The recent outage suffered by Amazon has reignited the controversy around cloud computing. Many traditional IT enterprises have been actively debating the merits and risks of moving services to cloud providers. In this post, I’d like to examine the conventional wisdom that cloud computing is riskier than on-premises, self-managed environments.
Many folks have a strong, “religious” opinion about cloud computing. That is, they take the position that it’s either the greatest thing since sliced bread or an unprecedented threat to enterprise IT stability. The reality is that any significant enterprise has a complex and diverse set of workloads. They need to evaluate the cloud as a spectrum of opportunities, with individual risks and benefits.
At its heart, cloud computing is simply another form of technology outsourcing. As with any outsourcing analysis, a firm must be confident that its selected service partner has the proper controls and architecture in place to ensure required service levels. This analysis would at a minimum look at the service provider’s IT service management practices, architectural redundancy and business continuity capability. In addition to their own examination of the service provider’s controls, a firm would typically look for various certifications from the ISO and SAS 70 families. Finally, an examination of the prospective partner’s service record (backward looking) and SLAs (forward looking) would provide further clarity around their capabilities and commitments.
Interestingly, many firms don’t hold their own internal IT departments to the same level of scrutiny as they do potential cloud providers. Additionally, across corporate America, firms experience regular outages of their internally provided IT services, with no bad publicity. While Amazon’s woes are instantly tweeted (and analyzed for weeks), nobody but a firm’s own personnel is typically aware of a similar internal failure. It would be interesting to see how the debate around cloud computing might change if all corporate IT outages were covered by the tweetosphere. The fact remains that many firms are still skittish about making a move to the cloud. There is a strong sense that it is inherently riskier.
Let’s examine this in the context of two hypothetical enterprises: one that has chosen to move most resources to cloud-based providers and one that uses a more traditional self-managed approach. “Edge Corp” is a firm that has decided to make aggressive use of cloud-based technology. They are using one provider for all messaging and collaboration services. They use a second provider for their ERP environment. A third provider runs their CRM software as a service. A fourth handles all public-facing websites. They use Amazon for their new application development and testing environment. Finally, they have decided to continue managing a number of critical line-of-business applications through a traditional “owned and operated” infrastructure.
In contrast, “Safe Corp” has taken a wait-and-see attitude towards the cloud. They continue to manage all technology services internally via their own pair of data centers. The only exception they have made is to have their public-facing websites handled by a web hosting company, a decision that predates the word cloud itself.
So, is Edge Corp in a significantly riskier position than Safe Corp? Did they make the right move by migrating these services to the cloud? While there isn’t a simple yes/no answer to these questions, we can evaluate them as follows:
- What is Edge Corp’s historical internal service record?
- What was their capability and commitment to maintaining service levels on internally managed platforms?
- Did they perform a thorough and thoughtful evaluation of each service provider that they selected?
- Have they planned and tested business continuity measures for each service provider?
- How do the service providers’ capabilities compare with Edge Corp’s internal record?
- How do Safe Corp’s internal capabilities compare to leading cloud-based providers?
The questions above look at the risk of an outage in the cloud vs. internally provided services. But what about the impact of an outage similar to the one that Amazon recently experienced? In Edge Corp’s case, since they are using multiple providers, only one “segment” of their technology would be unavailable. In the case of Safe Corp, with the exception of their web hosting, it is possible that they would experience an enterprise-wide outage. Edge Corp, by diversifying, would in theory be minimizing their risk of large-scale service disruptions.
Admittedly, this is a hypothetical and highly simplistic example. I have not addressed the very real security, privacy and regulatory issues associated with moving services to the cloud. I also have not examined the integration challenges of diverse, cloud-based services. Additionally, as a form of outsourcing, cloud computing needs to be a cultural fit for your company. Any outsourcing decisions impact employees and result in some diminished control over the migrated services. Lastly, any strategic decision is influenced by a firm’s appetite for risk. In some traditional (i.e. conservative) firms, there is a bias away from bold departures in strategy. In these settings, a CIO can be forgiven for internal service outages that represent the status quo, but rapidly criticized for outages resulting from a purposeful move to the cloud.
So let me stop my waffling and disclaimers and provide some guidance for firms that are considering moving resources to the cloud:
- The cloud provides significant benefits in flexibility, agility and scalability over self-managed resources.
- Despite highly publicized outages, cloud computing continues to mature, with greater service capabilities as well as improved functionality.
- The starting point for firms considering cloud computing must be an evaluation of their cultural values and appetite for risk. Every firm will want to approach the cloud at its own pace.
- The cloud should not be looked at as an all-or-nothing proposition. Firms should consider which specific services make sense to initially move to the cloud.
- While any individual decision could result in increased risk, a move of multiple services can be part of a resource diversification strategy.