Trust and Liability in the Cloud Age

Shawn DeVries and Dan Arrigan

Recently, we had the opportunity to take the message of cloudsourcing to a small group of technology executives, providers, and consulting firms. This small group forum was typical of technology breakfast seminars: someone (Appirio) acting as discussion lead on a particular topic (cloudsourcing) and facilitating this discussion through real-world examples, cloud roadmaps, and eye-opening industry trends.

Appirio employees are lucky enough to act as subject matter experts and discussion leaders among their respective local colleagues in IT and business. While these peer networking events are wide-ranging, from technical user groups to business roundtables, a common thread has emerged in conversations around cloud and SaaS: as a technical leader or business executive, how can I place trust in a cloud vendor to run 100% of my IT operations, and how do we protect ourselves against liability should something fail?

This is not a new topic, and has been discussed before among IT practitioners that have much to lose in a cloud outage or failure. The difference now versus two years ago is the momentum at which companies and organizations are moving to the cloud. In other words, companies are now moving beyond single, siloed, technical SaaS solutions and to the next “tier” of cloud adoption.

The conversation amongst the 20+ practitioners at this event was lively, with some of the typical objections and concerns raised around cloud computing. But in the end, the majority of the dialogue amongst the attendees was around trust and liability.

In this new age of cloud computing, how does a company trust a solutions provider and cloud vendor with running critical business processes in the cloud?

First, let’s talk about trust, but let’s use the executive relationship between two fictional companies as a starting point. The example scenario is typical of many vendor-client relationships. For this discussion, the meeting is an executive presentation of findings discovered through an assessment of “cloud readiness” by a cloud solutions provider.

On one side of the table is the executive management team from a large financial services firm that is looking to reduce their overall IT spend, but also improve their ability to respond to changes in the marketplace in a timely fashion. The vision of the CEO is to harness the power of technology to gain competitive advantage over their rivals in the marketplace. Something she is calling “the Money Cloud”. It’s up to the CIO to make this a reality. We will call this company “ABC GloboBank”.

On the other side of the table you have a global cloud solutions provider (say, CloudUniversal) that is positioning a whole suite of solutions to address ABC’s immediate needs, and provide a flexible platform for growth in the future. An ROI study has been performed by the CloudUniversal team to help ABC justify the partnership, and this meeting is in the Q&A stage after a very polished presentation of the study and future roadmap.

Let’s say that by the beginning of this meeting, all the tough technical points have been addressed. Nothing out of the ordinary here, at least from a technical or security perspective. The CIO is happy with the responses received on his IT team’s concerns: security, reliability, redundancy, authentication, user management, maintenance, integration, transactional efficiency, and flexibility to respond to the needs of the business. No major roadblocks are present, just the grumblings around change management, user experience, writing off the previously incurred cost of messaging infrastructure, weighing this past cost versus future costs, etc.

Additionally, the legal and regulatory teams are satisfied with the tools provided by CloudUniversal for legal discovery, tracking, and exposure to legal risk. At any given time, the legal team feels that the proposed approach will allow them to audit at a transactional level through a browser-based interface that is only accessible to a limited number of users within the legal department.

This is where the trust factor kicks in.

ABC GloboBank has to look across the table at CloudUniversal and truly believe that they can trust this well-respected company with maintaining the technology heartbeat of their company.

What if CloudUniversal is acquired by a foreign entity? What if they go bankrupt? Before, if something failed in the ABC GloboBank data center they knew that they could simply head down the hall and “wring the neck” of those responsible. Now, with data replicated across multiple, secure, secretive data centers, how does ABC maintain control? Who is held liable for damages, money lost, missed deliveries, data integrity issues?

Sound familiar? It should. These are the conversations happening every day, all over the world. From medium-sized manufacturers to large multinationals, the trust and liability conversation is front and center. Technology philosophies aside, it comes down to trust. Trust in the vendors, trust in the solution providers and system integrators, trust in the support staff, trust in the reliability, security, and scalability of the multi-tenant model that is the core of cloud computing.

