Cloud computing and personal mobile devices are the key disruptive technologies behind the mobile, social-media-aware, always-on, real-time society that is developing. However, cloud computing is not yet an established service environment; many facets have not stabilized and present significant risk and hidden or unknown costs. Often, return-on-investment assessments of cloud-based services do not factor in these risks and costs, and vendors are reluctant to promote awareness of these issues.
In addition, cloud computing suppliers promote their services as providing a high-performance, service-rich environment that can bring agile IT services to the enterprise at reduced cost. Organizations assessing cloud computing opportunities are often caught up in the excitement of new technology and ignore the full spectrum of issues. They typically move to cloud computing because of business cases that are incomplete and that ignore the true total cost of the outsourcing service. These assessments inevitably ignore the many potential risks that accompany cloud computing use. Some of these risks are as follows:
Significant information security risks
There is growing uncertainty about the storage of PII data on servers affected by foreign legislation. Canadian legislators and the public are becoming increasingly sensitive to foreign data storage issues, yet U.S. owned cloud vendors express frustration in supporting our national interests.
Despite vendor claims, cloud solutions such as the Desire2Learn learning management system do have major failures, and these failures have resulted in significant teaching issues for several Canadian universities.
In many cases, cloud vendors have refused to accept contractual liability for loss of data required by Canadian Freedom of Information legislation.
Ephemeral service offerings
Cloud vendors will shut down their service if it is not profitable. There is no clear legal recourse to recovering your data and services in these circumstances.
In an emerging environment, acquisition of smaller companies by larger companies is common. For example, SFU currently uses FluidSurveys for research and other surveys. Since many of our surveys include PII data, the University specifically selected this product because it was owned and operated by a Canadian company. Recently, the company was purchased by a foreign organization. What happens to our data now?
When depending on externally provided services, we need to carefully plan exit strategies. What will happen to our data if we no longer subscribe to the service? For example, any data stored in a different jurisdiction could potentially become the property of that jurisdiction and they could be entitled to keep it forever. Texas is an example where this occurs. We need to negotiate full repatriation and deletion clauses for all of our data and address who pays for repatriation and deletion of the data.
Lack of an established legal framework
Costly legal fees are required to establish the provision, operation, succession, and retirement of cloud services. Complex and sometimes expensive contract negotiations have delayed the implementation of certain cloud services in many Canadian universities.
In addition, there is an opinion that the control of one’s PII is a human right. This argument has not been tested in Canadian courts but legal scholars are growing more convinced that this opinion will have to undergo judicial review.
Outsourcing of IT work is a traditional area of concern for staff unions, and they have already shown interest in bringing their concerns into the collective bargaining process at other universities. At other Canadian institutions, faculty associations have also brought concerns about the protection of private data in cloud computing to negotiations. In our assessment of any cloud solution, we must be cognizant of any potential labour issues.
Protection of intellectual property in the cloud is hampered by widely disparate legislation in countries where cloud vendors host systems. Research that is deemed acceptable in Canada is not always considered acceptable in other jurisdictions. Information hosted in other countries could, indirectly, place researchers at personal risk outside Canada’s borders.
Network performance across the Internet is outside the control of the University. Any cloud computing business case must consider what happens if Internet connectivity is degraded or lost entirely. Furthermore, increased Internet bandwidth is required to support the larger data transfers required by strategic cloud services, and the associated costs may be significant.
Despite claims of superior security capabilities by vendors, their assertions cannot be applied to the network connectivity between the University and Internet service providers, leaving a weak link in the cloud security model.
Future service cost concerns
Outsourcing services to the cloud is much easier than repatriating these services back in-house. Currently, cloud service providers are offering attractive financial incentives for organizations to move their IT services to the cloud—in some cases services are offered free of charge. Once IT services have been migrated to the cloud, organizations will be in a relatively weak negotiation position should service providers decide to increase the cost of their services.
Operating versus capital budget focus
A factor often overlooked is that external cloud computing services will move the University’s cost base from a capital-intensive position to one that is heavily based on operational costs. This significant change requires assessment from a funding perspective, including its potential impact on the financial structure of the institution. Although most private sector businesses welcome a move to operational expenditures, much of the University’s funding for information systems is capital based. Outsourcing information systems services to cloud computing services will demand a shift from capital budget to operating budget funding.
These risks, like cloud computing itself, are still evolving and maturing. Adopting externally-based cloud computing requires careful consideration of these risks, weighed along with the true total cost of ownership of the solution.
Once all these costs and risks are assessed, an exit strategy must be developed. The reality of cloud computing is that any outsourcing decision needs to be revisited regularly just as any other information systems decision needs to be revisited as the business needs change. There needs to be a clear exit strategy if the cloud service no longer meets the business needs, environmental factors (e.g. laws) change, the service is acquired by a foreign company, or the cloud service provider goes out of business. The costs associated with implementation of a back-out strategy might also be significant.