It is tougher to establish accountability in a hybrid cloud environment comprising multiple vendors, where the customer's assets would be intertwined with those of its service provider. This, however, can be managed with clearly defined service contracts and a better understanding of what is, and is not, allowed by regulators.
Accountability in terms of service experience and event management could be a tricky process when dealing with hybrid cloud deployments, said Rosie Simmons, BT Global Services head of portfolio and strategic partnerships for Asia, the Middle East, and Africa. This would be particularly apparent in a shared cloud environment, because there would typically be multiple ownership profiles, service management responsibilities, and a wide geographical spread, she said.
To better manage this, Simmons underscored the need for a governance function within the hybrid cloud environment, which could comprise internal teams or a service provider with the ability to capture the different variables and align them with their corresponding projects.
Matt Hunter, associate with law firm Olswang Asia, however, noted that it would not necessarily be tougher to establish accountability, since cloud service providers recognize the need to ensure that their offerings can be trusted. He added that there are several ways to do this, including adopting legal measures.
At the basic level, there should be a contract detailing obligations on the cloud service provider's part, such as limits on the use of customer data for other purposes, obligations toward confidentiality as well as transparency regarding data location, and obligations to return and delete data on termination.
Data sets of various customers stored on the same infrastructure should be logically separated, and this requirement should be included in the service contract as well, Hunter said. "An enforceable contract provides a good safety net for enterprises when using shared or hybrid, as well as public, cloud environments," he said.
Hunter also pointed to other issues that enterprises should be mindful of in a hybrid cloud model, particularly if their assets are intertwined with those of the cloud provider. Compatibility must be assured where the two systems need to work together, and responsibilities for maintenance as well as updates should be clearly defined. Again, there should be a clear process for separation if the relationship is terminated, he said.
Simon Dale, head of technology and innovation at SAP Asia-Pacific Japan, noted that proper service level agreement (SLA) management is critical in order to address issues relating to accountability.
"When you have everything in-house, you've got one IT department responsible and governing all the SLAs. When you start integrating external providers, you need to ensure the [both sets of] SLAs are aligned," Dale said. "It's still about having proper evaluation and necessary governance."
He added that customers should clearly define in their SLA what must happen should something go wrong, and what must be done to resolve the issue. To ensure proper accountability and governance in a hybrid cloud environment, enterprises should first understand how to categorize the various services they consume, and the level of risks they are willing to accept with each of these services.
"Second, dig into the service side of things," Dale said. "It might be that something is cheaper and more convenient, but the quality of that service may be something organizations need to investigate in depth and ensure a certain level of guarantee in the after-sales delivery."
They should then look at integration, he said, noting that the traditional approach would not apply as well in a cloud environment, especially in a public cloud where there might be issues with data sovereignty and latency.
According to Hunter, regulatory requirements often pose the biggest hurdle to the adoption of cloud services, including hybrid and public. He noted, though, that there are often misconceptions that regulations do not allow or make it difficult to use such services. This is not accurate, he said, adding that regulatory issues could be dealt with if enterprises ensure that the necessary legal measures are in place to manage their cloud services.
"Privacy laws [and vertical-related regulations] do not forbid the use of these cloud services," Hunter explained. "They only require that certain measures are put in place to ensure accountability, security, and privacy are maintained."
For instance, the International Standards Organisation last year published a new standard, called ISO/IEC 27018, which outlines controls that public cloud service providers must observe if they host or process personal data belonging to their enterprise customers. Compliance with these controls would provide cloud adopters with confidence that their providers are fulfilling the requirements mandated by the relevant privacy laws, Hunter said.
Dale concurred that regulations and concerns about data sovereignty should not be seen as a barrier to cloud adoption. While such issues are relevant, they should not be used as "an excuse" to avoid cloud.
Contrary to popular belief, for instance, regulators in the financial service industry do not prohibit all forms of data from being stored in a cloud environment. Pointing to the Monetary Authority of Singapore as an example, Dale explained that the regulator allows certain kinds of data that are not sensitive to be stored or processed in a cloud environment.
"Data sovereignty doesn't apply to everything, but to specific workloads," Dale noted, adding that it is not possible for cloud providers or enterprises to build datacenters in every city across the globe. "If you're just buying and selling products like pencils, how sensitive is that data? So you need to think about workloads, which is missing from conversations [about cloud] sometimes."
Dale said that enterprises should look at segmenting workloads into data that is mission critical and non-sensitive. "It's the cloud vendor's responsibility to do that assessment," he added.
Simmons further noted that customers want to leverage the benefits of an on-demand infrastructure while achieving business KPIs around performance and processes.
In addition, today's changing application demands require maximum flexibility across cloud providers, locations, and technologies, she added.
Addressing a common misconception that hybrid clouds are only about networks or about where the servers are located, she urged that large hybrid cloud setups be evaluated "as business transformation projects", where a new supply chain mechanism might have the potential to drive results.
"Another misconception is that the hybrid cloud is basically a self-service portal to deploy servers. A much more detailed evaluation needs to be undertaken in terms of how the entire delivery platform will function while incorporating multiple partners, technologies, and processes," Simmons said.