Why isn't cloud computing being adopted as quickly or as pervasively as we would expect? Marc Schiller says it's about fear, but not the kind of fear you think.
Cloud computing is all the rage. Everyone's talking about it. Every day there's a new story — or 10 — about cloud computing and all the great economic and operational benefits it will bring:
- Reduced infrastructure costs
- Increased deployment flexibility and speed
- Decreased internal overhead and personnel for managing utility-like services
- Consumption-based payment
It all looks so wonderful. In fact, it seems that for once we all seem to agree on something.
In our small company, we run everything in the cloud: mail services, accounting, collaboration apps, and e-commerce — they're all managed outsourced services. We don't really have much of a data center, just a whole lot of bandwidth.
Until very recently, I thought that pretty much everyone was headed in this direction. I knew that as a small tech company we may not be quite the norm, but I still expected to see wide-scale adoption of cloud computing services. Boy was I surprised to see a recent ISACA survey of its members. (ISACA is an international organization of IT professionals focused on IT security, audit, and compliance. They have been around since 1967 and have over 86,000 members in 100+ countries.)
Here's what we learn about the realities in the front-line of cloud computing from the guys and gals who are on the critical path to bringing cloud computing to life:
- 45% say the risks involved in cloud computing outshine any benefits.
- A mere 10% plan to use cloud computing for mission-critical IT services.
- Just 15% say they'll use it just for low-risk services.
- 26% won't use the cloud at all.
Wow. That's serious stuff. Remember, this is not some random survey. These are ISACA members speaking. These are serious IT professionals.
So why is this? Why isn't cloud computing being adopted as quickly or as pervasively as we would expect?
Well, I think it's all about fear. But probably not the kind of fear you're expecting.
Lion, tigers, and bears ... oh my
There are three principal reasons given for not moving to the cloud:
- Data security and privacy
- Performance and interoperability
In other words, people seem to be staying away from the cloud not so much because they don't believe it will work, but rather because of good, old-fashioned IT risk management.
But how could that be? Cloud services have matured substantially since their early days. In fact, these risks have been largely eliminated with the introduction of specialized and customizable offerings from companies like Amazon with its Elastic Compute Cloud.
Such offerings provide access into the back-end systems of the cloud providers as well as transparency and direct control into the cloud services — much the same as if the systems were within your own four walls. Servers can be segregated both physically and virtually. Security is configurable to eliminate shared uses with other companies at the hardware, software, operating system, application, or data level. Just name the type of security, performance, or governance feature you would like from your cloud provider and it's out there, available right now.
Bottom line: Today moving computing services to the cloud: (1) makes good business and operational sense and (2) involves little risk. So why are so many companies still afraid to do it?Is it really about the cloud?
To answer the question, let's revisit the most frequently stated reasons for not moving to the cloud: security, performance, and governance. I want to challenge you all to answer this simple question: Aren't these all challenges you already face today within your own data centers? Aren't these the very core concerns of IT risk management with which you must deal every day?
Stated more bluntly: Don't you already have these issues under control and well defined for all your systems today? Are these core concerns (or the way you deal with them) really all that different, based on the location of servers and the name of the company on the paycheck of the people doing the day-to-day work?
Let's be clear: I am not suggesting that moving to the cloud doesn't involve change to how you manage security, for example; sure it does. But you are already in the business of data security. You are already doing proactive vulnerability checks on your internal systems. You are already seeking out data security holes to protect against internal and external hackers, right? What? I can't hear you.
And it's not just data security that you take care of. Don't you already have in place a smooth, well-running performance management system with rock-solid control over critical services like performance tuning, backup and restore, fault management, and disaster recovery? What's that? A little louder please, I don't hear the chorus of YES.
And in terms of governance, don't you already have the appropriate budget allocation models, cost controls, and reporting in place? You know the stuff that you can easily adapt to the cloud services.
With all these key controls in place today for your internal systems it should be a breeze to move to the cloud. Just make the appropriate modifications to your protocols based on the customized services of your chosen vendors, and off you go.
OK, enough sarcasm
So, here's what I really think is going on: The people who don't completely have their acts together in these critical areas within their own shops are the same folks who are decrying the cloud's vulnerabilities in these areas. And they're doing so precisely to mask their own weakness in these same areas. For those companies, the whole prospect of moving to the cloud — when they themselves don't have a rock-solid grip on all these things — is deeply unsettling. They're afraid that such a move will expose their weaknesses, will be embarrassing, will cause system interruptions, and will expose to the world their own vulnerabilities, not the cloud's.
What I'm trying to say is that the hesitation of moving to the cloud for so many IT leaders is not about the challenges in the cloud per se, but rather in the cloud-readiness of their overall systems. So instead of saving a whole bunch of time, money, and resources by moving to the cloud, these poor folks would have to actually shell out a ton of money to address core issues of security, interoperability, and governance in order to get to the cloud.
Let's be fair
If you find yourself in this plight, you are not alone. And let's be honest: It ain't so easy to get all this stuff right. It's easy to talk about having rock-solid control on security and privacy; it's another thing altogether to actually do it. In fact, it's extremely tough work. You don't have to look far to see that's the case. Practically every month we learn of a new way to breach Microsoft's OS. Yes, even Microsoft — which has a gazillion dollars to make its software perfect — has difficulty with security.
So let's have a little respect for the very real challenges IT leaders have in those so-called "mundane and commoditized" areas of IT security, performance, and governance.
Here's where it gets fun
So what is a serious and responsible IT leader supposed to do in this situation? How are they supposed to take on and, more importantly, justify the potentially large costs of moving to the cloud?Remember Y2K? Sure you do. And I'm also sure you remember what was really going on. Under the cover of a potential computer "disaster" that would shut down the world, corporate America used the Y2K crisis as a front to essentially revamp all their core financial and operational systems, which they needed to do anyway. The Y2K imperative just helped IT leaders to do the right thing.
I believe cloud computing represents a similar opportunity. Precisely because it is everywhere and the executive suite so buys in to it as the way to go, IT leaders once again have Y2K-like leverage to do the right thing.
Rather than being afraid of exposing the security, operational, or governance weaknesses in your system (read the costs in remedying these weaknesses) on the way to cloud computing, use it to your advantage. Join the cloud computing bandwagon, but explain about the important up-front investments that need to be made in order to effectively get to the cloud.
Use the cloud computing momentum to open up some budget to address the core issues of security, interoperability, and governance that would otherwise go unfunded. It's always going to be scary to ask for a couple million dollars just to make all your internal systems secure and compliant, but moving to the cloud provides the perfect cover story. Best of all, it's all true. There are real benefits of moving to the cloud, which we all acknowledge. The only issue is unlocking the resources to do it properly.
So fear not. Grab hold of the opportunity. With a single bold move, you can both rescue the damsel and slay the dragon — get the benefits and ROI of cloud computing and address those notoriously unsexy but critical areas of security, interoperability, and governance.