CFOs are increasingly becoming aware of the pitfalls associated with the adoption of non-trivial, enterprise cloud computing solutions, which is an important factor in helping them make appropriate cloud decisions for their organisations. Commonly quoted pitfalls relate to concerns about data privacy, uptime, and security, total cost of ownership, vendor lock-in and jurisdictional considerations.
Hybrid cloud is becoming the norm
Organisations that have successfully implemented standalone enterprise cloud software systems feel that they may have won the war against complexity in enterprise IT. That feeling may not last too long, however, once the need for integration between these separate cloud systems arises. Factors driving the need for this integration often include consistency of user experience between systems, elimination of data silos and enterprise reporting across disparate systems, to name but a few.
Not too far down the path of integration, it soon becomes apparent that IT costs increase, as do the challenges of managing the increasingly complex ecosystem. Gartner, in its 2012 predictions, states: "Cloud consumers should budget for additional integration costs which can range from 10 per cent to 30 per cent — and sometimes as high as 50 per cent — of the total cost of cloud IT projects." The message is clear: know your cloud strategy, roadmap and future cost exposures.
Hybrid cloud, as its name implies, is made up of a number of separate systems, cloud or otherwise. While remaining separate entities, they are integrated in one form or another.
Gartner states: “Within five years, it will be primarily deployed by enterprises working in a hybrid mode”. My view is that it will most likely be a lot sooner than five years.
The paradox of simplification in the cloud
The paradox in implementing cloud is that on the one hand, it simplifies enterprise IT by abstracting away all the underlying complexity, while on the other hand, once integration with other systems, cloud or otherwise, is added into the mix, this simplification rapidly turns into added complexity.
The hybrid cloud ecosystem soon becomes a complex set of moving parts that require meticulous design, implementation and operation, all of which are typically abstracted away from the users – leading to the apparent sense of simplification.
In the midst of this environment, traditional IT security models are not always up to the task. One example is the focus on perimeter security, which may have been appropriate for conventional on-premise IT systems but is often inadequate in the cloud paradigm, where data and workloads sit outside any single network boundary.
Essentially, managing this mix of technologies, platforms and solutions becomes harder, not easier. While individual cloud instances may be built on a scalable, robust and resilient security model, the hybrid cloud environment may be less than robust due to its complexity. That’s the paradox.
The shift from IT technical risk to systemic risk
Conventional IT risk assessment methodologies typically revolve around the identification, categorisation and ranking of the technical and functional risks.
These risks are often framed around the logic that the risk of a specific event = (impact on the organisation x probability of that event occurring) + risk adjustment, and are then categorised into functional areas or other groupings that are relevant to the organisation. This process typically underpins conventional risk certification frameworks such as ISO 27001.
Most importantly, focusing on the diverse range of individual risks does not necessarily account for the interaction between risks, and it is these interactions that often manifest themselves as systemic risks. Systemic risks are typically the greatest threat to organisations.
In the context of your hybrid cloud, the systemic risks of the overall cloud ecosystem need careful consideration; do not rely solely on the individual technical or organisational risks.
The bigger question facing all CFOs trying to come to grips with the cloud computing phenomenon is whether everyone who takes security seriously shares the same, broader systemic view of risk and security. If not, then maybe it's time for you, as CFO, to start asking some obvious questions of your organisation.
Rob Livingstone is Principal of Rob Livingstone Advisory Pty Limited and a Fellow at University of Technology, Sydney