“Let me state, first and foremost, that I believe the cloud can and ultimately will be trusted,” Stephen Elop, President, Microsoft Business Division said in his opening remarks during an Economist sponsored debate on whether or not the cloud can be trusted. “There is little debate about whether the cloud is a great technology evolution. The benefits of increased productivity, cost savings and improved efficiency, plus the ability to support and empower a broader range of users via the cloud are clear.”

Carefully researching the benefits of cloudsourcing is a vital stage in the development of relationship between corporations such as ABC GloboBank and CloudUniversal

And there are concrete ways in which a cloud solution provider can begin to earn your trust right from the start:

• Transparency, ranging from tours of their data centers to real-time updates on performance
• Commitment to securing independent industry certifications, for instance Statement on Auditing Standards (SAS) 70 Type II Audits
• Providing complete availability of your data, anytime, anywhere
• Best efforts to ensure application portability, use of standards-based technology where possible
• Pay as you go contracts that force cloud providers to "earn" your business every year.

When you invest in the cloud, you’re not simply getting a knife that is cutting-edge technology when you initially purchased it yet dulls over time and before long is no longer useful. Cloud technology not only keeps your blade sharper than anything you’d buy on the shelf, it constantly increases its capabilities.

“Investing in and delivering this rapid innovation without invoking an upgrade tax is a change that customers welcome and is the foundation of trust in the cloud,” Marc Benioff, Chairman and CEO, salesforce.com said in his debate with Elop.

With the cloud, your single blade soon turns into a Swiss Army Knife before your eyes, without replacing hardware, without installing installing updates, without any interactions on your part. The excitement and trust around cloudsourcing absolutely grows as a company embraces it.

For more information on moving to the cloud and to get you started asking questions, read our new whitepaper on the “path to cloudsourcing”.

Five reasons why Google is more than ready for the enterprise - Blogging for Computerworld

Ryan Nichols

Now that Microsoft has finally embraced cloud computing and taken a version of its flagship Office suite online, pundits have started to question whether Google "has what it takes" to compete in the enterprise. The Microsoft marketing machine has been hard at work in this area, but I think discounting Google's focus, resources and innovation in this space is a mistake.

Now I have a vested interest in this topic - my company Appirio is one of Google's partners. It's that experience working with Google's largest enterprise implementations that gives us some amount of insight into how Google operates that I wanted to share with this community-here are 5 reasons I think Google is more than ready for the enterprise...

Read more here...

Mythbuster Monday (Part 3 of the Series): There is a Higher Risk of Lock-In with the Cloud

Narinder Singh

The next myth in our Monday Mythbuster Series is the idea that lock-in is a bigger issue in cloud computing than with alternative models like on-premise solutions, hosted solutions, etc. It’s a topic we still see often in the press and even in sales cycles. Interestingly enough, it’s one we hear much less often once we engage with our customers in actual implementation and development projects. Perhaps that’s because they realize “lock-in” (like privacy) is a relative term and a fact of life in IT. In fact, the lines between “lock-in”, standardization, commitment, and partnership are subtle ones.

“Lock-in” - whether to a vendor, a platform, a development environment or language - has been an issue for decades and used by numerous vendors as a reason why customers should or shouldn’t move to a technology. “Don’t use Microsoft technologies or you’ll be locked in!” Yet today there are more than 8 million Microsoft developers (although this is something many are trying to change). “If it’s not built using industry-standards, you’re locked in!” Maybe, but SQL is a standard and you don’t see a lot of companies regularly switching their databases. And there’s the newest one...”If you don’t control your data and apps in house, you’re locked in!” Tell that to the companies paying millions to upgrade or rip out their legacy SAP and Lotus Notes systems (which we lovingly refer to as the asbestos of software).

My point is not that you shouldn’t be concerned with lock-in. It’s to say that lock-in is not any more of an issue with the cloud than it is with traditional software. There are however, some key differences between cloud and traditional software that companies should consider.

