At the December 18, 2012 Wikibon Peer Incite Research Meeting we heard how ViaWest is enabling tier 1 applications to move to the Cloud. This is good news for organizations. Just as we saw virtualization/private cloud applications move from predominantly test and dev up the food chain into tier 1 apps, it appears that infrastructure-as-a-service providers are beginning to step up to the plate and enable similar capabilities, built on all-flash arrays (for example) and pinning quality of service to app delivery.
For CIOs this brings the issue of data governance front and center. Specifically, who is responsible if something goes wrong? Security, privacy, data protection issues: all the bugaboos of cloud now become front-and-center items for CIOs and their staffs. In the experience of Wikibon practitioners knowledgeable in these matters, cloud service providers take little to no responsibility for data governance. Instead, the governance risk falls squarely on the shoulders of the customer. A thorough read of the SLAs of any cloud service provider makes this pretty clear.
That said, SLAs and policies of CSPs vary widely and can have major impacts on how data governance processes will be addressed in the cloud and what risks customers will need to absorb. In particular, the degree to which the CSP collaborates and shares risk with customers on such issues is fundamental to understanding data liabilities.
Amazon AWS, for example, for all its benefits, is the poster child for data governance red flags to CIOs. Its SLAs are tuned for self-service and scale, not for customization and aligning with the edicts of most mid- to large-sized organizations. To the extent that tier 1 apps (often running on block-based storage) will reside in the cloud, customers should understand the risks associated with data governance and the degree to which CSPs will support organizational goals.
The following eleven questions should be considered when moving any apps, but tier 1 apps especially, to the cloud:
- Can the CSP really support enterprise apps beyond test and dev?
- How flexible is the CSP with respect to the terms and conditions of SLAs – e.g. will the CSP alter the terms to meet my organizational needs?
- How robust is the network and how will latency impact the performance of my tier 1 apps?
- What happens when the CSP takes an outage? What is the penalty?
- How flexible is the CSP with regard to security/auditing/compliance practices?
- Can my auditors go on site to inspect the facility?
- Will the CSP security team meet with my security team?
- How are security incidents defined and reported, and is there flexibility in the processes – or is it “one size fits all”?
- Where will my data be stored, and is there transparency regarding physical location of data?
- What type of access do I have to the CSP's professionals, what does fast response time cost, and what’s the CSP's track record with regard to support?
- Complexity - What changes do I have to make to my applications to make them run properly in the cloud, i.e. are there nuances around latency management, location management, and SLA management?
Action Item: Inevitably, tier 1 apps will move to the cloud over time, and there's clear evidence it's happening sooner rather than later. The benefits of cloud are well understood but exposures remain. Depending on the selection of service provider, the rewards may often not outweigh the risks. CIOs must consider the policies and posture of cloud service providers and the impacts on data governance strategies prior to developing cloud plans. The degree to which the CSP will collaborate with customers, and the flexibility of those service providers with regard to transparency, access to human capital resources and willingness to adjust Ts and Cs, are important indicators as to how much risk the CSP is truly willing to share.