, but we'll also dispose of brands if we think they'd be better placed with someone else," he says.

"We've used the cloud to help with that disposal process. When we've sold a brand, we might put their virtual servers up into the cloud and then the acquirer can pull that information down safely and simply on-demand."

Omid Shiraji, formerly CIO at Working Links, agrees that use of on-demand is spreading into other areas, including across many different types of business. "Take local and central government organisations, which now seem much more amenable to the idea of cloud services," he says.

Shiraji says on-demand IT provides agility, so that CIOs can scale-up quickly to meet new business demands in new locations. The cloud also helps keep costs in check. Rather than having to worry about capital expenditure, CIOs know how much each new service is going to cost and can manage releases.

Like Shiraji, Abi Somorin - former senior IT manager at beachwear retailer Orlebar Brown and now independent consultant - believes on-demand technology can help reduce operational concerns. He recognises that some organisations remain concerned about security and governance issues, yet he believes the cloud is now an accepted business practice.

"CIOs need to consider their core requirements. Are you running a security business, a software organisation or are you operating in another area altogether, such as retail? The chances are that your key objectives will be related to your area of operation and not technology," he says.

"So focus on what you do best. If you're running a lean IT operation, it really makes sense to outsource as much as you can. Spend your internal money on your core business areas."

More essential tech and business leadership stories

Editorial standards