Making the Cloud Safe for IT
Author: Ashish C. Morzaria | Time: 11:00 am | In: Data, Security
As I wrote last time, developing an Enterprise/Web 2.0 product inside a security-conscious company is interesting because you get to see “the other side of the coin”. So while we are developing cool new applications and addressing as many issues as possible, even the great mighty Google generates concerns for corporate IT. I just received an email from our IT department informing us about how Google Apps does not meet corporate IT policies, and usage of such a tool for internal purposes opens up quite a bit of risk in terms of confidentiality, security, and traceability.
What’s really great is that our IT group recognizes that people will use the Web 2.0 tools they like and it is unrealistic to block and stop every possible egress for the company’s data. Whether it is IT putting its trust in the users, or the fact they may not have any choice, it is now up to us users to make sure we aren’t putting confidential content into something like Google Apps. It would be interesting to find out if IT trusts us or knows we’re going to get into trouble anyways.
Vendors so far have taken different approaches to the problem, and there isn’t really a “right” answer (yet). Like any new, nebulous problem, the vendors’ marketing messages vary not only by content, but even by category – such as by what “type” of Cloud to deploy with:
Full Cloud: This is a completely SaaS-based solution – think Gmail, Salesforce.com, or any other solution that requires neither on-premise software nor any client on the user’s machine.
Private Cloud: A completely on-premise Cloud hosted by the company itself. This provides some of the benefits of Cloud computing without exposing users or content to the Internet. Consider solutions such as Office Web (the new online version of Office 2010 that can be internally hosted by customers). Users of a Private Cloud must be within the corporate network, whether that is on-premise or via VPN. This does not necessarily mean virtualization, although some vendors consider this a form of “Private Cloud”. The downsides include increased support requirements on IT and lack of integration with traditional systems (more on this later).
Hybrid Cloud: This model attempts to gain the benefits of Cloud Computing while preserving some of the benefits of on-premise software. Users still connect to the Cloud, but perhaps some corporate content doesn’t leave the company, or at least it is audited. This is the optimal solution for the customer, provided it works. Nothing comes for free, and the software vendor needs to invest more heavily in abstracting the complexity of systems in two locations that are managed by two different teams.
While I could handle using a hosted/Private Cloud version of Google Apps, it limits my ability to work with business partners and contractor teams. The Hybrid Cloud idea would let me continue to collaborate with whomever I needed to, but Google would have to provide some seriously enterprise-grade management and auditing features to keep track of me - not an easy task, and not one I’ve seen anyone solve yet.
So back to my “warning” email: If there was a way for the IT Group to track the content being contributed to Google Apps and know when I started violating policies, Google would have a chance to be more pervasive in the enterprise. Isn’t that what any vendor wants? (Although with the Apples and Googles dragging their feet sometimes, perhaps there are exceptions).
IT would have a bird’s eye view on my activity and I may feel like Big Brother is watching me, but in reality, that’s what my employment contract says already: IT has the right to view my mail and anything on my company-issued laptop is the property of the company. The problem is that it is virtually impossible for IT to watch everything that everybody does every day on their laptops, so I am not watched as closely as I could be.
To make the Cloud “Safe for IT”, software vendors will be judged far more harshly and will have to go above and beyond the efforts required for enterprise-class on-premise software. To make the solution compelling for IT, the product also needs to abstract the complexity of such a hybrid topology so that it is no harder to manage or maintain than anything already in the server room. Initial products will focus on getting the formula right - a great user experience with seamless integration between the Cloud and the enterprise, but the rubber hits the road once those painful but necessary IT requirements are properly satisfied. It’s a question of “when”, not “if”.
In the meantime, I’m thankful that IT departments are starting to “get it” when it comes to the usefulness and popularity of Cloud-based offerings (whether they are Google Apps or Facebook). The fact that the IT department in the company I work for is one such department - well, that’s just a bonus.