Three myths clouding CIO judgement

October 19, 2011 By David
Grazed from CRN.  Author: Steve Hughes.

For the CIO today, the perceived barriers to cloud computing remain security, regulation and compliance. Yet the danger that data loss poses to brand equity, customer trust and share price is exactly the same whether the data is held in a cloud model or in a traditional infrastructure model.

This is reflected in legislation that gives the Information Commissioner’s Office (ICO) authority to levy fines of up to £500,000 on organisations that recklessly lose confidential or personal information…

Security quite rightly should be at the top of every CIO’s agenda, but over-simplifications and dangerous assumptions get made along the way.

The first is the idea that security and compliance are merely external issues, to be delegated to whoever runs the infrastructure. Whether you choose to place your data in the cloud or build a hosting platform from dedicated servers, security must remain your concern.

Security cannot be handed over wholesale to a cloud service provider, because security policies and procedures apply to the users of the platform as much as to the platform itself. Firewalls and the rules that govern them still stand, irrespective of whether the infrastructure is virtual or physical. Likewise, routine security processes such as rotating passwords and enforcing permission levels still have to be carried out within the organisation; no provider can do that for you.

Robust data protection is critical to preserving the brand value and reputation of any company. Every week there seems to be another high-profile example of a security breach undermining customers’ trust in a brand, whether that is an online gaming site, web retailer or even a government department.

Regulations regarding the security, control and privacy of data are complex. CIOs need to be certain that their service providers can help them navigate these rules, and need a clear, written understanding of where responsibility for applying each part of the security policy sits: with the provider, with the customer, or shared between them.

The second myth is the idea that simply having better SLAs will give sufficient protection.

To some degree, the question of SLAs reinforces the previous point. If you use a traditional managed hosting service to host your data, you ask for a robust SLA that leaves you confident you can deliver on your own SLA to the business.

Businesses adopting cloud computing need to take the same approach. However, relying on the SLA alone does not guarantee performance. It may mean there are penalties in the event of downtime, but that is cold comfort to an e-commerce organisation at the height of its busiest season faced with a website that has been offline for hours.

Uptime availability figures aren’t enough on their own. That 99.99 per cent uptime figure may sound impressive, until you work out what the remaining 0.01 per cent means: roughly 53 minutes of downtime a year, and at 99.9 per cent nearly nine hours. The question is what those minutes or hours cost your business, and when they are likely to fall.

CIOs should be asking the same questions of cloud services as they would of any other IT service they use. What is the organisation’s tolerance of downtime? What disaster recovery and back-up service is available, and how often is it tested? What will happen in the event of a failure at any point in the service, including the provider’s own dependencies?

This does not point to a lowest-cost, "best effort" service. Your chosen service provider should have the economy of scale to minimise these failures and the operational maturity to recover from them. CIOs have to be confident that their service provider is able to respond and support their business, especially in the face of a disaster.

Furthermore, the provider’s recovery commitments should form a key part of the organisation’s own business continuity plan, not sit outside it.

The third myth, also held quite wrongly, is that private cloud is inherently more secure than public cloud services.

Cloud services have moved on since they were first defined in 2009. The origins of early public cloud services have contributed to the perception that this type of cloud carries lower levels of security. But private cloud should not be seen as a guarantee of security either.

Private cloud is dedicated to your organisation. By definition this removes the risk that comes from sharing a platform with many other customers, but again it is only as secure as the policies and procedures you enforce on it.

Firewalls still need rules. Datacentres still need physical security. A private cloud can be more secure than a public cloud but, like any other system, it is at risk from poor housekeeping and human error: an unpatched hypervisor or a forgotten default credential is no safer for being on dedicated hardware. Assumptions should not be made.

The decision criteria for private or public cloud implementation should be far broader than simply assessing whether the solution is perceived to be more secure.

CIOs should be asking what their organisations want to achieve. Is it cost savings, speed to market, flexibility to scale up or down, or a combination of all three?

Many businesses are using or piloting cloud computing services across parts of the enterprise, but very few are putting services 100 per cent in the cloud.

Cloud computing is not simply about buying CPU cycles at the cheapest rate. It represents a fundamental change in how we consume and take advantage of IT. The consumerisation of IT is increasing this rate of change and old methods just won’t hack it.