The increasing use of cloud computing and the rapid changes in cloud options can present challenges for CFOs and other executives who will ultimately sign off on -- or reject
Executives may be confident that their IT staff has done technical due diligence in assessing cloud providers, implementation options and technical choices for the organization, but what about nontechnical considerations? While cost advantages of cloud computing may appeal to executives, nontechnical issues can influence the bottom line for delivering business services.
Pass this five-point to-do list to your chief financial officer (CFO) to guide him when assessing possible cloud computing options.
1. Understand service risks
There is no single, monolithic cloud service or model of cloud computing. Different organizations opt to purchase a wide variety of services to suit their needs, from bare bones virtual servers to business processes as a service. Each of these cloud services has its own risks that CFOs should be aware of, including problems with vendor lock-in, data accessibility and integration.
Purchasing virtual servers on an as-needed basis is low risk; it's relatively easy to switch to another public cloud provider, implement a hybrid cloud or move all operations on-premises. If developers are using a Platform as a Service (PaaS) infrastructure that includes application and database services, they will be able to assess the effort required to move development functions to another platform, which can help inform your decision. If you use a cloud service provider for a core back-office function, such as human resource management, be sure to ask the provider about integration with other cloud vendors and how to access data if you switch to another service. The more you depend on a single vendor's proprietary system, the more it could cost you in the long run if you need to switch vendors or integrate with other service providers.
2. Plan for cloud outages
Understand the risks of a cloud service outage. If you absolutely require reliable, consistent access to virtual servers, consider investing in a cloud management service that can manage your access to multiple public cloud providers. Using multiple cloud providers can mitigate data accessibility risks; if there is an outage with one cloud provider, you can switch to another.
The more you depend on a single vendor's proprietary system, the more it could cost you in the long run.
Orchestrate your cloud outage plans in advance; planning and implementing a switch during an outage is challenging and comes with a number of potential errors. For example, are copies of your machine images accessible or are they only stored with the cloud provider experiencing the outage?
Also consider the need for multiple copies of data. Moving compute jobs to another cloud can be done quickly if you have images or configuration scripts available. Moving large volumes of data is time consuming. Consider replicating data between a single cloud provider's data centers, across cloud providers or internally to your own data center.
Cloud outages can leave you without access to your applications, and that can mean lost revenues if customer-facing systems are down and lower productivity if employees' systems are unavailable.
3. Assess service-level agreements
Service-level agreements (SLAs) specify what you can expect from a service provider. Typically, they include availability commitments and compensation for downtime.
Consider the time period in which availability is assessed. A guarantee of 99.9% uptime over a month is preferable to the same availability commitment averaged over a year. In the former case, you could be down three hours a month without compensation; in the latter you could be down 36 hours over the course of a year without compensation, with no regard to whether that 36 hours is consecutive or in just one month.
An SLA is a tool for compensating you if you do not get what you pay for from a cloud provider. Pay particular attention to the requirements for submitting a claim, which can include the need for detailed application logs to demonstrate an outage. If you do not collect this data prior to the outage, you may lose your ability to collect on a claim.
4. Review compliance policies and procedures
Compliance is a prevalent concern with public cloud computing. Cloud providers are earning security and process certifications such as ISO 27001 and SSAE 16 certifications, attesting to operational controls and Payment Card Industry Data Security Standard (PCI DSS) for security controls. In a cloud deployment, these certifications may be sufficient to address your concerns about security within the cloud but they do not address security practices within your organization. You may want to concentrate on procedures for moving data and application code in and out of the cloud. Are your data transfer methods sufficiently secure for your requirements? Are your document retention policies enforced on documents stored in the cloud? Do you have a data classification scheme and associated policies defining what data is allowed in the cloud and what needs to stay on-premises?
Clearly defining your security requirements will help guide your IT staff when implementing in-house security controls. A mismatch between your requirements and the controls you have in place can leave you with security vulnerabilities or costly but unnecessary controls.
5. Estimate all cloud deployment costs
The primary responsibility of a CFO is to control a company's finances. Cloud computing can offer substantial cost savings, but compute and storage costs can easily become a drain on budgets if not managed properly.
On-demand computing instances are simple and flexible, but they are more costly than other options. Spot instances, for example, offer lower prices but fewer availability guarantees. Similarly, high-performance storage is ideal from an application performance perspective but may not be needed or worth the cost in many cases.
Options like Amazon Glacier, an archival storage service, offers low-cost storage, but retrieval time -- as its name implies -- is much slower, measured in hours instead of fractions of a second. When projecting costs, CFOs must consider alternative pricing schemes for computing and storage.
Dan Sullivan, M.Sc., is an author, systems architect and consultant with more than 20 years of IT experience. He has had engagements in advanced analytics, systems architecture, database design, enterprise security and business intelligence. He has worked in a broad range of industries, including financial services, manufacturing, pharmaceuticals, software development, government, retail and education. Dan has written extensively about topics that range from data warehousing, cloud computing and advanced analytics to security management, collaboration and text mining.
This was first published in November 2012