Four big obstacles for cloud computing

Everybody seems hyped up about “the cloud,” so there’s a good chance you might be wondering whether your business should be getting ready to migrate many of its day-to-day functionality to a bunch of online services.

Certainly, there is a fair chance that you already make use of a bunch of cloud-based services. If you’re using Gmail or Google Calendar, then you’re already making use of software in the cloud. Externally hosted Microsoft Exchange services have been around for a while and, once again, using these may be considered to be taking advantage of the cloud.

The thing is that ultimately any software that is not hosted locally within your own IT infrastructure, and that is accessible via the internet is actually in the cloud.

There are huge advantages to making use of online services for your business, and certainly email is a fairly obvious one because was originally designed as an internet service, but its time to get your feet on the ground and look at why you really don’t need to rush into moving every last shred of your data onto the internet.

Here are four big obstacles to cloud computing and why you should stick in your heels until they are properly addressed.

Security
Security is the first thing that leaps to mind when you start thinking about putting data online.

You’re no longer responsible for it just on your own premises, but also in a very public space which is fairly notorious for being the playground for script-kiddies and malicious hackers.

Before you export all of your company accounting data into the latest and greatest online accounting package, you need to take a few things into consideration:

  • Transport Layer Security — Traditional forms of encryption for internet traffic are under attack and are no longer completely reliable
  • Software Auditing — All software used to provide access to the service needs to be audited and maintained against vulnerabilities. This includes web server software, middleware application layer software such as PHP or .NET, all libraries used, database software, the actual code for the service, javascript code (because we all love Web 2.0), administrative service software, operating system etc.
  • Data Storage Security — We need to know that our data is actually stored in a secure way, that is not accessible to other users of the service or to any Joe Soap that walks into a hosting facility, and that also has protection from hardware failures etc.
  • Personnel Security — What level of auditing of personnel is performed by the provider? How much access do they have to actual data? What access controls, deprovisioning methods, and account management facilities are in place? Remember the Shionogi incident!
  • Decommissioning Strategy — What happens when hardware containing sensitive data is removed from service? Can you be sure that your data is properly wiped from hard disks when they fail? What happens to your data when you decide to discontinue a service or migrate to an alternate service?

Legislation
Usually very tied up with the security problems, is a problem with regard to legislation. This is such a difficult area that many companies just pretend it isn’t an issue, however you need to consider not only your own country’s legislation with regard to the storage of data and the export of information, but also the laws regarding the same for the country of your provider.

So if you’re an African business, and you decide to make use of a cloud-based service in the US, all of your data is immediately subject to US law.

This has very big implications. While data-privacy laws in Germany are almost sacrosanct, laws governing data-privacy in the US are currently much less stringent.

This adds another layer of complexity, which is usually a compliance issue with regard to data protection. If your business is storing credit-card information, or personal user data such as health information, you need to ensure that that data is stored in a way that meets your own country’s legal requirements, but the requirements of your provider which might be located in a different country may not be the same. This means that you have to ensure that the legal requirements, or at least actual practices by your provider, actually match your own legal needs.

Finally, there are issues around intellectual property and data ownership. While it should seem obvious that the data is owned by the customer making use of a service, the way in which data is store and accessed usually falls to the service provider.

Legally, this presents the problem that since the data is stored on the service provider’s systems, the actual owner of the data cannot exercise more control over it than to simply access and manipulate and process the data.

This could present a number of problems with regard to exporting data or migrating away from a provider. Since laws vary all over the world, you might think that you have some level of protection, but your cloud vendor may have a completely different perspective.

Integration
While cloud vendors will be quick to tell you how much money you will save using their services, exporting different facilities out onto the internet has a different associated cost that is very hard to measure, and this is the cost of integration.

Firstly, you need to consider that it is unlikely that you will be able to move every bit of your IT infrastructure into the cloud in one go. That means that existing facilities need to be integrated with online facilities so that you can keep the same, or at least very similar, business processes to those that you already have in place.

