Clouded judgement

“To err is human, but to really foul things up requires a computer.” The anonymous wit behind that bon mot was appealing directly to our inner technophobe. Mercifully, most of us have finally accepted, with varying degrees of enthusiasm, that computers can make our working lives easier and help us run our companies more efficiently. Yet the idea of Cloud computing seems to have reawakened ancient prejudices. How can taking a load of data, much of which is confidential and vital to your business, and sticking it on a ‘Cloud’ - a digital one, not those fluffy white ones that host angelic harp players - be a good idea?

It’s a good question - and one that the advocates of Cloud computing often struggle to answer without resorting to technobabble. The question seems ever more pertinent as we read, virtually on a daily basis, of yet another company that has been hacked, cyber-attacked and compromised, either by socially conscious hacktivists, cybercriminals or the digitally adroit agents of sinister foreign powers. So it might be best, at this point, to strip away the hype, myths and rumours and get back to the basics.

As John Dryden, chief technology officer for IT Lab, a dedicated IT service provider for SMEs, has pointed out in an online forum, when you get right down to it, Cloud computing isn’t that complicated or frightening. “In very simple terms, Cloud is taking a server out of your office and putting it in a data centre where someone else looks after it.” As he notes, computer technology has almost come full circle. With the old IBM mainframes, you rented computing power. Now you rent a small part of the Cloud vendor’s ‘virtual’ server capacity - typically, they will have racks and racks of servers running on a physical piece of hardware.

Dryden listed three core benefits in the order of which, in his view, they are most likely to appeal to owners of SMEs: “One: opex vs capex - you rent the server for a monthly fee, so there’s no big upfront cost. Two: supportability - a small team of experts look after the vendor’s Cloud offer, you don’t need a dedicated IT person or team with the relative skills employed in-house, you do however still need an IT services company to help you select the right solution and act as the middleman but at a much reduced cost. Three: flexibility - if you need another server you can have one in minutes, no extended procurement process and waiting two weeks for it to be delivered etc.” Dryden concluded this list with a simple analogy: “Do you build your own car or buy one from a manufacturer who has the expertise?”

Some wide-format PSPs, who rely on in-house IT teams to develop services to attract new business or embed them with clients, may argue that as they need to have an IT department anyway, why bother with Cloud? The answer is that it could enable your IT experts to focus on something that adds value to the business, making the function a potential revenue generator as opposed to just a cost that it is so tempting to trim/cut/slash when times get a little harder.

As obvious as it sounds, it is worth restating that Cloud computing will only be as good as the service provider you choose. Before making your selection, do your usual due diligence. Does anyone you know use them, and what do they think of them? What is their business really like? It would be useful to know how long they’ve been in business, how many clients they have - and would you be one of their larger or smaller customers? Do they use contractors or employees? Where are their services are located and, if you rang at 10pm with a problem, would anyone be there to help?

The most common risk when using a Cloud provider is interruption to service and outages. All Cloud-based companies experience these. Your service level agreement should ensure that you are guaranteed a certain level of uptime and, also, reimbursed for any downtime. On that subject, it is important to examine in detail how your providers bill you. The rhetoric may be about ‘pay as you go’ but if you have to give notice not to use certain server capacity the service may be more expensive - and less flexible - than you expect.

It’s also worth looking at the data that is most critical to your business and ensuring that a copy of that application should be available somewhere - possibly at your office or at another back-up location.

Mike Foreman, general manager at AVG Technologies, says of Cloud computing providers: “You don’t want to be the company’s first client - or it’s last.” If the Cloud bursts and your service provider goes bust it could prove disastrous.

As David Barker, technical director at 4D Data Centres, which provides Cloud computing services to SMEs, told the ‘Guardian’: “You are trusting a part of your business - and critical or sensitive data - to a third party, so it is important that you are comfortable with who they are and how they will protect your data. You should also consider how you ‘exit’ from the service, if you decide to move elsewhere or provide the service in-house. It can be easy to get your data into the ‘Cloud’ but getting it back out again can be more difficult. If the worst happens - and your provider goes out of business - then your data is sat on the assets of the provider, not an asset you own, and you’ll have to battle with the administrators to get the data back.”

So your contract with a provider should specify a certain window of time - weeks or months - for you to retrieve your data if the worst happens. You also need to ensure that the data is readable. One way is to insert a clause in the contract to make the vendor set up an escrow account that contains a locked, up to date version of the data software that can only be accessed by the user if the supplier declares bankruptcy.

When picking a Cloud computing supplier, it is important to assess risk in the broadest sense. As Paul Hill, a consultant with System Experts, says: “Many companies don’t have a solid process for determining how to evaluate a third party vendor for risks nor how to assess the likelihood of a breach at a third party. If a company attempts to assess the risk, the task will be delegated to someone who will concentrate on a very narrow aspect of the service provided.” To properly assess the hazards, Hill recommends using frameworks such as ISO 27002, which consider a broad range of controls, including HR practices, physical security, access controls, cryptography usage; authentication; and key management.

Yet in some ways the biggest risk is often overlooked. Cloud computing is no panacea. The key is to be clear about what you want it to do for your business and invest accordingly. As Benjamin Sims, a technology specialist at Funding Options, says: “The question really is about what you want to achieve. In technology, I’d always recommend starting by thinking about what business problems you’re trying to solve. This might be anything from ‘I need to send and receive email’ to ‘I need a complete system to run my business’.”

That risk also points to the biggest opportunity - if managers know how they want Cloud computing to help their company, they can create more time to deal with the important stuff, like winning new orders, encouraging innovation or running the business. Service providers insist that Cloud computing can help SMEs generate revenue and, although they’re hardly unbiased, they are probably right. The fact that a majority of SME owners - according to a Microsoft survey - are a bit Luddite about Cloud computing only provides a clearer opportunity for the enlightened few to outsource some tedious, processing tasks and focus on things that really matter to their business.

Put it that way, and the benefits of Cloud computing seem undeniable. After all, which managing director of a print service provider, as they handed over the keys to their office at the end of their career was seized by one overwhelming regret: “I wish I’d spent more time on IT”?