As a CFO overseeing your organization’s transition to cloud, how can you ensure your journey delivers on its promises over both the medium and long term? Focusing on the short term is the comparatively easy part. Entry costs are – as cloud vendors are quick to tell you – low relative to on-premise. But enterprise risk management is often one of the CFO’s key responsibilities and an uncontrolled shift to the cloud could expose you and your organization to unacceptable long and medium-term risks.
On the other hand, you could take your chances and hope to get lucky.
But seriously . . .
Broadly speaking, there are four key complicating factors in cloud computing that compound the difficulty of performing effective due diligence on cloud provider offerings:
Volatility: New cloud vendors appear almost on a daily basis. Some will be credible, well resourced, and professional. Others, not so much. Some are adding cloud to their conventional IT services to stay in the race, and others are new entrants that are, as they say, cloud natives, in which case they do not suffer the pains and challenges of reengineering legacy business models and support processes to the cloud. How can a CFO perform due diligence on a provider’s viability if it’s new to the market and backed by impatient startup capital that’s expecting quick and positive returns? Are you concerned about the potentially complex nest of providers that sit behind your provider’s cloud offering? That is, the cloud providers that store its data, handle its transactions, or manage its network? In the event that your provider ceases to exist, can they offer you protection in the form of data escrow?
The cloud ecosystem is far more complex than the on-premise world, even if it doesn’t appear that way at first blush. When you enter the cloud, have an exit strategy, and be sure you can execute it.
Legal precedent: To date, there are few legal precedents available to help shape the cloud decision-making landscape and assist you in your decision-making processes. For example, last February, in an attempt to define copyright in the cloud and what constitutes “fair use,” Google in effect sided with ReDigi (a provider that allows users to store, buy, sell, and stream pre-owned digital music) against Capitol Records in a record industry lawsuit.
Enterprises should develop an effective listening strategy for the latest court proceedings and decisions in the legal jurisdictions in which you and your major customers operate. This can be as easy as creating your own Google alert for keywords that are relevant to your company, industry, or regulatory environment. Alternatively, ask your legal advisers what notification services they can offer you, or just subscribe to online services such as findlaw.com.
Learning from these proceedings and early court decisions will help you avoid pitfalls that your competitors may encounter.
Legislative and regulatory maturity: Lawyers, auditors, legislators, and regulators are still coming to grips with cloud in its various forms. Navigating the complexities associated with the legislation and regulations that can affect you and your provider’s cloud ecosystem can be daunting, especially if you’re operating across multiple legal and international jurisdictions. For example, the US National Institute of Standards and Technology has a well-defined Cloud Reference Architecture in which the role of Cloud Auditor is defined: “Audits are performed to verify conformance to standards.” Unfortunately, there are presently no universally adopted standards for cloud computing, although there are a number of bodies (mostly sponsored by selected vendors, such as the Cloud Security Alliance) attempting to define them in the areas of security, interoperability, governance, and so on.
In terms of legislation, the rule in regard to data jurisdiction in some states or countries is simple: “No data can reside outside of our legal jurisdiction!” Legislation in this form is like using a sledgehammer to crack a nut. It’s not helpful in the evolution of practical, secure, viable solutions to what are, in many instances, complex problems. Once again, it’s important to keep up to date with your regulatory and industry compliance environments.
The contract: In the public cloud model, the contract between your organization and your cloud provider takes center stage. Your contract should be balanced, and reflect appropriate penalties and protections in the event of non-performance by your provider. This may be easier said than done. You may not have sufficient financial leverage to negotiate variations to the cloud provider’s standardized contract. If the contract terms are mostly favorable to the provider, yet the commercial benefits appear compelling to your organization, it may be worth pricing in risk to your business case and then reassessing your position.
There are swathes of considerations that relate to a cloud contract review, which I hope to address in the near future to help CFOs assess the balance and appropriateness of cloud contracts.
We are slowly seeing a maturing of the discussions around cloud for the enterprise. However, as the research firm Gartner rightly points out, there are still a few years to go before cloud hits mainstream adoption. Until then, rigorous procurement due diligence should be your default position for your important systems. Of course, this costs time and money, and short-term commercial imperatives when combined with compelling offers by cloud providers – Low-cost entry! Automatic upgrades! Best-in-breed functionality! Easy integration! Bundled support! – may well trump due diligence in many organizations.
As CFO, what are your strategies to withstand this sort of pressure? If you take your risk responsibilities seriously, start thinking about them now.
Former CIO Rob Livingstone is an author, speaker, academic, and consultant with substantial real-world cloud experience. Join Rob at one of his many free live webinars at navigatingthroughthecloud.com.