Is cloud computing the savior of business? Is it a threat to data security? Does it signal the demise of the corporate IT function entirely? These are some of the questions executives are asking about the use of remote servers in the cloud, which enables organizations to access on-demand computing capacity, software and business functionality.
Cloud computing is a young phenomenon, and it is suffering through the growing pains typical of its age. It’s also subject to many overblown claims in the marketplace, from ardent supporters and detractors alike. Although the upside of cloud computing is considerable (see “The promise of cloud computing,” Outlook Point of View, April 2011), numerous challenges lie ahead—among them, safeguarding data security and privacy, defining the contractual relationship with providers, dealing with lock-in and exit strategies, and managing the cloud services.
New research from the London School of Economics and Accenture—based on surveys of more than 1,000 business and IT executives, as well as in-depth interviews with more than 35 service providers and other stakeholders—takes a rigorous, data-driven look at cloud computing trends and usage. It is telling that the IT executives interviewed were almost uniformly more cautious about realistic timeframes for cloud implementation than were the business executives, who are especially interested in agile and cost-effective IT solutions in the near term. This caution is rooted in several implementation challenges.
Challenge #1: Safeguarding data security
Our survey asked IT executives to identify the biggest risks in cloud computing. The top answer, named by two-thirds of respondents, was “data security and privacy.” Potential adopters are concerned about the security of data outside the corporate firewall. A related issue has to do with offshore data housing, which can pose problems of legislative compliance when data crosses borders. In the short term, most companies can avoid these issues by using domestic cloud facilities.
The cloud carries some new risks, however—notably, as one of our interviewees put it, “People hack brands or hack applications regardless of what the infrastructure is underneath.” Because a cloud provider hosts multiple clients, each can be affected by actions taken against any one of them, as in distributed denial-of-service attacks—server requests that inundate a provider from widely distributed computers. This is what happened, for example, in the wake of the WikiLeaks activities: when attacks came into the provider hosting WikiLeaks, all other clients were affected as well.
However, some of these risks are mitigated to a degree by new security applications such as encrypted file systems and data-loss prevention software. Cloud providers also have the ability to invest in more sophisticated security hardware and software, such as using analytics to examine unusual behavior across vast numbers of virtual servers. Beyond this, a provider’s scale enables effective responses to large-scale server attacks through high levels of redundancy.
Concerned enterprises can also mitigate risk by employing hybrid clouds—a situation in which most servers are in the cloud, but key data is hosted internally—and by improving data governance.
Challenge #2: Managing the contractual relationship
Cloud computing contracts are a mix of outsourcing, software and leasing. Some observers have argued that contracting for cloud is simpler than traditional approaches to IT sourcing because only one contract is required instead of multiple agreements for software, hardware and systems integration. In reality, however, few software, platform or infrastructure providers meet all of a client’s functional requirements, so contracting for cloud services typically involves ecosystems of providers that must be integrated to provide complete solutions.
Cloud contracts generally focus on service-level agreement (SLA) guarantees, but the network of interactions within the overall ecosystem increases the complexity of SLAs. Software-as-a-service providers, for example, often share a single platform for all users, and so they cannot provide each client with a differentiated SLA. At present, relatively low compensation is offered by providers for breaches of SLAs, but competition should improve this situation, as should the development of cloud standards.
Our research also found that cloud providers are currently not adequately focused on meeting enterprise contracting requirements. As one respondent told us, “The problem with cloud services today is that many of the service providers have not evolved to the point that they are comfortable being custodians of data.” That is, many providers have historical roots in product development, not service provision, so they often do not adequately understand what it means to have service liability.
In response, companies should evaluate cloud SLAs in relation to their own risk management profile and the ecosystem of cloud providers. When the offered SLAs are insufficient, companies can seek to exploit multiple cloud providers for the same service. In this way they can fashion their own guaranteed uptime by creating virtual points of presence at extremely low cost. Also, companies can engage a service integrator to perform management and contractual functions.
Challenge #3: Dealing with lock-in
Exit strategies and lock-in risks are key concerns for companies looking to exploit cloud computing. There is always a switching cost for any company receiving external services. However, cloud providers have a significant additional incentive to attempt to exploit lock-in. If computing were to become a very liquid commodity, and if switching to a lower-cost provider were too easy, margins would rapidly become razor thin.
When contracting for a cloud service, executives should be aware of two forms of lock-in. The first form, technology lock-in, concerns the cost of moving a business service from one cloud platform to another. Once a company is on a particular platform, it is often more cost-effective to purchase additional services compatible with existing ones—thus increasing lock-in. A second form, institutional lock-in, occurs when technologies become embedded within organizational routines and users’ work practices. Particularly for users of software-as-a-service, such institutionalism can have a serious impact on the ability to switch cloud providers, which increases the severity of lock-in.
Providers are likely to focus on increasing lock-in as competition reduces margins. Competitors, however, will focus on reducing switching costs for dominant players. Specialist services and service integrators can help meet these challenges.
Challenge #4: Managing the cloud
Although many dramatic predictions are being made about the impact of cloud computing—among them, the claim that traditional IT departments will become obsolete—our research supports the conclusion that cloud impacts are likely to be more gradual and less linear. Nevertheless, the cloud does carry with it significant disruption to business as usual, leading to two particular management challenges.
First, once introduced into the enterprise, cloud services can be easily updated or changed by business users without the direct involvement of the IT department. And it is in the provider’s interests to develop functionality that expands usage and spreads it across the organization. So maintaining overall, strategic control of services can be difficult. This independence of the business when it comes to IT services also means that IT must work harder to gain the ongoing attention of the C-suite and to extend its strategic role.
Second, organizations are still slow in developing management capabilities and principles for operating with cloud services. Such strategies should focus on the multiple contracts needed for a cloud ecosystem. Effective supervision of usage, SLAs, performance, robustness and business dependency is vital. Monitoring the external provider’s services must be done, but internal cloud monitoring should also be introduced. Support provided by cloud providers can be variable, and organizations should develop their own support services, either internally or with third parties.
Conclusion: Resolving the tensions
Our interviews have exposed potential tensions between enterprise executives, who express the desire for command and control over business services, and IT executives, who must adopt new modes of operation when it comes to leveraging the power of the cloud. Other tensions exist as well: for example, if cloud suppliers are looking to commoditize their services, how will clients achieve the customized services they desire to support business agility and differentiation?
These tensions are not insoluble, but they do suggest that providers and clients alike must consciously address a suite of cloud challenges in the planning, contracting and management of services.
About the authors
Professor Leslie Willcocks, Dr. Will Venters and Dr. Edgar A. Whitley are in the Outsourcing Unit of the Department of Management at the London School of Economics and Political Science.