10 hybrid cloud risk areas that the enterprise must manage

Organizations seem to be embracing hybrid cloud in a big way--but are they approaching it in the wrong way? Here are some critical areas of concern.


The latest Tech Pro Research survey found that nearly 68% of companies either use or are thinking about using the hybrid cloud--and some analysts put the number even higher. But while there's no mistaking the allure of hybrid cloud to the enterprise, that architecture brings its share of risk. Here are 10 hybrid cloud areas that companies should include in their risk management strategies.

1: IT architecture design

A hybrid cloud is a highly complex IT architecture that involves varying combinations of public clouds, private clouds, and on-premises IT. It takes a sophisticated IT staff to architect and run an end-to-end infrastructure that must support continuous data transfers between all of these platforms--as well as ensure continuous governance no matter where the data flows. Many IT departments don't have the requisite expertise in house, so managers need to determine whether they're going to hire it, contract for it, or provide internal IT with training.

2: Coordination of cloud procurement with end business users

The worst way to enter into a hybrid cloud strategy is to do it haphazardly. Haphazard situations develop when end-user departments and IT independently contract for cloud services. Before you know it, you have a hodgepodge of public cloud, private cloud, and on-premises IT--and no one who is accountable for overall coordination and performance of these investments. The practice invites risks and inefficiencies.


3: Data management

More companies are using storage automation in their data centers to route data to tiers of fast, medium, or seldom-used storage, depending upon the type of data and data access needs. The business rules and stewardship of this data get riskier and more complex when data gets ticketed for non-data center destinations and must be earmarked and tracked. The net result is that IT will have to rethink its data stewardship and deployment automation rules to encompass not only how frequently data must be accessed, but also the security and safekeeping needs for the data based upon where it is stored.

4: Security and privacy

Security and privacy of data are improving in the cloud, but that doesn't change the fact that corporate IT has direct governance, security, and privacy control over data that the company keeps in its own data center--and it doesn't have this direct control in the cloud. Companies have responsibilities to their customers to keep data safe and secure. They have to weigh these responsibilities against the advantages of storing data in the cloud, where data security and safekeeping control are significantly reduced.


5: Bandwidth and latency

Access to the cloud can be via a secure, private network or, most often, over the internet. This means that bandwidth management and the risk of latency for real-time data streams and bulk data transfers become riskier than when they are occurring within the company's own internal network. One of the risk evaluations the company must make for data and applications that go to the cloud is how much latency and/or downtime the company can afford if there is an unforeseen interruption and/or slowdown in data communications with the cloud.

6: Disaster recovery and failover

Companies moving data and applications to the cloud should ask to see the disaster recovery plans and DR/failover commitments of the cloud providers. They should also find out how many data centers the cloud provider uses and whether there is complete failover between data centers. Of equal importance is whether the cloud provider owns its own data centers or is leasing data center capacity from other third parties that the company does not have a contract with. Very quickly, the risk assessment in this area can become both a business continuation and a legal liability issue. Whatever the outcome of research and discussion, the company has to feel comfortable that its business will not be interrupted or liable if a cloud service fails.


7: Switching vendors

How easy will it be to switch cloud vendors if you choose to do so? Although it might be a "plug and play" proposition technically, it might be more complicated from a contractual or a cooperation standpoint.

8: On-premises licenses and contract management

If you're shifting applications from on-premises to the cloud, the optimal coordination occurs if you can make the transition when your on-premises software licenses are expiring. The cloud migration is usually not a problem if you're staying with the same vendor, but it can be if you are moving from one vendor to another. It is also important to thoroughly review (and even have legal counsel review) your contracts for pricing and other conditions and stipulations. Many companies end up disappointed when they begin to receive extra charges on their bills for different services they thought would be included in their flat monthly fee subscriptions to the cloud.


9: Vendor SLAs

Many cloud vendors do not publish service level agreements (SLAs), nor do they include them in their contracts. If you're planning to move to a public cloud, or a private cloud hosted by an outside vendor, the baseline SLAs you should require from your vendor are for uptime, mean time to response, mean time to problem resolution, and disaster recovery time. All should be written into your agreement. If they aren't, you are probably taking on too much risk.

10: Vendor liability and risk management

What is the vendor's liability for a disaster (and downtime) in service that harms your business? What if the vendor doesn't have control over the circumstances leading to the problem? (This could happen if the cloud vendor doesn't own its own data centers and is contracting for them with third parties--and the issue originates in one of those data centers.) What happens if there is a security breach of your data in the cloud? All these potential situations should be reviewed with the cloud vendor before you sign any agreement. Be sure to contact your legal counsel if there are any questions about legal liability.


By Mary Shacklett

Mary E. Shacklett is president of Transworld Data, a technology research and market development firm. Prior to founding the company, Mary was Senior Vice President of Marketing and Technology at TCCU, Inc., a financial services firm; Vice President o...