When You Put it That Way - Guernica

The vendor will also be responsible for incurring all of the infrastructure, maintenance and high availability costs. In most cases reliability will be far better than current on-premises solutions and you will also have service availability across multiple geographically dispersed locations without incurring the cost of maintaining them. Overall, you will be able to provide better levels of service to your staff, at only a fraction of what you are currently spending, making it hard to argue that the cloud is the best option for providing this type of service. There is of course the concern about control. There will be some “control lost” using a cloud solution and this may be more true depending on the vendor and terms of service provided for the solution. As an example, most administrators will argue that they have less control because they are less able to do comprehensive troubleshooting to support the specific service today. In reality, however, most cloud based services offer (and the best ones guarantee) certain levels of service, some of which exceed 99% availability. If the service is in fact more reliable than the service you are providing today, than perhaps that level of control is outweighed by the overall reliability of the solution (if the service is always available, there will be less to troubleshoot). This is one example of weighing the overall benefits against the perceived loss of control.

 

In these examples, the first two options (driving and private air travel) are similar to on premises IT solutions. These are methods of travel that will certainly work, but they are not necessarily the best options for me or my business. The third option, which is to fly on a commercial airline is an example of standardized, cloud based service. While I am giving up some perceived levels of control and flexibility, the overall value and the quality of service that I am getting make it the most reasonable alternative.

"When You Put It That Way" 

Saftey (Security) is my top priority… until it’s not my only priority

Finally, one aspect that I’ve yet to discuss is security, and this is one of the most common concerns when moving to the cloud. This is also an area of the cloud where we can use the travel analogy to recognize the benefits of utilizing the cloud versus on premises solutions. In my first example (driving my own car), I am literally “in the drivers seat”. This not only means that I am able to tailor my trip (or solution) so that it meets my needs or requirements, but the responsibility of safety and security also fall solely on my lap. I have to insure that my car is running well and safe to drive, I have to insure that all of the routes are through safe areas, and I have to insure that I am driving at safe speeds, obeying traffic laws and wearing my seat belt. Now on paper at the start of my trip I put together a plan that includes having my car tuned up before I leave, always driving the speed limit, sticking to my planned route, and always wearing my seat belt. Now, this is a very sound plan and seems like it is pretty safe and secure, but already I have made a few concessions with regards to my safety and probably don’t even realize it. For example, my car does not have the highest safety rating available, or may not even be considered in the top tier for the safest cars available. So if safety (or security) is my top concern I could go out and buy a safer car, but that just isn’t financially viable so I accept this risk and move on. This is very common in most on premises data center environment today. When looking at the types of security of solutions available on the market today, most of us don’t have the money to buy all of the “best of breed” solutions available today, but instead we balance the cost of security with the levels of security we require. There are other examples of where I may have “cut corners” with regards to safety or security. Another example would be the types of diagnostics and testing I run prior to beginning my trip. I certainly won’t go out and have my car’s safety rating “re-certified”, and the “tune up” I have done on my car was done either by myself, by my chosen mechanic, or by me personally, none of which probably follow any documented standards for safety or service. To draw a parallel to the cloud, when I utilize a cloud service, I am hopefully choosing a vendor that has obtained 3rd party security certifications, exercises absolute change control, utilizes best of breed security solutions, and constantly monitors and audits their environment. I’m sure you can continue to identify some concessions that are made with regards to safety in this scenario so I won’t continue to list them.

