Making the Cloud Safe for IT
Author: Ashish C. Morzaria | Time: 8:00 am | In: Conferences, General
At the Enterprise 2.0 Conference last night, Google showed the picture of a “Real Google Cloud” below. There was no mention of where it is physically located, but the sheer size and scale make the “Google Cloud” seem really, really heavy (once you think about how many datacenters Google really has).
The Google presentation showed that while the company is routinely knocked for “not reaching the enterprise” the way some of the other industry players do, they really understand Cloud. What will become a larger reality is that as more and more enterprises enter the Cloud computing world, Google’s “Cloud-Cred” will start to tip the scales. As we’ve seen time and time again, the Internet (and therefore the Cloud) is the ultimate level playing field and nobody understands this better than Google.
It was an interesting discussion that illustrates one very key point:
Any Cloud solution is an on-premise installation for someone (i.e. the service provider)

This is particularly important when going through the process of selecting or evaluating a Cloud vendor. While “Cloud Computing” appears really easy and quick to set up, you still need to make sure that the solution meets the IT practices and policies you have in place for on-premise solutions. This includes, but is not limited to, data security, archiving, governance, and compliance.
The enterprise customer is ultimately responsible for any consequences of running the system (customers reap many benefits from operating in the Cloud, but they need to accept some level of inherent risk for doing so). If there is a data breach at the service provider, it is ultimately the customer who is responsible, even if none of the systems were run by or possessed by them.
This is where the Terms of Service (TOS) comes in. The contract between the enterprise and the service provider states and guarantees/disclaims specific obligations. If your Cloud TOS is dramatically different than your internal IT policies, your company could be left holding the bag. Sure, there is some work that can be done with lawyers (read: long, expensive, likely fruitless litigation), but the room at Enterprise 2.0 last night was unanimous - if something goes wrong, it is the enterprise that holds the bag.
This is not to say the Cloud vendors in yesterday’s session were disclaiming all responsibility for a properly functioning infrastructure - they were simply stating the realities. Even with a TOS that nails the vendor to the wall, it may not matter in the case of a serious data security breach. Monetary penalties will do little to restore the reputation and brand image such an incident would damage.
(Interestingly, there was very little discussion about hybrid on-premise/on-demand solutions to deal with this. The one vendor that did discuss this was EMC - their Atmos storage solution can not only balance how much should be stored on premise and in the Cloud, but also has policy management to ensure the right stuff is stored behind the firewall. More on this hybrid solution in a future blog entry.)
The general feeling from my brief conversations with some attendees is that the benefits of moving some infrastructure into the Cloud justify the additional due diligence required to make sure it is done safely.
However, another related theme was that senior management is often only peripherally aware of these issues. It typically falls to the CIO or IT Group to recognize these dangers and to solve them on the fly. In the rush to gain the advantages and efficiencies of the Cloud, IT would be very wise to push back on demands from higher up and do the proper due diligence to ensure the company is protected now and in the future.