When an organisation decides to use a cloud computing service, it passes responsibility for managing a component of its IT infrastructure to a third party. It is important that in doing so, that organisation does not lose ultimate control of its own information assets.
There are a number of ways, however, that careless cloud adoption could endanger that control. One way is simply to constrain the portability of customers’ cloud-based systems, preventing them from moving to a different provider. Another way is to limit the visibility the organisation has into how the cloud infrastructure is being used.
In this, the second part of our series on questions to ask prospective cloud providers, we present some suggestions to help you make sure the decision to use cloud computing does not mean sacrificing the ability to dictate your own IT strategy.
How easily can I move to a different cloud provider?
The fear of "cloud lock-in" is one of the key concerns limiting cloud adoption today. Enterprise IT buyers are extremely wary of becoming overly dependent on a single supplier, as it limits their technology options and damages their ability to negotiate future contracts.
Many experts argue that the ability for customers to switch cloud providers easily is essential if there is to be a healthy, competitive marketplace for cloud computing services.
Before entering any cloud agreement, therefore, an organisation must know exactly how they would get out of it when the time comes. This is not just a matter of porting the data itself, although that is critical, but also the configuration of the hosted system, so that it can run as expected in the new environment.
Portability is dependent on standards, and these are still emerging in the cloud computing space. There are open standards available, such as the open virtualisation format (OVF); elsewhere, vendor-defined specifications serve as de facto standards.
When I chose to leave your cloud, how do you dispose of my data?
Once you have decided to leave a cloud provider, it is essential to know that your data will be entirely removed from its infrastructure.
According to Darren Ratcliffe, chief architect for Infrastructure as a Service (IaaS) at Fujitsu UK and Ireland, this is not necessarily as simple as decommissioning a hosted server instance, as data that has been deleted can sometimes be recovered.
"Organisations should seek assurance from their cloud providers that the next occupant of that same capacity couldn’t do some disc scanning that would enable them to recover their information," he explains.
How do you integrate with other cloud providers?
Just as important as the ability to move data between cloud services is the ability to link many of them together, for example to connect an online CRM application with a hosted finance package.
The nature of cloud computing allows organisations to source services from a broad array of providers, but that breadth of choice will be constrained if the services do not interoperate. "CIOs that are further along the journey towards cloud are now focused on interoperability between cloud service providers," explains Ian Mitchell, Fujitsu’s chief architect.
Again, interoperability standards for cloud-based systems are still emerging. Nevertheless, it is prudent to ensure that a given cloud provider supports the appication programming interfaces (API) of as many of the major cloud services as possible, in order to ensure that supplier choices today do not limit your options in the future.
Beyond technical interoperability, there is also a question of how cloud providers share responsibility for the data that is passed between them. If data is lost or corrupted in the process of being passed from one cloud service to another, who is liable? It is worth investigating the nature of the relationship that cloud providers had one another beyond supporting one another’s API.
How will you help me to track usage?
One of the defining features of cloud computing is the ease with which new capacity can be provisioned. In the case of infrastructure as a service, new servers can be created by developers at the click of the button. With software as a service, new user licenses may be provisioned without the involvement of IT.
And while this is beneficial in terms of operational flexibility, there is a danger that it could lead to ‘cloud sprawl’ – the proliferation of undocumented cloud systems, all costing money and containing valuable data.
"Many public cloud service providers are targeted at individual consumers rather than enterprise organisations," says Adam Jackson, product manager for Fujitsu’s global cloud platform. "This is evident in the fact that they only offering credit card billing facilities rather than traditional business contracts."
"This makes it difficult for CIOs, CTOs and IT directors to manage how their team members consume public cloud resources using company money, data and time,"
It is therefore essential for IT management to have a holistic view of all services acquired from a given cloud provider, even they have been provisioned using different accounts or company credit cards. And while keeping procurement under control is ultimately their own responsibility, buying organisations would be advised to seek as much visibility into usage from prospective cloud providers as possible.
Who can I talk to in your organisation?
Cloud service providers vary in the degree of human interaction they offer their customers. At one end of the spectrum are entirely automated utility providers, that only offer support and customer service through their website; at the opposite end of the scale are providers that offer traditional, high-touch customer account management.
Organisations may well prefer the hands-off approach, but it is worth considering the matter strategically. Today, your cloud computing provider may only support test and development systems, but if the economic benefits prove compelling enough, they may end up supporting more business critical systems one day.
In that situation, the value of an established relationship with the provider would be greater – offering the customer greater insight into the provider’s technology roadmap, and the ability perhaps to influence that roadmap in future.
"The fundamental question for any CIO to evaluate in relation to adoption of cloud computing is the impact of the intellectual property assets of the company. Specifically the four key initial areas on which I always seek clarity are on IP in terms of security, privacy, residency and portability.
"The answer to those questions alongside the wider commercial business case allow me to assess the risk to business benefit ratio and advise accordingly.
"The first two of security and privacy can be objectively and conclusively assessed; the second two of residency and portability can lead into more subjective criteria and decision clarity can sometimes lack precision.
"In such circumstances a precautionary approach is my advice if the IP is genuinely felt to be of value and competitive advantage."
CIO & CTO, Fujitsu UK & Ireland