Cloud computing risks

Cloud computing – the hidden risks

The internet cloud is a term / symbol that IT professionals have been using for many years to describe the part of the network that is not controlled by the company, representing an unknown and unmanaged path over which data is sent and received. In general, cloud computing customers do not own the physical infrastructure (e.g. servers, storage, network and the data centre facility) that some or all of their IT services are dependent upon.

By renting usage from a third-party provider, adopters of this model can avoid expensive upfront capital investment and therefore realise the return on investment over a much shorter period. These types of cloud computing customers consume resources as a service and pay only for the resources that they use. Consumption is usually billed on a utility (e.g. water or electricity) basis with little or no upfront cost. This model of Cloud Computing is typically known as “Public Cloud Computing” and is often used by SMEs for lower risk applications or by the public. Typical examples would be hosted corporate email services and public hosted email providers such as Hotmail, Gmail or Yahoo.

Private Cloud Computing provides restricted, firewall-protected access to company applications and data for people that work within the company and for people that the company permits access to, whilst still benefiting from the advantages to be gained by using IaaS (infrastructure as a service), the Cloud Computing utility model. Why build and operate an expensive-to-run data centre environment within your own corporate real estate to house your company’s IT infrastructure when there are many service providers that have purpose-built data centre environments that are far better suited to protecting your company’s intellectual property?

Many IT Directors and CIOs have already come to realise the benefits of moving their IT server estate out of their company’s offices and consolidating their server farms using VM into data centres managed by specialist data centre / collocation service providers. The expensive data centre space can be returned to the business and the collocation running costs can be accurately budgeted many years in advance. These collocation providers usually offer a wide array of services, from completely lights-out, hands-off, fully managed applications running on the provider’s own infrastructure to secure caged space which an organisation can populate with its own hardware and software.

The Private Cloud Computing (IaaS) model allows organisations to reap the benefits of the public Cloud Computing model in a secure environment, enabling organisations to greatly enhance / extend their IT infrastructure and avoid the heavy upfront capital investment normally associated with doing so. Negotiating the contracts with these specialist data centre / collocation providers should be a very detailed exercise that looks closely not just at what the service level agreements do and don’t say but also at the provider’s ability to deliver the services.

Here lies the problem: understanding what’s involved in setting up and operating a data centre is an extremely complex task that requires in-depth mechanical and electrical knowledge as well as extensive IT expertise. Normally, an organisation’s senior IT personnel would be involved in the contract negotiation, but who on behalf of the organisation is able to ask the right M&E questions that uncover whether or not the provider is a safe pair of hands that your organisation’s intellectual assets can be trusted with?

Taking the time to thoroughly investigate the data centre provider’s ability to provide a consistent high level of service in accordance with their published SLAs will enable your organisation to make an informed decision by providing the answers to questions such as:

  • Are the maintenance procedures for the generators, UPSs and air conditioning systems documented, up to date and adhered to?
  • Are there sufficient skilled and trained resources available on site at all times to meet the objectives defined in the SLA?
  • Are there any M&E and/or IT single points of failure that could impact the services your organisation will be dependent on?
  • Is there a fully documented and implemented security policy and what standards does the policy really comply with?
  • What is the capacity of the generator fuel storage tanks and are contracts in place to replenish the fuel regardless of time of year?
  • To what level is the operation of the data centre being monitored and how are issues communicated and resolved?

The above are just a few representative examples of the types of issues that can lurk behind the text of a contract and may well prove that your chosen data centre / collocation partner is not able to provide the level of service that your organisation thought they were. Being able to claim SLA service credits for loss of service and/or consistent service level drops is little or often no compensation for the impact incurred to the business and is not a situation that any CIO or IT Director wants to find themselves in.

What’s the answer?

Riskenomics and BSCM Operational Risk have developed a Data Centre / Collocation provider Risk Management Methodology based around dependency modelling – a proven approach used within a number of high-risk, high-value companies.

Our approach involves a comprehensive risk analysis of a data centre which includes a full assessment of the engineering, processes and resources used to operate the data centre. The results of our assessment can be easily comprehended by the use of our highly visual dependency models, immediately highlighting problem areas and detecting critical interdependencies.

On completion of an assessment, our dependency modelling system, Riskenomics, enables the user to easily update and maintain the models online via a web browser, thereby enabling an organisation to keep track of all the risks and the changes that are made by their chosen data centre / collocation provider and how those changes could have a positive or negative impact on the success of their business.

Our data centre assessment methodology, coupled with Riskenomics, transposes complex business risks into dependency models that are simple to understand and maintain.