February 24, 2012
Cloud Computing Services, Caveat Emptor
It seems as though we do not go through a single day without one pundit or another touting Cloud Computing Services (also known as Software as a Service or SaaS) as the next big thing in computing. At first glance, there are many enterprise advantages to using these services, not the least of which is cost. However, in some circumstances, engaging such services can pose an existential risk to a large enterprise, a risk that is often not considered when evaluating the service offerings.
Large enterprise IT departments have gradually evolved a tendency to do less and less in-house, preferring to outsource services such as help desk and general IT to third party firms. The classic IT model for large enterprises with thousands of PCs, internal networking, large server farms or mainframes has become so cumbersome and expensive that such companies are understandably looking for ways to reduce ongoing costs. IT personnel are relatively expensive, require continuous training and development, and a full in-house service requires many such resources. Furthermore, IT expense is seldom anything other than an overhead function, i.e. it doesn't directly drive enterprise revenue. Taking a cost center, department-specific view, lowering or containing cost is usually bullet one on the IT executive's yearly objectives. In contrast, the enterprise-wide view may yield a different analysis, as in some cases a simple IT cost-cutting approach can put the business at risk, especially when the core business of the enterprise rests on the IT infrastructure.
Much of this IT cost reduction focus follows on the wave that saw the outsourcing of previously in-house software development and call centers to overseas third party providers. As consultants, we have seen many unintended consequences which are the direct result of such decisions.
When it comes to software development, the issue becomes where the business intelligence and assets are located. Without sufficient internal resources who fully understand the developed software, the enterprise is now fully dependent on the provider for even trivial issues. Furthermore, there is an element of intellectual property risk which must be carefully managed. The last decade has shown many examples where outsourced development led to intellectual property losses. Those losses, we would argue, more than offset the cost savings associated with outsourcing. This is a case of risk not being properly assessed during the RFP process.
Call centers are a different matter; in this case the risk issue is the loss of control over an enterprise's customer base. That loss of control can be direct and/or indirect. The direct loss is simply that a third party is now executing customer-facing actions on behalf of the firm; the indirect loss is that those actions may alienate the customer base. Again, these risks are difficult to determine and often are not included in the cost analysis. Many examples exist of companies pulling call centers back into their enterprise after a failed outsourcing adventure.
In an ideal world, the business decision to outsource services would be a straightforward financial one between comparable in-house and outsourced offerings. However, this is seldom the case, as risk elements are typically understated when it comes to the outsourced offerings. That is not unexpected, as the RFP team typically understands their internal situations much better than what the outsource vendors are offering. They are also not as adept in knowing what interface costs will be needed to fully manage the outsource vendors. These cost-reduction projects are typically planned with very little time, which also works against a robust risk assessment.
What kind of enterprise risks are we talking about, when it comes to cloud computing services?
We see two types of risk scenarios which should be considered, contractual liability and sovereign interference risk.
Contractual liability is a significant issue. When running an in-house IT department, the liabilities reside within the enterprise: no matter what happens, the company is responsible. How do the cloud computing services compare? Not very well, actually. In most cases the service company assumes practically no liability. Below is an excerpt from the standard terms of one major supplier, which illustrates the issue.
The above set of terms basically provides an "as-is", no-guarantees service. The full liability rests within the enterprise, just as it did when providing the services in-house. If a company is considering putting enterprise-critical data or applications on such a service, it needs to be fully aware of the lack of liability coverage. In cases such as this, the only recourse a company would have is to stop doing business with the services firm, which recovers a mere fraction of the costs incurred by a major failure. These terms are not unusual; most of the major players use a similar disclaimer approach. We suspect that many such contracts have already been signed by IT managers, and fully expect that we will be hearing horror stories during the next few years, subsequent to a severe breach or failure of the services.
If the enterprise had negotiated some service levels and full liability into the contract, the ongoing service cost could approach or exceed the in-house one, so that isn't necessarily a viable solution either. We do strongly recommend that the general counsel's team be part of any decision making prior to signing such an agreement, as a solo IT manager experiencing this worst case scenario is in a "career limiting" position if the risk is accepted without consultation.
Sovereign interference risk is the risk that a government or governmental agency will interfere with the enterprise's business. That risk, while remote, can be catastrophic under the right circumstances. For an enterprise whose data or applications are mission critical, locating them within an external service increases the possibility of sovereign interference. The reason is that in most cloud scenarios, the enterprise is not the only customer of the provider.
Suppose the enterprise has contracted cloud web servers within a local zone, and by chance another customer is running an illegal web-bot controller service within the same cloud. The FBI swoops into the data center and confiscates all the servers as evidence. Now, not only is the enterprise offline until other arrangements can be made, but the data that is core to the business is exposed in an insecure manner. The FBI, or the government, cannot be sued to recover damages, and the provider is not responsible under its contract.
Before the reader suggests this scenario is farfetched, it has actually happened many times in data centers, even when the enterprise owns the equipment within its leased rack space. Law enforcement is not elegant when it comes to gathering evidence; consequential harm occurs to others without recourse. In the case of cloud services, it is even harder to excise only the offending party.
If the equipment/servers are actually located within the enterprise, the company is better protected from unreasonable search and seizure. The general counsel's team earns their keep by mitigating this sort of risk.
Conclusions: The real benefit of cloud computing for enterprises with mission-critical needs is therefore not first and foremost cost, but rather scalability. In such cases, the enterprise should deploy internal cloud architectures where none of the physical assets are shared with other parties, and where the enterprise can best mitigate its liability exposure. That solution speaks well to both risk scenarios while still partaking in the primary benefits of the cloud.
Copyright © 2012 Arbitor.com All Rights Reserved. Last modified: 12/3/2012