Everywhere we turn, we are bombarded with cloud services that cloud service providers (CSPs) promise will make businesses more money by reducing operating costs. If you believe the CSPs, cloud services will allow businesses to bring products to market tomorrow, cost next to nothing, be more reliable, and be a breeze to manage and scale, all without you having to worry about a thing. But does the reality match the hype?
It all depends on what line of business you are in. For some operations, it might actually help to use a cloud service to get to market quickly and at a cost that is proportional to use. In one of my previous organizations, we ran a cloud-based service that clients could subscribe to. We charged them for use of our services on a per-user, per-month basis. This allowed the clients to pay only for the number of users that utilized those services, and they did not have to buy chunks in bulk.
But when we start talking about regulated services such as health care, financial services, or anything that stores personal/private information, it immediately becomes complex. Almost every country has its own laws and regulations about what data is protected and what is not. They also require different levels of protection, not to mention access for law enforcement agencies.
For a brief description of the different types of cloud services (SaaS, PaaS, IaaS) and deployment models (Private, Public, Hybrid, etc.), read the NIST definition of Cloud Computing.
With cloud services, the biggest positive can also be the biggest negative. Since the services are usually on demand and can be instantiated anywhere in the world whenever and wherever they are needed, where the data actually resides can be a little fuzzy. The regulations of the country where the data resides may contradict the regulations of the country where the business resides. For instance, a US court recently required Microsoft, with headquarters in the US, to hand over emails that resided in a European country that protected them.
More and more countries require businesses to store certain types of information about their citizens within their own borders. While most of the major CSPs allow for regional data centers, they do not provide for country-specific locations. Having infrastructure in a large number of countries will raise the cost and negate the main advantage of cloud.
Depending on the type of cloud service (SaaS, PaaS, IaaS), the responsibilities for meeting certain requirements may fall on the cloud consumer or the CSP, or may have to be shared. Not having a clear understanding of, and agreement on, these responsibilities may result in businesses taking on a sea of pain.
Typically, the CSP will have regional data centers to host data and applications, and the cloud consumer does not have to worry about setting up data centers or servers. In the case of a SaaS model, the location of the application and the data is completely transparent to the consumer. It is very easy for an organization to get into difficulties with data residency requirements unless it knows, before going with a cloud vendor, what those requirements are, how they affect it, and how the CSP is going to provide the service.
While cloud services/applications can save costs and effort, it is very important to go in with eyes wide open.