When it comes to cloud, substantial skepticism continues in many corners, but, at the same time, CIOs are becoming more comfortable with the idea of the cloud, at least for certain services. However, 2013 provided ample reminder that CIOs need to tread carefully and make contingency plans in the event that the unexpected happens. Here are four issues that CIOs should consider when planning how to mitigate the risk of corporate cloud use.
Data extortion becomes a real problem
For some companies, development environments are the lifeblood of the organization. For many reasons, they are also the kind of environment that can be moved into the cloud with relative ease, affording employees more flexibility than might be available in the private data center. However, CIOs need to bear in mind that when they move workloads to data centers owned by other people, they are bound by that provider’s rules and policies, which may not always be considered fair.
In one case, a Red Hat engineer discovered the hard way that a cloud provider may not always handle potential issues in its data centers in a way that could be considered friendly to the customer. In this case, the provider basically threatened to delete the customer’s “offending” virtual machines by saying that “if the abuse is ongoing and continued your account will simply be terminated and your server deleted.” Unfortunately, it seems that the customer didn’t actually know what was offending, so taking action was not easy.
There are multiple lessons here for CIOs considering cloud services:
- Even in the cloud, monitoring workloads so that they remain within provider guidelines is critical.
- Always read the provider’s policies and stay within their confines. If there are any questions or gray areas, get answers and clarifications in writing.
- Make sure to have an exit strategy so that it’s possible to quickly move to another provider should an existing one get on the wrong side of customer service.
NSA works hard to destroy American business and freedoms
Earlier this year, NSA employee Edward Snowden brought to light serious Constitutional rights abuses taking place inside the NSA. In the months since, there have been continued releases of information that is, quite simply, shocking and egregious. Recently, a task force appointed by President Obama released the results of its investigation into the NSA issues in a report that carries 46 specific recommendations. Some of these are significant while others are relatively minor.
In December, technology executives from some of the country’s largest companies told President Obama that the NSA’s activities are damaging American businesses as companies both foreign and domestic avoid doing business with American cloud providers for fear that they have been compromised by the NSA.
With so many jobs already moved overseas, the U.S. economic recovery in question by so many, and technology a critical cornerstone of our society, a government agency that actively works to derail our economy, Constitution, and rights was certainly a big news story this year. It also provided a number of lessons for CIOs considering cloud services:
- You can’t trust that your providers are not actively sharing information – either knowingly or unknowingly – with the NSA and other government agencies. If you have information that simply cannot be compromised, don’t put it in the cloud.
- Unfortunately, your own IT staff may be your weakest security link, regardless of whether or not you’re using the cloud. Make sure you always monitor the activities of privileged users to protect your company.
A major cloud provider shuts down with little notice (Nirvanix)
In 2013, cloud provider Nirvanix closed its doors and provided its customers with a scant couple of weeks of notice. These customers had to scramble to find alternative providers. In this case, it’s more than clear that Nirvanix really botched this closure, although I imagine that finally admitting that the company is going under has to be difficult.
That said, Nirvanix’s customers deserved better treatment and more of an opportunity to migrate their services to other providers or bring them back in house. A closure handled with so little notice has the potential to weaken confidence in all cloud solutions, particularly while the service is working to gain traction with skeptical CIOs.
The lessons here:
- Again, always have an exit plan ready to go! You never know when your own provider might have to make a similar decision.
- Consider low-risk providers, such as Amazon, Microsoft, and Rackspace. These guys are here for the long haul and are not likely to go anywhere anytime soon.
- Spread the risk if you can. Deploy services to multiple providers to make it easier to make a change should it become necessary.
Outages remain a key concern
Like it or not, cloud providers can never actually guarantee 100% uptime, no matter how many times they try to claim that they can. It’s simply not possible to guarantee that there will never be downtime. Even the best data centers achieve “only” the desired 99.999% (5 nines) uptime.
As such, there can and will be outages that can derail a CIO’s best-laid plans. This year, there have been a multitude of public outages across both consumer and enterprise cloud providers, including Dropbox, Microsoft’s Azure, and Amazon.
Remember, just because an application is being moved into the cloud doesn’t mean that it is automatically imbued with high availability magic. Architectural needs must be considered when it comes to availability, just as is the case when applications are running in internal data centers.
- More than ever, CIOs must double down on risk management when moving into the cloud.
- And, again, differentiate among different providers to 1) avoid lock-in and 2) prevent a provider’s outage from taking down all of your services.
Action Item: Moving to the cloud should no longer entail massive amounts of risk, particularly as cloud providers continue to strengthen their platforms and as vendors shake out. However, CIOs must remain ever vigilant when entrusting business-critical applications to third parties and running software in other people’s data centers. Ensure that there are always contingency plans in place to deal with both outages and outright failure of a provider’s business.