Look before You Leap into the Cloud
The upsurge in the adoption of cloud technology is being driven by its well-known virtues, which include local disaster protection, ease of management, availability, and scalability. It also includes an answer to the widespread shortage of skilled IT labor and need for improved service levels. For CIOs, cloud computing is a promised escape from the costly and demanding data center business. It also helps to prevent unauthorized, undocumented employee tinkering with business software and incorporates a 24/7 failover service to minimize downtime during outages.
But taking true IT functionality to the cloud is typically not an easy jump. The required economies of scale may be unattainable in business environments run on aging apps and databases that need to be reconfigured, where data integrity and confidentiality are top concerns and a multitude of different regulations are at play. Spinning up the infrastructure may eliminate four to six weeks of hardware procurement and setup time, but due diligence can take more days depending on the complexity of the organization and how much computing is moving to the cloud.
Before you leap to any prospective solution, you’ll want to ask the tough questions to properly align organizational needs with the realities rather than the hype of the cloud.
Understanding of Cloud with Potential Solution Provider
There are many definitions of cloud computing and it pays to know the difference. With the ‘public cloud’ (e.g., Microsoft Azure and AWS), data resides on a network of remote servers hosted on the internet. An alternative is for organizations to house data in a single installed data center, aka the ‘private cloud,’ to which they’re tethered via a wide area connection.
Most organizations subsist on the ‘hybrid cloud’ with a mix of on-premise, private cloud, and public cloud services. While some software publishers are accommodating their clients’ cloud ambitions by making new web-enabled apps, others are merely renaming existing products to suggest they can seamlessly run on simplified data center infrastructure and automated policies. Keep in mind that software manufacturers will typically only support their products in a cloud setting if they’ll be running on hardware the manufacturer has certified.
When evaluating solutions to move to the cloud, a logical approach is to start with those that have a native Software-as-a-Service (SaaS) option (e.g., Microsoft Office 365 and Salesforce CRM). Next, look at non-mission critical systems (e.g., storage, file shares and data backups) and, finally, applications that are mission-critical to your enterprise.
Is the Application or Solution Cloud-Suitable?
Be sure your evaluation includes four key considerations:
• Regulatory compliance
To successfully move to the public cloud, you need to be aware of all the regulations that apply to your industry and geography, as well as the location, protocols and procedures of your intended cloud provider. You are ultimately responsible for what happens to your data.
Does the cloud service provider offer geo-location of data? Solution providers may have data centers all over the world, and will move data as needed to accommodate customers and capacity. In highly regulated industries such as energy, banking and healthcare, a datacenter outside of the U.S. could result in a regulatory breach resulting in fines and possibly also criminal prosecution.
If any of this applies to your company, be sure the cloud service provider you select is contractually obligated to store datasets within specified geographic boundaries. Ideally, your legal and risk-sharing departments are involved on the front end and, as needed, underwriters to develop policies to cover insurance risk.
• Level of disaster recovery needed
Does the cloud make sense as a disaster recovery solution? It’s great that you maintain backup copies of data at your physical location, but what if that’s where catastrophe strikes? Is a secondary, accessible location in the cloud an option? If you ever need to pull that data down from the cloud, will the transport even be affordable or timely?
If not, how foolproof is your disaster recovery plan? Are there mileage minimums required by regulation or industry best practice between your primary data center and disaster recovery site? Too many organizations designate locations separated by a distance less than the width of a typical tornado. Suppose you’re doing business in a rural area where everyone depends on the same source of electrical power. Then, you’ll need to find a backup location on a different power grid as well as factor in generator setup time at your home location.
For some CIOs, the bigger difficulty is convincing the CFO a disaster recovery plan is a good investment. To make your business case, seek the support of your risk management department and calculate the hourly cost to the organization of an unplanned disaster. And find an advocate in operations who can articulate the impact of not meeting customer needs and expectations, or not having information required to make business-critical decisions.
• Information security
The cloud offers better security and privacy than organizations can provide on their own—including an advanced access-control framework and multiple layers of firewalls. But given high-profile hacks of recent years, it pays to be cautious. Verify liability limits with your cloud provider in case a data breach occurs. Further, having a clearly understood and well-documented communication and response plan is just as imperative when data is stored in the cloud as when it resides on premise.
Also, how does enterprise security develop supportable processes to handle the merry-go-round of IP addresses as virtual private networks are pinned up and ripped down? Service providers tend to minimize the complexities of moving an existing virtual network to the cloud, suggesting a simple script in an organization’s firewall will maintain traffic control to and from select IP addresses. The ranges of IP addresses can conflict with existing internal IT security and audit practices. Allowing full networks can be a dangerous place to land when you have zero visibility into the security practices of your cloud provider. It increases the risk of having your name in the press for all the wrong reasons.
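One way to turn the IP-range concern above into a repeatable audit step, shown as an added example that is not part of the original article: a short Python check that reviews provider-supplied firewall allow rules and flags entries that open a full network or collide with the internal address plan. The rule names, address ranges and the 64-address threshold are constructed assumptions for illustration.

```python
import ipaddress

# Constructed sample data (documentation and private ranges only).
INTERNAL_NETS = ["10.20.0.0/16", "192.168.50.0/24"]
PROPOSED_RULES = [
    ("cloud-app-frontend", "203.0.113.16/28"),
    ("cloud-region-block", "198.51.100.0/24"),
    ("cloud-vpn-pool", "10.20.8.0/21"),
    ("cloud-backup", "192.0.2.77/32"),
]
MAX_ADDRESSES = 64  # hypothetical audit threshold for a single allow rule


def audit_rules(rules, internal_nets, max_addresses=MAX_ADDRESSES):
    """Return (name, cidr, issues) for every rule that needs review."""
    internal = [ipaddress.ip_network(n) for n in internal_nets]
    findings = []
    for name, cidr in rules:
        # strict=True rejects entries with host bits set, e.g. 10.20.8.1/21
        net = ipaddress.ip_network(cidr, strict=True)
        issues = []
        if net.num_addresses > max_addresses:
            issues.append(f"broad range: {net.num_addresses} addresses")
        clashes = [str(i) for i in internal
                   if i.version == net.version and net.overlaps(i)]
        if clashes:
            issues.append("overlaps internal " + ", ".join(clashes))
        if issues:
            findings.append((name, cidr, issues))
    return findings


if __name__ == "__main__":
    for name, cidr, issues in audit_rules(PROPOSED_RULES, INTERNAL_NETS):
        print(f"{name} ({cidr}): " + "; ".join(issues))
```

Running the check each time the provider changes its published ranges gives security and audit teams a record of which allow rules were accepted and why.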
• Cost versus current deployment
It’s important to compare and contrast a cloud computing solution to traditional IT using standard performance indicators such as uptime, mean time to repair, restoration of service, and delivery time on storage and computing requests. Capital costs associated with internal data center space—environmental, security, infrastructure, and maintenance—must all be factored in. It is vital to take an honest look at your internal IT talent mix and cost pool. If your current bandwidth is low, remember to factor in the cost of the upgrade you’ll need to migrate business to the cloud.
Relocating to the cloud is a complex undertaking that is never a purely financial decision. Oftentimes, significant internal politics make it wise to enlist the help of an outside consultant to produce analysis, work with solution providers, and recommend approaches that align with both business objectives and financial goals.