Cloud Computing, as defined by both the National Institute of Standards and Technology (NIST) and the Cloud Security Alliance, is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services). These resources are configured and combined to operate like a utility. Cost is based on usage and is variable in nature, i.e., the more you use, the more it costs.
Costs, risks and overall governance will vary depending on which of the following types of Cloud Computing your deployment is based on:
Private cloud: Created for a single company, in-house focused and very much like a typical outsourcing agreement. Not much risk is involved, and it comes under the governance of a typical outsourcing agreement.
Public cloud: Created by a third party for a much larger audience. Transaction based (e.g., Salesforce.com), with greater risk to the consumer organization since data will be stored at multiple locations and not so easily retrieved. Governance is handled with standard SLA and contract terms.
Hybrid cloud: Multiple cloud deployments bound together to form a unique solution. It has to rely on greater cohesion of data integration to make this work, and overall security and risk will be highest in this deployment.
The only reasons to tackle this as a viable technical solution are cost of capital, scalability, and financial efficiency. Getting a business solution up and working with minimal capital outlay and as quickly as possible allows companies to experiment with new services without gambling a lot of money. It becomes an efficient tactical solution and has the same arguments as outsourcing: by outsourcing portions of information management and IT operations, enterprise workers will be free to improve processes and increase productivity and innovation.
Because companies will not be able to place their hands on the storage devices containing their data and cannot impose their unique IT controls on the “cloud,” care must be exercised in how you use this new computing model. For example, prototyping new applications for a new service to test its viability would make sense in the short term. If the data is not critical to the survivability of the company and would not cause an embarrassment or regulatory issue if exposed, then keep the application in the cloud. Standard risk assessment methodologies can be used to help guide companies.
Governance is a two-way street between the company and the provider. A typical outsourcing deal will be at least three years and as long as ten years. Governance is handled via a lengthy contract, SLAs, penalties, etc. This governance model will not be effective with Cloud Computing. Vendors should consider adherence to some type of third-party certification assurance using ISO standards or something similar. This will increase transparency into operations and risk mitigation and will also aid in assuring compliance with privacy and trans-border information flow requirements. Simple entries and exits for agreements have to be structured so that a contract can be “in force” even if there is no spending involved. This will simplify start-up and tear-down for usage. Vendors, not individual companies, will be the ones taking the capital risks. As with outsourcing arrangements, it is hard to switch once you start with a vendor.
Let Daniel L. Ruggles and the team at PM Kinetics, LLC help you understand and navigate the complexities of Cloud Computing, Sourcing and Capital Planning, Vendor Management, IT Security, IT Infrastructure planning and execution.