Cloud computing — and the cloud-computing business model — is maturing at a rapid pace with new solutions, systems, and a seemingly never-ending conga line of vendors offering compelling reasons (and deals) for why you should move to the cloud, however they define it. For those CFOs who have enterprise risk management burned into their portfolio of accountabilities, it’s important to examine those offers with a gimlet eye.
One of the core value propositions of cloud computing is that your enterprise’s IT disaster recovery (ITDR) plan is taken care of by your cloud provider. However, moving to a public cloud may increase the complexity and costs of your ITDR plan and, in some instances, increase your risk. This is a somewhat controversial position — maybe. But it requires careful thought and assessment — definitely.
Business Continuity and IT Disaster Recovery
It’s important to draw a distinction between a business continuity plan (BCP) and an ITDR plan. Fundamentally, your BCP should cover every aspect of how you would continue to run your business in case of an adverse event such as a natural disaster (say, a tsunami in Japan or a flood in Thailand affecting your supply chain or a manufacturing plant), a pandemic, an infrastructure failure, a global credit crunch, a collapsing euro: you name it. The ITDR, on the other hand, focuses on the resilience and continued availability of your enterprise IT systems. It forms a subset of your enterprise BCP.
Every organization that relies on its IT systems to survive and thrive should have a tried and tested ITDR plan to cover possible adverse events such as fire, major IT infrastructure failures, data corruption, network failures, and so on. Now add cloud to the mix.
How to Mitigate Your Risk
The fact that the relationship between IT uptime and cost is nonlinear is relatively well known. The cost of increasing IT uptime service levels from 99.0% to 99.9% is generally affordable. Taking it from 99.9% to 99.9999% may be prohibitively expensive. What’s this got to do with cloud? Well, in the public cloud, an enterprise has no control over the investment the provider makes in security or performance or ITDR, nor any control over the risk appetite of the provider. You cannot make an additional investment in your public cloud provider to alter its risk profile, which presents a challenge if your risk tolerance is lower than your provider’s. Would you have been willing to pay a premium to BlackBerry to eliminate the possibility of last October’s three-day outage? Would other customers? Would it have made a difference?
It’s not uncommon for cloud providers to offer compensation in the event of an infrastructure failure and service outages. This usually comes in the form of future subscription credits, which doesn’t really compensate you for the true cost to your business of a major outage. You’ve taken the hit now, but your subscription credits are redeemable later. Consequently, you need insurance.
This is a relatively virgin territory for consumers of public cloud services. Two foundational aspects of insurance are probability and precedence. With cloud computing, what role does insurance play in bridging the gap between the compensation paid by your cloud provider (at some future time) and the true cost to your organization? The challenge in obtaining specific insurance coverage for consequential losses arising from the failure of your cloud provider is that the insurer may have limited-to-no actuarial data on which to price risk. While there have been outages for well-known organizations such as Amazon, BlackBerry, and so on, each provider’s infrastructure is unique, and in aggregate the number of occurrences is low. This makes accurate prediction — and, consequently, the assignment of premiums — difficult.
The Obvious Disaster
The most obvious disaster that could befall a business in the cloud is that its provider ceases to exist, whether due to a catastrophic business failure, seizure by regulatory authorities, or some apocalyptic event. The recent and sudden takedown of the global file-sharing provider megaupload.com last week by the FBI locked out hundreds of thousands, possibly millions, of users, whether law abiding or not. Academics, musicians, and others are now unable to access their data. If your cloud provider is a privately owned company in a foreign country, the risks associated with business longevity are even more difficult to figure. On top of that, the cloud marketplace is nowhere near stable, with new entrants competing and vying for business on a daily basis. It’s a safe bet that not all of them will survive.
If you are using a cloud application for your critical, core transactional applications, such as order processing, billing, or logistics, there are major technological hurdles to shifting your systems to another provider in the event of a failure of your current one. Here are some things you need to consider: While in most cases you will be able to retrieve your data, your business logic and software systems will be left behind. You’ll need specific software — and the knowledge to use it — to bring your data back to life so that you can continue to run your business. Another consideration is that if you have a large volume of data, it could take days to extract it and transfer it to a new provider’s system. It may, in fact, be quicker to airfreight the data on a hard disk, if that’s technically possible.
Due-Diligence Paradox
The public cloud presents a due-diligence paradox. While it may simplify IT from your perspective by abstracting away all the nasty complexity of enterprise IT, it increases the difficulty of performing a comprehensive and deep due diligence. Many public cloud providers will not allow a stream of potential or existing clients into the most intimate parts of their organization to kick the tires. In most instances, you’ll have to rely on the provider’s assurances that it will meet your minimum standards of system security, confidentiality, availability, and integrity, and that the certificates they boast of (SAS 70, for example) have been earned.
The Case for a Private Cloud
With a private cloud, you are 100% in control, so you can dial your investment up or down to meet your own risk appetite. You get the full benefits of scalability, agility, lower unit operating cost, system resilience, and so on; however, the key financial determinants to building a private cloud are access to capital funding and the total cost of ownership over the expected lifespan of the system. You should always test the assumption that the public cloud is the lowest-cost option. Do the math: you may be surprised when you accurately factor in the cost of risk in the public cloud.
After all, it’s your business, not your cloud vendor’s.
Former CIO Rob Livingstone is an author, speaker, academic, and consultant. He is the principal of Rob Livingstone Advisory Pty Ltd. Visit Rob at www.navigatingthroughthecloud.com.