With traditional software you have the option to run unsupported, legacy versions of old applications as long as you want at no charge. You can’t do that with SaaS. Yet with SaaS there’s a natural buffer for abuse by the vendor that you don’t get with on-premise. SaaS vendors don’t get all their money up-front, they have to continue earning your business. And if one of the large scale SaaS providers does have a major issue, there’s a tremendous market opportunity for third-parties to come in with migration tools that only need to be written once since SaaS applications have a single application version and supporting infrastructure. Compare this to the exponential problem of trying to write migration tools for multiple versions of on-premise applications and all the flavors of infrastructure they run on, and you’ll see why migration tools for cloud apps will be more commonplace in the future.

The Real Considerations Around Lock-in

While lock-in exists, there are things you can do to balance risk with the benefits of the cloud:

• Choose cloud solutions that have full, open APIs - We’ve said this before, not all cloud vendors are created equal. This is one of the reasons why Appirio has a strategic focus on a relatively small set of leading cloud providers. Platforms from Amazon, Google, salesforce.com and Workday have a broad, open set of APIs that more people in the cloud ecosystem are writing against than other market alternatives. Robust APIs create “checks and balances” because they allow for the potential of a single migration solution to be applied to an entire customer base. This helps ensure the SaaS vendors can’t hold customers hostage (e.g. Oracle and their approach).
• Plan implementations and development around the application needs - The more proprietary APIs, protocols and languages you use, the less portable your code and data will ultimately be. But often the more you leverage these proprietary services when building or deploying an application, the faster and more easily you can move to get to a better solution. Lock-in risk should be weighed against the productivity and time-to-market benefits enabled by these more tailored tools.
• Develop the right kind of code, the right way - The more code you write or customizations you make, the more it costs to maintain and the less portability you have (this holds true in both cloud and on-premise environments). Therefore code should be used to develop and extend a solution that creates unique business value. Is that enhancement you are asking for helping create value or just creating work because its trying to reflect the way you’ve done things in the past? Code is powerful when used the right way because it represents what is unique to your business, but when applied without precision it becomes an anchor. When it is necessary, using things like components and SOA help make it more pluggable and better partitioned - resulting in something that can be moved or migrated more systematically. The cloud should make this process easier.

The Future of Cloud Lock-in

As the market matures, lock-in should become even less of an issue with cloud solutions. For one, more tools will become available to make it easier to move data to or from leading cloud providers. The evolution of standards will help here, as will the growing volume of customers on these leading platforms, making it a significant market opportunity to third-party vendors (and likely, an area of investment for VCs).

As we look into a future - one where cloud solutions will play a dominant role and where the concept of lock-in won’t ever completely disappear - consider one thing: If some degree of lock-in is inevitable, isn’t it better to be locked-in on the most advanced version of the product vs. some obsolete technology that becomes unsupported all too quickly? . Being well served by a great solution and great partners is the best protection against the cost of switching because you won’t need to switch. From that perspective, it’s a lot like marriage. Should one worry more about how to best ensure they can get out of it, or focus on making sure they find the best and most compatible partner for the long run???

Learning from an audience of cloudsourcing candidates - Blogging for Computerworld

Ryan Nichols

Last week, I summarized our webinar with Mark Newhall, an expert at corporate transformation powered by cloud technology, on the topic of "the path to cloudsourcing." Joining us for that discussion was an audience of 80 IT decision makers and influencers interested in cloudsourcing. Our interaction with these cloudsourcing candidates was just as informative as our discussion with Mark.

In this post, I wanted to summarize what we learned about the leading edge of cloud adoption, and respond to some of the questions we received.

1) Cloudsourcing is getting established as a consumption model

About half of cloudsourcing candidates already have more than 25% of their IT landscape in the cloud. For this part of the market, adoption is shifting from a few edge applications to become a much more significant part of their IT landscape...

Read more here...