Earlier in the week, I saw a couple of tweets go by with comments such as “they dare to post this blog”. I got intrigued and clicked on the link. It brought me to an SAP on the Cloud blog guest post by Chris Heffer, titled “Why I don’t care about cloud computing”. I thought it might be worth reading.
In theory, Chris is correct. Users should not have to care about where IT comes from. To use Nicholas Carr’s analogy, you don’t care about where your electricity comes from either. Chris just happens to be a little ahead of the curve. The analogy holds for three main reasons. Let’s review them one at a time.
Has IT transformed itself?
Not caring about IT implies you fully rely on one environment to source and use the functionality you require. This implies all available services are concentrated and managed through a single user experience. This actually sounds very much like converged cloud, the subject of my previous blog post. But we have made a couple of assumptions here:
- IT has a clear understanding of what the users want, which implies a clear governance process
- IT gears up to deliver on that and, because it cannot deliver everything in-house, IT becomes a service broker
- In becoming a service broker, IT sources services from external providers and integrates them into IT’s overall environment, taking care of managing security, financial transactions and service level agreements
Most IT departments are not there yet; that is why we see so much shadow IT in most enterprises. To use the energy analogy, IT is becoming the power company. Typically, it generates some power itself, then sources more from the market. It uses the grid to transport the energy to the end user, who only has a couple of wires and a meter to care about.
The analogy only goes so far, but it’s a great tool to refocus the thinking. How should IT be structured? You have an operations department responsible for delivering the in-house services, a sourcing department looking after the service providers and finding new ones, a development department responsible for integrating the services, and last but not least a “sales” department interacting with the users to understand their functional and resource requirements.
In my mind, transforming IT is the first thing that needs to be in place to achieve Chris’ vision.
Do we have an integrated view of risk?
Once we recognize that services are sourced from service providers, we build an open IT environment in which data circulates between internal systems and service providers. Do we understand the implications of such an approach? How much are we putting the enterprise at risk? We regularly hear about security breaches, and in many jurisdictions service providers are not legally obligated to notify their users of such breaches. Who knows how many go unreported.
So, where do we go from here? I would suggest a three-step approach:
- Understand where data is located (data at rest) and where it flows and is used (data in motion). Identify the sensitivity of the data. Frankly, about 80 percent of an enterprise’s data is not sensitive enough for a breach to have major implications. It’s the sensitive data that needs to be secured first.
- Have a detailed discussion with the service providers on how data is protected while within their perimeter, and what responsibility they take for that data. You may want to go back to the 5 CNIL recommendations I mentioned last week. Also understand the “supply chain” of your service provider. Which other players does it rely upon to deliver the service you consume, and how are they addressing security? A weakness at a subcontractor you have never heard of is still your breach.
- Take an end-to-end look at security, from the user device all the way to the service provider and back. How is data protected in transit and at rest? How are confidentiality, integrity and access control ensured at each hop?
With that in mind you can now assess the weak spots in the ecosystem and decide whether you can live with them or need to do something about them. That is where risk management plays a role: what risks is the enterprise prepared to take?
Beyond this, you may want to educate the users on the subjects of risk and security in the cloud. Looking back at our energy provider example, you might tell me you do not get any information from your energy provider. That’s because, on the one hand, you have no option other than to go with one of the providers available in your region. On the other hand, providers have built pretty robust environments over the years. And occasionally you get a blackout and there is little you can do about it.
From an IT perspective, we are not that far yet, and the user has many choices. He or she often makes choices without a full understanding of the implications. There is nothing malicious about that; they are simply unaware of the potential risks. So, pointing these out to them is important.
What about compliance?
The third area is related to compliance. The cloud is global while the law is local. In our day-to-day job, we have to comply with the regulations of our region or country, and data placed with a cloud provider may well sit in, or be accessible from, a different one. Let’s be honest, laws are not always easy to understand. They are written in language that leaves most nonprofessional readers scratching their heads. But noncompliance can have a high cost. To come back to Chris’ point of view, not caring about where IT comes from implies fully trusting both the internal IT department and all the service providers used. That attitude may not be a wise one, knowing how some service providers take liberties with privacy rules, for example.
Because laws are difficult to understand, they need to be translated into terms that the user comprehends. This work should be performed jointly by legal and IT, and become part of the education process we talked about earlier.
Users don’t want to have to care about where services come from. They just want to consume the services. That vision holds, but it should remain an aspirational goal for the moment. In the meantime, IT should transform itself and become a strategic service broker, sourcing services and only developing what is core for the enterprise. Along that transformational road, IT should listen to the users and gain an understanding of what they are looking for. And as shadow IT continues to flourish, users should be educated on the implications of their choices for enterprise security and compliance. So, yes, not having to care about the cloud as a user is a great vision, but the current reality forces us to be pragmatic and care. What do you think? Write a comment below, or join us on the associated LinkedIn discussion.