In the first part of this series on The Case Against Cloud Computing, I noted that in speaking with a number of people involved with cloud computing, they (rather paradoxically) discussed with great vigor all the barriers to enterprises adopting cloud computing. As a result, I thought it would be useful to discuss the list of issues they (collectively) raised and offer some thoughts about them, particularly with regard to the potential for mitigation. The first of the series addressed the issue that, today at least, it is not possible to do a straight migration of a typically-architected corporate application into any of the common cloud services-they all impose their own architecture.
In this posting, I'd like to discuss the second issue raised with regard to why enterprises are/will be reluctant to embrace cloud computing:
Cloud Computing Imposes Legal, Regulatory, and Business Risk
Most companies operate under risk constraints. For example, US publicly traded companies have SOX disclosure legal requirements regarding their financial statements. Depending upon the industry a company is in, there may be industry-specific laws and regulations. In healthcare, there are HIPAA constraints regarding privacy of data. There are other, more general requirements for data handling that require ability to track changes, establish audit trails of changes, etc, particularly in litigation circumstances. In other nations, customer data must be handled very carefully due to national privacy requirements. For example, certain European nations mandate that information must be kept within the borders of the nation; it is not acceptable to store it in another location, whether paper- or data-stored.
Turning to business risk, the issues are more related to operational control and certainty of policy adherence. Some companies would be very reluctant to have their ongoing operations out of their direct control, so they may insist on running their applications on their own servers located within their own data center (this issue is not cloud-specific-it is often raised regarding SaaS as well as more general cloud computing services).
Beyond specific laws, regulations, and policies, the people I spoke with described an overall risk question that they asserted enterprises would raise: the risk associated with the cloud provider itself. Some people noted that Amazon's cloud offering isn't their core business. interestingly, however, they described Amazon's core business as "selling books." I think Amazon's business efforts are well beyond books and this response may indicate an unfamiliarity with the total range of Amazon's offerings; nevertheless, the question of Amazon's core competence and focus on computing is valid, and might even be more of an issue if the company is spread across many initiatives.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.