Saturday, August 08, 2009

Open For Business

Google is getting serious about business. Have you noticed they removed the "beta" label from their Google Apps products? This was just one of Google's steps to show that their predominantly consumer-oriented services are open and ready for business.

But are businesses ready for Google?

Microsoft must think so judging by its recently announced free (for Windows Live users at least) online versions of Word, Excel, and PowerPoint planned for 2010. Google countered by announcing its free open source operating system, Chrome OS, due in 2010 and initially aimed at the netbook market.

Microsoft currently offers their fee-based Business Productivity Online Standard Suite that bundles online versions of Exchange, SharePoint, Live Meeting, and Office Communications with a monthly per user cost of $15.

Google's current Apps Premier Edition (PE) aimed at business users includes Gmail with Postini Services, Contacts, Calendar, Docs (presentations, spreadsheets and documents), Sites (wiki), Chat and more for just a little over $4 a month for each user.

Business In The Cloud

Online cloud services, long dominated by personal (consumer) use, are beginning to pervade business. Employees increasingly access their personal email, chat (IM) and social network sites in the workplace. Some businesses recognize this trend and have amended their acceptable usage policies to moderate cloud service use, while others strictly prohibit cloud services.

Regardless of businesses' tolerance for personal cloud services, core IT business services remain primarily within the domain of on-premise software safely nestled behind the corporate firewall. This is the model companies have long relied on to keep their information safe, secure, private and readily accessible. Unfortunately, this on-premise model is becoming more complex and costly to support.

In today's bleak economic climate, CIOs are faced with tough decisions for reducing IT costs and meeting demand without negatively impacting services. Cloud services offer alternatives to on-premise software that might help with this dilemma. Still, most businesses are unwilling to give up control to the cloud.

Show Stoppers

Businesses are not quick to jump on the cloud services bandwagon. They have issues, and rightly so.

Perhaps the first concern for most organizations is dealing with change. Change is not easy and can be costly even when done correctly. And when it's not done correctly, it can be disastrous.

Change makes people uncomfortable and many would like to avoid it. Change requires new procedures and training. And despite promises of improvement and added value, change is unnerving for some.

Change issues aside, the major areas of concern for implementing cloud services are:
  • Accessibility
  • Security & Privacy
  • Data Portability

Accessibility

A major concern for cloud services is being able to access them when needed. Traditional on-premise critical services like email and ERP applications rely on a local area network (LAN) architecture. Cloud services add another layer by requiring Internet connections with ample bandwidth typically through a wide area network (WAN) services provider.

To improve service reliability, businesses should eliminate single points of failure by deploying multiple Internet connections or even multiple WAN service providers. In addition to traditional wired WAN connections, organizations should deploy wireless WAN connections (3G/EV-DO/HSPA or 4G/WiMAX) to counter the infamous "last mile" wired WAN failures.

Even all this redundancy does not preclude cloud service provider outages caused by external attacks on the provider's site (such as a DDoS) or by service provider equipment failures. However, industry analysts agree that cloud service providers are typically better at securing and maintaining their systems than most businesses.

Businesses should address outages in their contract with the service provider. The contract should define the expected service level and remediation process in the event of an outage.

To prepare for inevitable service outages, it's a good idea for businesses to develop contingency plans that define what to do during an extended outage. Contingency plans should also be developed for internally hosted services as well as for externally provided services.

Security & Privacy

With reports of security breaches and compromised data, security is a critical factor for everyone. Businesses want their information safe and secure from unauthorized access, and regulatory requirements mandate information privacy.

A practical, well-defined security policy is critical. This does not mean developing a nice neat document that's filed away and rarely referenced. An effective security policy must integrate with all aspects of IT and be enforced by automated procedures and constant audit processes.

Major security policy components include:
  • User Access - Also referred to as AAA or identity and access management (IAM), it includes authentication (typically user ID and password), authorization (approve or deny access to specific services/data), and accountability (user access logging). Since cloud services primarily rely on passwords for access, it's important to implement strong password policies.

    Passwords should be unique (a different password for each service), long (ten or more characters), and arbitrary (no words, names or meaningful numbers) with varying characters (letters, digits, special characters). A secure password management tool is needed to effectively enforce this policy.

  • Data Encryption - Data should be encrypted in transit and when stored to render it useless if intruders intercept a transmission or break in to a server. Encryption is the best way to ensure the privacy of sensitive information. Cloud service providers should encrypt or otherwise obfuscate stored data. Connections to the service provider should also use encryption techniques like TLS or HTTPS.

  • Patch Management - An effective software update process must continually patch software vulnerabilities to prevent exploitation by an intruder. Zero-day attacks are on the rise requiring continual diligence to mitigate risk. Software vulnerabilities exploited by malware must be patched quickly.

  • Data Loss Prevention - Regardless of all the security provisions in place, the potential for corporate information ending up in unauthorized hands still exists. Regulatory requirements from HIPAA, SOX, GLBA, and PCI-DSS mandate the protection of sensitive information from misuse by both authorized and unauthorized users. Data loss prevention solutions can help businesses and service providers mitigate these risks.

Theoretically, controlling access and securing data should be fairly simple. The reality is most companies are unable to implement and maintain good security practices.
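The password rules listed under User Access (unique per service, ten or more characters, no words or meaningful numbers, mixed character types) can be audited automatically. The following is an added example, not part of the original post; the word list, service names and passwords are constructed, and the word and year checks are heuristics rather than proof that a password is arbitrary.

```python
import re
import string

MIN_LENGTH = 10  # "ten or more characters" per the policy above
# Constructed sample word list; a real audit would load a full dictionary.
COMMON_WORDS = {"password", "welcome", "google", "summer", "admin", "john"}
# Undo common substitutions so "p@ssw0rd" still matches "password".
LEET = str.maketrans("@0134$5!", "aoieassi")

def check_password(password, words=COMMON_WORDS):
    """Return the list of policy rules this password violates."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("short")
    classes = (any(c.isalpha() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password))
    if not all(classes):
        problems.append("missing-character-class")
    folded = password.lower().translate(LEET)
    if any(w in folded for w in words):
        problems.append("contains-word")
    # Four-digit years are a common kind of "meaningful number".
    if re.search(r"(19|20)\d\d", password):
        problems.append("contains-year")
    return problems

def audit_vault(vault):
    """vault maps service name -> password; returns service -> violations."""
    owners = {}
    for service, pw in vault.items():
        owners.setdefault(pw, []).append(service)
    report = {}
    for service, pw in vault.items():
        problems = check_password(pw)
        if len(owners[pw]) > 1:  # same password on more than one service
            problems.append("reused")
        if problems:
            report[service] = problems
    return report

# Constructed sample credentials for illustration only.
SAMPLE_VAULT = {
    "mail": "Summer2009!",
    "docs": "Summer2009!",
    "crm": "q7#Vr2!kTz9&Lp",
    "wiki": "abc123",
}
```

Note that "Summer2009!" satisfies the length and character-type rules yet still fails on three counts, which is why the policy asks for arbitrary and unique passwords as well.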

Developing and maintaining good security practices requires significant resources with specific skills. Most businesses don't have or can't afford these resources and often underestimate the complexities of security.

After all, IT security is not the core competency of most businesses. On the other hand, IT security is (or should be) a core competency of cloud services providers.

Data Portability

A chief concern for businesses contemplating cloud services is getting their data for backup purposes and to make migration to another service provider easier. Data portability requirements should be negotiated upfront with the cloud service provider and documented in the contract as part of the exit strategy.

Most cloud service providers provide options for customers to download their data stored on the provider's servers, or to store their data locally at the customer's site. Some service providers offer appliances that allow customers to host the cloud service and data storage within the customer's network.

Although cloud service providers do a great job at backing up and protecting their customers' data, businesses should have at least one backup of their own data. Using ETL (extract, transform and load) functions, businesses could effectively build a backup data warehouse that could help migrate to a new service provider.

Bottom Line

If you're wondering if your business should use cloud services, you're not alone. Many companies are looking for less expensive solutions. It's difficult to justify the cost of SharePoint for wikis and document sharing when Google Apps PE can do much the same thing for a lot less.

Yet, the same barriers remain. Microsoft is comfortable, it's known and it's always been there. But the sobering economic climate might lift these barriers and allow businesses to ultimately venture into the unknown world of cloud computing.

By Harry Hiles, HBH Technology LLC — 8 Aug 2009