Other people's computers you have no control over.
Migrating to an outsourced IT service including cloud is a great opportunity to outsource responsibility for IT and employees while simultaneously increasing efficiency and decreasing cost. At least, that’s the theory. The reality can be a lot more sobering. The SSP outage should serve as a reminder that while cloud can be …
Other people's computers you have no control over.
Indeed. But for a rare change, the name says it all without misrepresentation. Whether meteorological or IT-ological, clouds are shady, nebulous, fluffy, insubstantial, opaque and temporary.
But for some reason, company IT bosses fail to explain that to the board: "Yes, we're going to adopt a new IT delivery model, that means we stop doing difficult stuff, and Shady Enterprise Services Inc will take one or more of our business critical processes, and temporarily provide an insubstantial service for that, with opaque terms, fluffy pricing, and a nebulous commitment to reliability. We see this as a win-win."
> you get what you pay for.
Oh, if only...
Many EULA clauses would simply be void under UK law, if they were for consumers, of course. But the bottom line is that the only way cloud can be cost effective is for cloud providers to have economies of scale, which means, implicitly, that they are too big to argue - or even negotiate - with. Though not too big to fail, as so many news reports have shown.
I keep hearing about all this 'cloud computing' and that all the trendy IT shops are using it. I like to think that my IT shop is just as trendy as the next so I want in. Now I have neither the time nor the attention span to read through pages and pages of Ts&Cs or whatever you call them. The cloud computing PR guy said there will be a huge savings which subsequently leads to a higher bonus for me. Win win!!
Where do I sign?
Good question. The insurance might not cover loss of data or, if it does, it may require the customer to ensure it has suitable protections from its outsourced provider.
That means the customer could get into trouble from its own customers, get a fine from a regulator, suffer loss of business & reputation but not be able to claim under insurance or against the provider.
Shhhhh, you're not supposed to talk about that.
As pointed out, you are signing up to a service which in many cases explicitly excludes any promise regarding security - and are then putting information on it which you have a legal requirement to keep secure. There is a fundamental disjoint there - unless there are specific (and plausible) security measures/guarantees in place on the part of your cloud provider, then it would be unlawful to use the cloud for anything subject to any of our (UK & EU) privacy laws.
For some reason, comments I've made to the manglement on this haven't gone anywhere.
As an aside, Microsoft allow you to specify where your data will be held - so for example we (as a UK business) can explicitly keep our data in the EU. There is a flaw in this though which still hasn't been properly explored ...
ALL this MS cloudy stuff uses a single signon system, and that means that the keys to the kingdom are not kept in the EU. When they had a global TITSUP event with Office 365, it became clear that the problem was in fact down to some of the sign-in servers being down, and they were (according to comments) located in the USA.
Now MS fought the US government over the access to emails held in Ireland case because it makes good PR for them. I can't help thinking it was PR, because with the way things are set up, I fail to see how the US parts of the system can be thought to be immune from a US TLA rocking up with a "give us access" letter - ie "we don't care where the data is stored, just log us into the user's account".
We have been given 12 months to remove a firm of solicitors on three sites from the cloud back to their own replicating servers in each site as the insurers will no longer cover data loss, breaches of security and business interruption if they remain on the cloud. We have started this and we have had a massive improvement in fibre performance and we are saving them a fortune with MS & Linux boxes.
The UK gov is pushing the Cyber Essentials Plus standard on all companies that provide goods or services to UK gov (including MoD, etc). One of the interesting things about this standard is that you have to certify all networks that you use, and ensure that any cloud providers that you use are also certified (or have an equivalent overseas standard). This could be a major problem since most cloud providers do not seem to be certified to anything; means that any company wishing to do business with the UK gov had better avoid cloudy solutions and keep the IT in-house.
> since most cloud providers do not seem to be certified to anything;
But not all. Eg. https://www.microsoft.com/en-us/trustcenter/Compliance/default.aspx
Includes one for UK.GOV (towards the bottom).
[This is no way a suggestion that Azure is "secure" (whatever that means), just that there is at least one provider that is getting certified.]
Usually run by beancounters and well meaning twits.....
I once worked for a company that had a perfectly acceptable M$ ecosystem in house....
Perfectly sane sysadmins and "it just worked" (TM).......
However, we were then bought by some cheapskate, didn't like spending money on things like internal IT - he treats his entire company as if it's all coming from his back pocket...but he is Italian so, it has to look nice....
He decided to outsource everything to google.... but for 10,000 people worldwide, it just doesn't work.
Google Apps is fantastic for consumers, great for small companies but just doesn't work for medium-large corporates, couple this with the remnants of the IT folks not understanding anything about stuff other than Microsoft and having to use some unsupported tool that would connect to google to download messages into a pseudo mailbox on localhost so that Outlook would still work (slowly - the default setting was to poll google every 4 or so minutes for new email, and the same setting to poll the local app for new mail - meant that it could take up to 8 minutes to get an email sent across the office).
The CTO who thought he knew something about things post 1995 (which he doesn't) decided he didn't like those of us who couldn't stand the crappiness of this setup and used SSL IMAP with Thunderbird/Lightning instead of Outlook and shut that solution down "because it was insecure" (eh; webmail....hello....)
So, outsourcing.....cheap, doesn't work, loses productivity.....cuts morale....generally pretty crap....
Unless of course, you are a very small and new company testing the waters of whether you are viable or not and need something more than a one-man band IT department.
Ahh cloud computing...
An expensive resource that you have no real control over located on the far end of a network connection that you have no real control over, and if anything does go wrong on the cloudy system at the end of the unreliable link the best you can hope for is a partial credit of your monthly service charge...
What's not to like about that?
And that "somewhere" determines what your legal rights are and how difficult it will be to honor any legal obligations you have for data protection.
And if that's the USA they seem to be basically f**k all. THE PATRIOT Act is still in force.
Assuming you're a competent IT Manager/FD who wants to do this because you actually believe it's a good idea let me suggest a couple of things.
Benchmark the T&C's. Let me suggest the bigger they are the more weaseling they are going to do.
How does their backup and restore policy compare to your current process? You do have a tested backup and restore process, don't you?
Start backwards. Plan the ETL from your selected cloud in the event of a massive failure of either their hardware or their business.
Fair question. I wrote about this for Databarracks a couple of years ago. Search for "The Real Challenges and Benefits of Cloud Computing to Law Firms" and then did a "One Year On" follow up. The solicitors regulatory body has a paper on cloud too.
...as you said, maybe one for another article.
Few of us generate our own electricity or bake our own bread. Maybe we'll see the same with IT infrastructure. It sure is tempting.
But we do need some regulations here, just like with bread and electricity. If you sell poisoned bread, you don't get away with giving us another loaf for free. If your electricity blows up my home theater, you don't get away with giving us a few kWh for free.
So why can you delete all my data by accident and get away with it?