For today's CIO, the perceived barriers to cloud computing remain security, regulation and compliance. The danger that data loss poses to brand equity, customer trust and share price is just the same whether data is stored in a cloud computing or traditional infrastructure model.
The severity of the issue is reflected in legislation like the recent Criminal Justice and Immigration Bill which states that the Information Commissioner's Office (ICO) now has the authority to levy fines of up to £500,000
Security quite rightly should be at the top of every CIO's agenda but there are a number of myths that lead to over-simplification or indeed dangerous assumptions about cloud computing. In light of this, we explore three myths that we have encountered recently and why they may be distracting CIOs from the real questions that need to be asked.
1. Security and compliance are "external issues"
Whether you choose to place your data "in the cloud" or create a hosting platform from dedicated servers, security must remain your concern. Security cannot be handed over wholesale to a cloud service provider because the very real question of security policies and procedures concerns your users as well. Firewalls and the rules that govern them still stand irrespective of whether infrastructure is virtual or physical. Likewise the usual security processes such as changing passwords and enforcing permission levels need to be observed within your organisation.
These are simple examples but they serve to illustrate the point. Robust data protection is critical to preserving the brand value and reputation of any company. Every week there seems to be another high profile example of a security breach undermining customers' trust in a brand, whether that is an online gaming site; web retailer or even government department. Regulations regarding security, control and privacy of data are complex. CIOs need to be certain that their service providers can help them navigate these rules and clearly understand where the responsibility for applying each part of the security policy sits.
2. Better SLAs will give sufficient protection
To some degree, the question of SLAs reinforces the same point. If you are using a traditional managed hosting service to host your data, you will ask for a robust SLA that leaves you confident that you can deliver on your SLA to the business. Businesses adopting cloud computing need to take the same approach.
However, relying on the SLA alone does not guarantee performance. It may mean there are penalties in the event of downtime, but that is cold comfort to an ecommerce organisation at the height of their busiest season faced with a website that has been offline for hours. Uptime availability figures aren't enough. 99.99% uptime may sound impressive until you work out the cost of 0.01% downtime.
CIOs should be asking the same questions around cloud services as they would do about any other IT service they use. What is your organisation's tolerance to downtime? What is the disaster recovery and back up service available? What will happen in the event of a failure at any point in the service? This does not point to lowest cost, best endeavours service. Economy of scale should mean that your chosen service provider is able to invest to minimise these failures.
CIOs have to be confident their service provider is able to respond and support their business, especially in the face of a "disaster". Furthermore this should form a key a part of your organisation's business continuity plan.
3. Private cloud is inherently more secure than public cloud services
Cloud services have moved on since the first definition from NIST in 2009. The background of early public cloud services has contributed to the perception that this type of cloud has lower levels of security. Private cloud should not be seen as a guarantee of security. Private cloud is dedicated to your organisation. By definition this can reduce the risk of using a platform shared by many customers, but again it is only as secure as the policies and procedures that you enforce. Firewalls still need rules. Data centres still need physical security. A private cloud can be more secure than a public cloud, but like any other system it is at risk from poor housekeeping and human error. Assumptions should not be made.
The decision criteria for private or public cloud implementation should be far wider than which is perceived to be more secure. As a CIO you will be asking what your organisation wants to achieve. Is it cost savings, speed to market, or flexibility to scale up or down, or more likely, a combination of all three?
As one of the most significant changes in IT in a generation, cloud computing can deliver real benefits in the way organisations consume IT. However, like any significant business change, careful consideration needs to be given to what the organisation is trying to achieve and why. Our own annual CIO cloud research demonstrates that the majority of businesses are using or piloting cloud computing services across parts of the enterprise, but very few businesses are deploying cloud services 'in full'.
The deployment of cloud services across the entire enterprise was only 16 per cent, while deployment of cloud services 'in part' averages out at 35 percent. This demonstrates that companies are engaging in cloud computing, but very few are making or will ever make the shift to cloud computing outright. Cloud computing is not simply about buying CPU cycles at the cheapest rate, it represents a fundamental change in how we consume and take advantage of IT. The consumerisation of IT is increasing this rate of change and old methods just won't hack it. While going on this journey from old methods to new is daunting, choosing who you take with you on the journey is perhaps the most important decision any CIO can make at this stage.
Posted by Steve Hughes, Principal cloud specialist, Colt