The Cloud Questions

The Board of directors (BOD) is responsible for steering the organization in the right direction by adopting well accepted governance practices. Major expectation from the BOD is that it should set the right direction for the organization to ensure that the enterprise objectives are achieved at an optimum risk and with an optimum utilization of resources.

The cloud computing wave has raised the expectations of stakeholders literally sky high. Everyone expects the magic of cloud computing to make the organization efficient, agile, innovative, and competitive at a reduced cost and at the lowest possible risk. The often quoted example is that of the electricity. Nobody wants to own a generator, stock diesel and produce electricity for their own consumption. We are so used to getting the fully metered electricity on demand, available everywhere and as much as is needed. Availability of information processing facility through cloud computing is expected to do the same.

No capital expenditure, on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service are the essential characteristics of cloud computing. In short, the way electricity is available at the push of a button, we expect information to be available with same ease without any capital investment.

This model works for type of information we search on Google but when it comes to corporate information, or even personal information, our expectations change. To get such information on tap, we have to give a lot of data. If it is our personal data, or corporate data, we are concerned about its accessibility, confidentiality, integrity and availability. Even if one looks at the IaaS model where one is hiring only the hardware, one still has to worry about the location of the cloud data center, transboarder data flow, multitenancy, and data disposal. The PaaS and SaaS have all these concerns and many more.

Decision to adopt the cloud is thus not a technological decision but a business decision. How much of the business data, processes, information and knowledge can be exposed to the outside world? Cloud computing necessarily requires us to share the resources. That is how we get the tremendous flexibility without upfront investment. If the business grows exponentially, the IT costs do not have to grow at the same rate. You hire the infrastructure or services as needed and stop using them as soon as the demand reduces. However, the data, information or processes that are deployed on the hired infrastructure have to be well guarded. Otherwise they may be accessed, copied, leaked and your corporate ‘intellectual property' may be lost forever. BOD should ask the following questions to the management team before they commit to adopt any model of cloud computing.

• Ask for business cases giving both sides of the coin, the value and opportunity costs as well as the risks. Are there strategic advantages in embracing the cloud?
• Make sure that the cloud plan benefits the stakeholders. It should optimize the risks and resources and help achieve organizational objectives.
• Will the organization be exposed to large risks? Is there an acceptable risk management plan?
  
  Has a new organizational structure been envisaged? There could be sharing of responsibility with the cloud service provider (CSP). However, the accountability rests squarely with the organization. Completely new RACI (responsible, accountable, consulted, informed) chart will have to be drawn.
• Have the processes to be handled by CSP clearly identified? Many business processes may be too complex and sensitive to be shared with CSP.
  
  Have the SLA, OLA, legal agreements clearly spelt out the expectations? Remember, organization is fully accountable for any lapse of the service.
• Will the work force easily adapt the changed work pattern? Is the organization culturally ready to change the age old way of doing things?
• Is the organization ready to give up some investment in IT which has not reached the end of life?
• Has the organization accepted the fact that the decision to go to the cloud may be irrevocable?
• Will the business case, built to justify the cloud, be periodically revisited?
• Will there be periodic review of the cloud strategy?
• Will the return vs. risk figures be measured and reported?

Cloud computing is here to stay. Most of us had already started using it without knowing it when we first joined Hotmail, Yahoo or Google mail. Corporates are also fast catching up with the advantages of the cloud. However, since corporate information is much more sensitive, valuable and vulnerable, careful planning is required.

The advantages of cloud are overwhelming. A startup can use the computing power of many super computers without having to set up the infrastructure. Perhaps we are being over cautious about the risks. But better be safe than sorry. The governance guidance by ISACA that focuses on meeting stakeholders' needs by value creation through benefit realization, risk optimization and resource optimization, gives excellent direction for planning entry into the cloud.