A couple of months ago I happened to stop at two different retail stores in two different shopping centers in different ZIP codes. Both were small stores with no more than three employees in the store at any one time, both part of different small chains that were run fairly well. In both cases, their “cash register” system had gone down overnight. Since their credit card authorization system still worked, they both carried on, in one case for several days. It was a little more work for the staff, and took some time to get everything updated in the system once it came back on, but it had minimal impact on their business.
When we talk about the Cloud, we are potentially talking about an entirely different scenario. While some Cloud providers and consultants recommend not running anything “important” in the Cloud, in the long term that is bad advice. I understand wanting to start with something non-critical. The Cloud is new, and you need to gain confidence that it is a secure and reliable alternative. However, the real financial and business rewards will occur only when you move your key business applications into the Cloud. After all, those are the applications you are spending the most money on in terms of infrastructure and support and, therefore, have the most opportunity for financial advantage. Those are also the applications that will provide the most gain from increased agility to react to changing business needs. If you have only thought about disaster recovery or business continuance, then the Cloud can also provide additional cost-effective solutions in those areas. It is therefore essential that from the very beginning you work with companies that can solve the security, availability and performance requirements for your critical applications. It does no good to test drive a Smart Car when you have three kids.
If you have looked at all at Cloud Computing, you have found the myriad of Cloud Service Providers (CSPs) and Cloud Consulting Companies (CCCs) all coming at you with what sounds like very similar messages and capabilities. When you peel back the top layer, you find there are lots of different capabilities around the four-dimensional issues of security, performance, availability, and price. Whether you deal directly with a CSP or use a CCC to do the discovery, analysis, and planning of your move to the Cloud, and potentially to become your long-term “trusted advisor” on getting the most advantage out of the Cloud, you will need to be aware of the risks your company faces, and balance those with the initial and ongoing costs and the potential financial and business gains.
What are the risks to you of moving some or all of your IT into the Cloud? How much of that risk is shared with your CSP or CCC? I’ve categorized your risk in four areas: the usual security, availability and performance, plus what I call “contractual” risk.
If your Cloud vendor allows inappropriate access to your or your customers’ data, it is your fault and your problem to fix and your reputation that is harmed. The vendor may help in forensics, but they will not share this risk. Recommendation: pick a vendor who has the infrastructure, personnel, policies, and procedures in place that at least enable them to provide the appropriate level of security. I talked more about securing your data in the Cloud in an earlier posting.
Risk: not shared. All the risk is yours, and you are subject to the potential of financial and legal penalties.
Most CSPs will agree to service level agreements (SLAs) for availability, with financial penalties when they fail to meet them. These penalties are usually capped by the monthly fees you pay. Hopefully you know the risk and cost to your business if various parts of your IT infrastructure are unavailable so you can evaluate this risk.
Risk: shared, but your risk is unbounded while the provider’s risk is bounded.
Like availability, most CSPs will agree to SLAs, with financial penalties capped by the monthly fees. Often the main difference is whether you have a public cloud or a private cloud implementation. With a public cloud, you can usually get almost unlimited performance (for a price) based on instantaneous demand. With a private cloud, there may be some delay to get increased performance, but it is often far less than it would take you in your current IT environment. Of course, there are increased security risks with a public cloud implementation.
Risk: shared, and usually to your advantage.
Many of the CSPs have amusing contracts. I have seen contracts where the customer has a single-digit number of days to pay the monthly fee, and if you miss by even a day they can shut down your Cloud services immediately. I have also seen contracts where the CSP can terminate service for any reason on short notice, as little as ten days, with no financial penalties paid to you. While they may claim they have never done that, they can. Some contracts read like a real estate lease, where your financial penalties for leaving early are equal to the amount you would have paid to stay for the entire time of the agreement. You are often allowed to sub-lease the services, if you can find someone who wants at least what you were using and is acceptable to the CSP.
Risk: all yours. Make sure you have a realistic plan to move off the CSP within any contractually specified time frames before you sign.
The last word:
In my first college physics class in a huge lecture hall with over 200 students, Herr Professor Doctor Miller said “Look down your row. At the end of this three semester series, there will only be one of you left.” (I can’t reproduce his thick German accent, sorry.) He was, of course, wrong. At the end of the series there were only four left in the entire room. Cloud Service Providers are, I believe, in the same position. It is a new field, and we will see companies fail, new companies appear, companies succeed, lots of mergers, acquisitions, and the introduction of new technology and capabilities at amazing rates. The company you contract with today may not be there tomorrow, or there may be new companies with new technologies that you will want to move to.
A good Cloud Consulting Company can help you sort this all out.
Keep your sense of humor.