I have some serious reservations about the indiscriminate implementation of “cloud computing” solutions. My reservations are focussed on the needs and interests of small to medium sized businesses, as that is where my experience lies, so the following discussion document needs to be read in that context.
Firstly, let’s define “cloud computing”. This is a general term for any system that provides IT services over the Internet. (The “cloud” reference comes from the use of a cloud symbol to represent the internet in diagrams.) These services may be for storage and/or processing of the client’s information, and are performed at a location that is different from the client’s.
Typically, a public cloud service is sold on demand, with charges representing the cost of supply plus a profit margin. It is a flexible arrangement, meaning that a user can have as much or as little of it as they want at any given time, and the service is fully managed by the provider. This sounds great – let your IT problems be someone else’s! But let’s think about it for a moment.
(Also see http://en.wikipedia.org/wiki/Cloud_computing for a more complete definition.)
Businesses have become reliant on their information systems more than ever for both customer services delivery and internal systems. An outage of these services for even a short period can cause significant financial loss and may well damage their reputation. (For example, the outage of Air New Zealand's booking services on Sunday 11th October 2009.) So a “defence in depth” approach to ensuring reliable systems and an acceptable means of disaster recovery has become crucial.
The events of January 2012 involving the "Megaupload" site highlight what I have seen as a major danger. What happens when for some reason - any reason - the site is taken off-line? Worse still, what recourse do you have if your data is erased without your permission, as happened with "Megaupload"?
I am also concerned about the potential loss of privacy with public cloud. Take a look at the following article, "Experts slam online data surveillance law". The awkward thing is that you may be contracting a local company to store your data, but they in turn may be using a US facility, thus opening your data to US scrutiny. I believe that the US is not alone in examining cloud-based data.
This is a massive and highly technical topic. Public cloud computing is very complex. It has to be to provide a wide range of services to a large number of clients. Of course the providers take all reasonable security measures on your behalf, as their clients. But is that really true? Yes, they secure their systems, but your systems are completely private to you, the client. That means that the public cloud providers really cannot take care of your security for you! The responsibility to take care of your system's security is just the same as if you ran your system in your own office. But now, your system is located in a data centre with many other clients' systems, all of which make a big fat juicy target for hackers, so they will target your system all the more in the hope of getting at others. And the opportunities are multiplied because of the communications complexity that has been added!
For this reason, I have developed a deeply ingrained mistrust of public cloud computing solutions in certain circumstances. It’s not that I mistrust the service providers, although clearly this is a risk when data crosses international boundaries. This development has seemed to me to be a step backwards in time to the 1960-1990 era, when many medium-sized businesses made use of the services of computer bureaux, rather than withstand the (then) relatively high costs of establishing their own computer department, requiring a mainframe computer that cost many hundreds of thousands of dollars to purchase, and hundreds of thousands of dollars to operate and maintain!
I know that confidentiality, security and data integrity of their systems are all covered by legal agreements, but they can still take no responsibility for the security of your system. Also (for example), what happens when the service provider gets into financial difficulty, and the liquidators arrive? Are you confident that they will look out for your interests? Are they bound by your agreements? I suspect not! And anyway, what jurisdiction would you have to take action in the event of a dispute? How long would you be out of operation while the legal wrangling continued? And how quickly can you get your own valuable data off their systems and onto another provider’s solution? Is it even possible? I think you will find that the answers to these questions (or lack of them) will leave you uneasy.
A Better Way
Today, the costs of running all systems required in-house or from a local data center are tiny in comparison to what they used to be. Of course, they can still end up being a significant overhead, especially if approached in the wrong way, but in my opinion, no matter what size your business may be, you simply cannot afford to take the risk that committing to the public cloud may represent.
The cost of running your own server(s) and networks today can be minimal. For more than twenty years I have run all my own services in-house, including e-mail with effective anti-spam filtering, web site hosting, business accounting systems, file and print services … basically everything that I or any of my clients need to run a business. I generally test anything I intend to recommend to clients on my own installation before I will endorse it for use on theirs, which is why I run the same configuration.
The thing is that all businesses have the same basic requirements to operate no matter how big or small, and solutions today are so scalable that the systems I am familiar with will meet the needs of small to medium sized businesses with an absolute minimum of wastage of resource, whether this is your time, your staff’s time, professional services, software or hardware.
Of course, safety of your data and the continuity of systems is crucial. So I recommend a multi-layered approach to data back-ups, in case of some total disaster like a lightning strike or fire destroying your equipment, backing up a hardware/software solution that will ensure that, under all but the most extreme circumstances, critical business systems remain functional whenever required.
There are invariably exceptions, and certainly I have considered two situations where I would wholeheartedly endorse a “cloud computing” solution.
The first is where a group of companies, associated by common shareholding or geographic location (or some other significant common factor), jointly establish a shared facility to provide such services. This would most likely be established in a fully managed data center. There can certainly be some significant savings to be realised, and the key thing here is that they remain in control, and responsible for the success of the venture and the safety of such services and any data involved.
The other situation is that involving e-mail. There are many vendors providing e-mail security solutions as a cloud-based service. There is some merit in this, although I personally prefer in-house systems based on the Trustwave Secure Email Gateway (SEG - formerly MailMarshal).
So why run the risk with your precious data ... your business? Call me to discuss your needs, and review your present systems. I will recommend an economic alternative that gives you the peace of mind of having your own data securely stored and managed under your direct control.