So I’ve made a few concessions already with regards to safety but these concessions are risks that I accept before beginning the journey. Once my trip begins I am even more likely to compromise safety and security. Let’s say for instance I hit some traffic or get a late start one day and need to make up some time. I will probably elect to drive a little bit faster than the posted speed limits or even divert from my planned route to try and makeup time. Maybe I decide to drive through some bad weather like snow or thunderstorms so that I don’t lose any more time. At the beginning of my trip I had the best intentions to keep safety as my top priority, but as I started to put my plan into practice safety or security, took a back seat and I decided to make some additional concessions. This is similar to what happens in the real world today. Many organizations are faced with deadlines, outages, or changing priorities which cause them to deviate from their original plans or prompts them to circumvent the necessary change control process. Those of us with IT experience have all been in situations where if something doesn’t work, we say “let’s take away the firewall or elevate permissions and see if that works”, with the “intention” of using it as only a troubleshooting step, but sometimes, we eventually accept this as a solution. In cloud models, vendors have a responsibility to their customers to provide the highest levels of security and reliability. These vendors develop and strictly adhere to well defined processes to insure they are able to deliver on these guarantees. 
There are many more examples of the hazards of self-imposed security. Most of the examples, outlined for the previous scenario, also apply to the second travel scenario as well (private air travel). When we fly on a private plane, we are in fact getting more sophisticated security as well, such as those travel restrictions placed on us by the FAA, but we also have the opportunity to circumvent some of this security. For example, when you fly a private plane, your luggage may not be screened nor will any items brought on board by other passengers or the plane’s crew. In addition, we have the ability to pick and choose what security and safety measures are followed both before and during the flight. This may mean skipping a few safety checks to expedite departure time, or even risking flying through less than optimal weather conditions to alleviate costs that will be associated with delaying or cancelling the flight. Even in the most sophisticated private data centers and technology environments, there are some security measures that are breached or not implemented due to cost or priority. For example, if making a critical deadline means circumventing some change control, or providing elevated access to a contractor, we are more likely to take these risks when put under the pressure of our day to day jobs. In a cloud environment, vendors are incented to make security a priority, and should have well documented and enforced change control and security measures in place. There is a significant cost and level of effort required to maintain these protocols and processes, but this cost is incurred by the cloud vendor and it is in their best interest to continue to insure that these processes are enforced and adhered to.

Finally we have our third option and that’s commercial air travel or the cloud. We’ve all heard the cliché about air travel being safer than driving, but the fact of the matter is the percentages of fatality and injury rates related to automobiles are drastically greater than the relative percentages of air travel injuries and fatalities. When flying commercial I think we can all agree that we are subject to much more sophisticated and thorough (sometimes very thorough) security protocols and procedures. Every passenger and all baggage (both passenger and crew) are thoroughly screened before being placed on the aircraft. All equipment is maintained and checked periodically and required to be certified prior to departure. All processes for providing and guaranteeing security and safety are well defined and enforced. These processes and procedures are in place not just because of the moral obligation to protect the lives and safety of passengers, but also because it is ultimately in the best interest of the airline, or the entity providing the service. Not only do 3rd party agencies like the FAA and TSA enforce these security standards, but the airline itself has a lot to lose if there is a catastrophe, or a public disclosure relating to compromised security. This also holds true with regards to cloud service vendors. It is paramount that the highest levels of safety, security and reliability be provided because even one incident could essentially jeopardize their existence. For this reason, cloud vendors undergo rigorous 3rd party testing and certification on an ongoing basis to guarantee that customer data is safe and secure in their data centers.

For sale: 2008 Gulfstream G550

As organizations consider moving to the cloud, there is an overwhelming apprehension because it is a new way of doing things and there are certainly a lot of questions that need to be answered before technical and business decisions makers can feel comfortable adopting the cloud as part of their environment, solution or service. This apprehension is natural and healthy, but ultimately business and IT leaders will realize that the cloud is an important vehicle in making IT a strategic asset to their organization as a whole. The cloud provides the most cost effective, innovative, efficient, reliable and secure infrastructure and services available today. It is important to understand that the cloud is not outsourcing of these IT of services, but instead it’s a way of providing better levels of service in a manner that allows them to focus IT on driving and enabling the business and goals of the organization, instead of getting bogged down with the business of running IT. Just as organizations today rely on services like air travel to enable their most valuable assets, their people, to perform their job effectively; the cloud gives organizations the opportunity to insure IT supports the business, without requiring the business to support IT.