Thursday, September 27, 2012

What is the "cloud" and why do we care?

Everywhere you turn today you hear about “the cloud”, from advertisements promoting how efficient and cheap it is to dire warnings from legal experts about the dangers of compliance issues related to it. Honestly, most of us don’t understand how “the cloud” differs from what we have going on right now. More importantly, most of us don’t know why we should care.
I care, mostly because I work for a hosting provider and I’m paid to care.  But beyond that, I’m a geek at heart, and while I only understand a small bit of the technology behind it, I’m fascinated by what smart people are able to do with technology. 

Wikipedia defines cloud computing as “the delivery of computing and storage capacity as a service to a heterogeneous community of end-recipients.” If you’re like me, the first thought that comes to mind after reading that is, “huh?” A better explanation comes from Campus Technology. Although it’s geared towards educational institutions, it’s a good read; their piece likens the cloud to a combination of your household utilities: you don’t know how the electricity is generated, but it’s always there when you need it. In the background, the cloud is using data to provision the right resources to the heterogeneous applications hosted on multiple servers to allow you to access your application or data quickly and efficiently. You may not understand how the email service works, but it’s always there when you need to send an email. And now, the cloud has expanded beyond traditional software as a service (SaaS) models to entire platforms and infrastructures (PaaS and IaaS respectively).

The benefit to the business is that it no longer has to carry the cost and the manpower to support the hardware, software, maintenance and other heavy lifting when it comes to applications. You can use Google Docs from any internet connection on any machine, without an individual license for each machine. Some cloud hosts can provide the hardware and server software licenses to host your email, accounting, word processing or virtually any other software. The cost savings are huge. And because the third party can host data and applications for multiple customers on the same group of machines, it’s a lot more cost effective for them. As an added benefit, competition amongst cloud hosts means that the efficiency of the machines being used to host the software and applications is always improving to provide that competitive edge. Cheaper and more efficient – what’s not to love?

And that’s where all those harbingers of horrors come in. Did you catch the part where the third party can host data and applications for multiple customers on the same group of machines? That means no more air-wall between your company’s data and that of third parties. The data can be accessed from multiple machines with the correct interface, often just a web browser. It is no longer completely contained on company-owned and thus company-controlled machines. The redundancy involved in providing cloud services is a great thing from an IT perspective as it means your data will always be available – but it also means that you can’t just hit delete and have a guarantee that it’s truly gone. And then there’s the taxing issue: if you were buying those servers and licenses, sales and use taxes are fairly clear. When turning software, platforms and infrastructure into services, it becomes a murkier issue. While most of that falls on the host, your company may be on the hook for use taxes it didn’t know it was supposed to submit.

With your IT department jumping on the cloud bandwagon and your finance team cheering at the cost savings, how do you protect your company without raining on the parade? First, as with any critical element, make sure you’re dealing with a reputable company. The cloud may be new, but hosting isn’t. You should be able to find a hosting company that has a history of providing security, efficiencies and value. Get an idea as to the level of security protocols in place. Packages of data should be firewalled and protections should be in place that prohibit other users from accessing your data. Know where the servers are located and what jurisdiction will govern the data. For example, the EU has much different data privacy laws than the USA, and where the servers are – not the host’s corporate office or your location – will govern.

Second, make sure that any sensitive data has encryption and authentication built into the application. Be practical about what your requirements are – if you’re storing customer payment data, require PCI-level security measures as a baseline. If you’re storing HR data, require authentication and account logging. Don’t require Fort Knox for archives of your publicly available website.

Finally, make sure the TOS has appropriate protections – but keep in mind, SaaS and PaaS providers aren’t likely to negotiate much, if at all. And they really shouldn't: their business model is to sell a one-size-fits-all solution for low margins to a high volume of customers. Having unique terms for even 10% of their customers will dramatically change the business model and raise the prices. If the TOS don’t match your needs, find a provider that has the terms you do need. If none do, then reassess whether the terms you are looking for are really needed for practical or academic reasons. Ask yourself if the cloud is really practical given your company's risk tolerance. For IaaS, you should be able to negotiate the majority of the terms.

It’s pretty clear that “the Cloud” is here to stay, at least until the next thing comes along. By staying on top of the privacy, security and compliance issues, you can do a lot to protect your company while taking advantage of the cost and efficiency improvements the cloud can bring.
