Heading into the cloud can seem like an attractive prospect. But there are a lot of questions companies should consider before they make the trip.
The sales pitch for cloud computing is simple: Companies pay a third-party vendor to run one or more of their systems, like email or payroll, on its own servers. In theory, the clients save a bundle on hardware, software and personnel costs and can devote those resources to boosting their business.
Leadership in IT: See the complete Leadership: Information Technology Journal report.
But the reality usually isn't so clear-cut. The costs may not be as attractive as they look at first glance, for instance, and it may be better to keep some critical or complex software in-house even if it's more expensive to do so. There are also potential legal issues that arise from using cloud servers; companies might unwittingly violate the terms of their software licenses or federal rules on storing data. Plus, reliability may be an issue, as some customers of Amazon.com Inc.'s cloud services learned last week.
Here's a look at some of the most important questions to ask before committing to the cloud.
How Much Do We Save, If Anything?
When considering which systems are candidates for the cloud, companies need to start with the basics: Is this move going to save money, and will it bring better technical results?
The calculation sometimes isn't as simple as it looks. Let's say a company is paying a cloud vendor based on how much bandwidth it uses. In some cases, the rates are staggered and start to climb as clients use more bandwidth. So, it may be cheaper to invest in an in-house system instead.
Companies also need to consider the money they've already sunk into in-house systems before dropping them for the cloud. They may want to wait to depreciate the costs of their existing systems before switching.
How Complicated Is Your Software?
Things can also get murky if companies have software that needs constant tweaking and updating—think of a specialized trading system at an investment bank. A cloud vendor may make that kind of hands-on control difficult and expensive.
Many companies also patch together different software programs to run various parts of their operation. But a cloud vendor may charge a lot more to host that kind of system, since it takes more expertise to maintain the various components. Even moving a big, complex system to the cloud in the first place will probably bring added costs, since the client and vendor may need to do a lot of tinkering with the vendor's systems to get everything set up properly.
On the whole, it may be a better idea to move relatively simple and nonessential systems, like email and payroll, to the cloud first. Taking this step frees up some of a company's attention and resources, so it can focus on improving the business. And its tech team has a chance to get familiar with the cloud in a lower-risk environment.
Meanwhile, there's always the possibility that other companies will want to be first movers and shift their complex systems to the cloud immediately, forcing vendors to find ways to accommodate them. With any luck, that will mean lower prices and fewer headaches for companies who waited.
What Are the Legal Issues?
Software licenses come with lots of conditions. Companies need to look those over carefully before moving any systems to the cloud.
Older licenses, for instance, may not cover off-site use. So, putting the programs on a cloud server could lead to an audit, fines and bad publicity. Some newer licenses, meanwhile, prohibit a crucial part of cloud computing—virtualization, where many different applications run on a single server.
Where's the Data?
While consumers may be happy to have their photos and email reside on the cloud at some unspecified location, executives have to consider a host of compliance and regulatory issues.
The European Union, for example, has laws that strictly dictate the movement of data and access to databases. Thus, a company based in the EU can't assume it is all right to have all its cloud data stored "across the pond" with a U.S. vendor. Similarly, financial-services companies operating in China have to keep their data within China and can't use a cloud facility in Singapore for data storage.
There has been a call recently for "cyber embassies," where data can be hosted in a third country under the laws of the embassy's country of origin, but such a move is a long way from becoming reality.
Another potential source of problems: Many organizations use live feeds of information from third parties, like stock updates from exchanges. But the data providers may not let that information be accessed from a cloud vendor.
How Accessible Is It?
Companies also need to consider how quickly they can get data out of the cloud vendor's systems, and in what format.
Vendors store data based on projected usage. They might keep information that's in constant demand, like sales figures that reps need for client visits, on conventional servers. Data that isn't needed all the time—like the Internal Revenue Service's vast store of taxpayer records—might be encrypted, compressed and stored on tape at a remote facility.
Having instant access to data will mean a higher price tag. Tape storage, meanwhile, can bring higher costs and hassles if the vendor doesn't use the same kind of encryption and compression as the client.
What's more, companies can't just hand over data and forget about it. They need to check it regularly to make sure the formats are still compatible with their current systems—think of all those eight-tracks in the attic—and the tapes haven't started to degrade.
Failure to stay on top of these issues could mean big trouble. The Sarbanes-Oxley Act, for instance, requires that companies store email for seven years and have it accessible for audit in a timely manner. That may not be possible with a distant vendor that stores data on tape.
There are other kinds of compliance to consider. Let's say a company is in health care. To comply with the Health Insurance Portability and Accountability Act, all access to data must be recorded—not just who looked at it but what they accessed and whether they actually had access rights.
A cloud vendor would need to put a system in place to manage all this, without burdening doctors, nurses and administrators with layer upon layer of access codes. Getting that done will mean higher costs—as will calling up those records when they're needed.
How Secure Is It?
Cloud providers are usually much more capable defenders of data than companies are. They typically have state-of-the-art defenses such as firewalls and actively search out intruders and try to trap them—a step few companies take on their own.
What's more, companies often overlook the potential for trouble from within. Employees can steal sensitive material right off their own desktops, and in many cases the security system is none the wiser. Even if a company is actively looking out for theft, employees are prone to accidental security breaches, such as downloading dangerous material from websites, using an unauthorized smartphone for business, or losing a laptop full of sensitive material and not reporting it immediately.
That said, companies can't simply hand off their systems to a cloud provider and assume that all will be well. Businesses need to perform rigorous tests on the vendor's systems and watch how they handle potential problems. For instance, hackers may try to attack the client's systems instead of the vendor's, grabbing data as it's moving to the cloud. Smart vendors will help clients protect against this kind of attack.
Some businesses go even further to make sure they're safe. Not only do they test their own computer systems and their vendor's, but they also hire pros to do some real-world snooping—like trying to sneak into the vendor's facility to see how well it manages security. Many vendors pride themselves on having lots of state-of-the-art cameras, biometric sensors and security guards with guns; security specialists put them to the test by trying to sneak onto the premises with fake ID badges and get access to the computer system from within.
Dr. Plant is an associate professor of computer information systems at the University of Miami School of Business Administration. He can be reached at reports@wsj.com.