As a CFO, why should you be concerned about your cloud provider’s data center? Isn’t not having to think about the data center — about all those boxes and wires, vents and air conditioners, landlords and leases, staff and security, access and uptime — one of the reasons you moved to the cloud in the first place?
It would be pretty to think so.
Public cloud computing (that is, multitenant, off-premise environments) can remove much of the pain of running enterprise IT. Your cloud provider (theoretically) takes care of everything so you can sleep soundly. The prevailing perception is that reputable public cloud providers are running best-of-breed IT infrastructures, supported by best practices, and meeting minimum industry governance, security, and operational standards. Typically, their data centers are protected by layers of physical and electronic infrastructure, contain multiple layers of redundancy, and offer a level of resilience that cannot be matched by traditional, on-premise centers. In fact, unless you devote a great many resources to IT, it’s unlikely that you could improve on your cloud provider’s levels of service and security. Running a data center is not your business. Your business is something else. But the data center is the cloud provider’s business. Without it, there’s no cloud and no business.
So, why worry?
A Jacob’s Ladder of Dependencies
Here’s why. When you sign your public cloud provider’s contract, or accept its online terms of agreement, you sign away any and all input, control, or say over how its data centers are run, managed, or secured. In the case of your software-as-a-service (SaaS) provider, remember that it is most often hosting its offering — the one you’re paying for and depending upon — in a third-party provider’s data center. The performance of the SaaS application you’ve signed up for therefore depends upon the good governance of the underlying data center and the balance, integrity, and enforceability of the SaaS provider’s contract with its hosting provider, as well as all the other parties that make up its computing ecosystem.
Are you comfortable with that? Are you comfortable with the fact that you’re most often in the dark about the day-to-day management of the data centers upon which your business relies?
If you’re not, the question arises: How can you perform due diligence on your public cloud provider’s data center?
Your Problems Are Your Provider’s Problems
The effective and efficient management of cloud data centers depends upon skilled IT professionals working in a robust and rigorous management environment. Public cloud companies have the same sorts of challenges in recruiting, managing, and training staff to design, audit, and operate data centers as you do. For example, I live in Australia and at the moment there is a technical-skills shortage in a number of key disciplines, which increases the pressure on data-center management teams to maintain strong engineering groups. It also applies upward cost pressure, just as it does for you.
The paradox of the public cloud is that while it can deliver significant benefits, it also concentrates the risk of failure. Data centers are more vulnerable now than ever before as they’re exposed to an increasingly diverse array of threats coming from multiple points. When something fails in your on-premise data center, the damage can be isolated, contained, and addressed. When something fails in a large, shared data center — whether due to a security breach or a problem introduced by one of its customers — a large number of people and organizations can be affected simultaneously and, due to the size and complexity of the cloud ecosystem, the source of the trouble may be more difficult to pinpoint and therefore address. Larger providers offer multiple data centers located around the globe to mitigate against a local failure. This, however, does not eliminate the risk altogether. In addition, these large cloud data centers are highly sophisticated, complex organisms, with many moving parts, which can introduce Murphy’s Law into the equation: Anything that can go wrong will go wrong.
The owners and operators of modern cloud-ready data centers have to ensure that systemic risks are as well controlled as the technical risks. Building engineering teams, with robust policies, plans, and procedures, together with solid procurement and equipment life cycle strategies, are key to the success of a cloud data center.
The importance of identity management and access control in the public cloud also cannot be understated and presents another concentration of risk. Most top-level administrators and other privileged users at cloud providers have access to large, dense application and infrastructure clusters, so a disaffected individual, or a human error, can inflict serious damage if not appropriately controlled at the system level. Cloud data-center operators must be able to provide access to their infrastructure to a wide spectrum of individuals — vendors, contractors, employees, auditors, maintenance, utility providers — from anywhere, at any time. There are technologies, policies, and processes that can make this safer but, as is generally the case with IT security, risks can only be managed, not eliminated.
As a user who may have critical parts of your organization in the cloud, how can you be sure that these procedures and strategies are being implemented?
If your organization’s success, or even its existence, relies on the data and systems hosted by your cloud provider, you may want to hit the road (bringing along a data-center expert) to see for yourself what’s going on in your share of the data center, what’s lurking behind the misty veils of the cloud.
Former CIO Rob Livingstone is an author, speaker, academic, and consultant. He is the principal of Rob Livingstone Advisory Pty Ltd. Visit Rob at www.navigatingthroughthecloud.com.