Since every business is different in terms of the software and services that they make use of, and how these pieces of infrastructure are tied together, it is unlikely that a vendor will meet your exact needs. Usually, this either requires a change to your business processes or to your current infrastructure, potentially requiring some custom development to make things work smoothly.

Perhaps the most commonly highlighted problem is that of Identity Management.

In the good old days if an employee left your company, simply revoking their account would be sufficient to prevent them from accessing facilities that they were not authorised to access. By moving different components of you IT infrastructure out into the cloud, you create something of an identity management crisis.

The problem here is that firstly, cloud vendors tend to be specific about the services they offer. That means that you might end up using a variety of different vendors for different services. This means that you have different accounts for your users hosted in a variety of different places. A user could end up with multiple passwords that need to be managed and different access rights depending on the services that they have connected to. This creates an administrative nightmare. If an employee leaves, there is no way to quickly check that access to all services has been removed.

There are movements to try to get a handle on this, such as Federation, but all of them are immature and pretty costly to implement, not to mention that you need to make sure that your cloud vendor is using the same technologies as you’re interested in using. As your infrastructure becomes increasingly distributed, the cost of integrating different components that allow your business to function smoothly increases as well.

Availability
Once upon a time, your IT guys just had to make sure that LAN connectivity was operational, and then all of your users could get on with their work. By moving services out onto the cloud, you become increasingly dependent on a chain of third parties in order to access business critical data.

Inside your business, you will still need your LAN to function with the same resilience that it always had, but now you will also need to be sure that there is guaranteed uptime not only for each of the services that you use on the Cloud, but for your ISP as well.

While certainly it is possible that having services out on the cloud actually increase availability, since an ISP failure can easily be overcome by using an alternate ISP during an outage. By using cloud services, you can suddenly access business facilities via your mobile phone, your tablet or laptop computer. Realistically, however, when your internet fails within most enterprised-sized businesses, you can’t have everybody take their laptop down to Starbucks to carry on with your day-to-day business activity.

Yes, you could build in extra redundancy by subscribing to two or more different ISPs to ensure availability, but not only are you addressing only one point of failure, you are also increasing your costs which is meant to be one of the big benefits of cloud computing in the first place.

You also have no guarantee that financial collapse or a legal battle involving your cloud service provider doesn’t render your own data unavailable for a period that may cripple your business. It is not unfeasible that the activities of an unrelated business hosted on the same service as your own, results in a legally sanctioned seizure that makes your data unavailable to you. By moving your data out of your own control, you are allowing your business to be impacted by circumstances that are not your own responsibility.

While it is true that cloud vendors will point out that you actually have increased availability, in the sense that you can access business services from anywhere in the world on any device at any time, this can help to nullify many of the security policies that you may prefer to implement.

So increased availability, at least in the sense that it is touted by cloud vendors, is not always an advantage.

Concluding Remarks
Although this article is fairly long, I’ve had to be brief and have only skirted around many issues. The important thing to remember is that the “cloud” is not new, it simply means the internet. And more often than not, it is actually just limited to the World Wide Web.

I believe that its modern rebranding is a skillful method of getting people to leave behind many of the pejorative ideas that jump to mind when we think of the internet, but it doesn’t change the fact that when a vendor tells you that your accounting data will be hosted in the cloud, it means that you are sticking your accounting data out on the internet where it is subject to all of the problems that go with this territory.

It is worth bearing in mind that the big consultancies and analysts who are currently describing all the virtues of cloud-based technologies don’t do this out of their own unfunded will toward the good of humanity. Every single one of them is paid by the big corporates that are currently pushing this technology for all they’re worth.

That’s not to say that I don’t agree that cloud-based services have a lot to offer many businesses, it’s just that as these services are marketed we need to keep in mind what they’re really about and the challenges that a business needs to consider before it gets caught up in the hype.

More

News

Sign up to our newsletter to get the latest in digital insights. sign up

Welcome to Memeburn

Sign up to our newsletter to get the latest in digital insights.