Virtualization, the Cloud and the Reality of Having Your Data ‘Out There’

A new era brings new risks

Thursday, November 08, 2012, by Dean Simone


Not very long ago, information technology (IT) functions existed to keep companies' computers running. Today, senior leaders increasingly rely on IT to help keep their businesses running. For the rapid evolution of the function, credit a combination of opportunity and risk: opportunity presented by the information economy, and digital threats that have emerged in that opportunity's wake.

As those threats grow and metastasize, IT functions find themselves enmeshed in an ongoing guerilla war with those who would breach their firewalls for gain or ideology. All senior executives, regardless of their functional specialties, need to regard these threats as a strategic imperative, and learn the lay of the battlefield in order to adapt and shape their response.

Dean Simone leads the risk assurance practice at PricewaterhouseCoopers.

Just as real-world risks run the gamut from natural disaster to shifts in consumer sentiment, the range of emerging IT risks is broad and growing almost daily. So where to begin? We could narrowly focus on a "threat of the day," such as the Gauss virus, which can spy on financial transactions, email and social networking, and may also be capable of attacking critical infrastructure. Or we could go wide and focus on the potential for a nation-state to launch cyber attacks and steal critical information.

In the first case, we'd quickly bury ourselves in technical detail; in the second, we could risk becoming consumed in abstract speculation. Neither would be especially helpful in focusing on what's important and actionable for executives in today's quickly evolving IT environment.

What we need instead is to examine broader concepts that underlie the risks and provide opportunity, for good and ill, within that environment. For early 21st century IT, examining these concepts leads us inevitably to virtualization.

Virtualization is the new reality. It's a game-changer with the potential to transform many aspects of business as we know it: decoupling employees from the traditional office, decoupling products from brick-and-mortar stores, decoupling customer service centers from the constraints of geography, and, in some cases, decoupling capital budgets from the cost of maintaining physical data centers.

By breaking traditional bonds and unleashing potential energies, virtualization creates a much larger whole than we could ever have imagined before. Moreover, it also presents a challenge for business leaders, who must reach beyond traditional assumptions, patterns and behaviors to find new ways of doing business and managing risk.

The Cloud

As challenges to traditional business patterns go, cloud-based computing (a.k.a. cloud computing or simply "the cloud") is a whopper. It's one of the two or three "big ideas" in IT today, and like any other big idea, it presents both massive opportunity and massive threat.

The cloud is the Great Decoupler, both the embodiment of virtualization and an enabler of even more virtualization. Its promise is simple: You can get what you want, when you want it, at a low cost. Your information -- and nearly infinite possibilities for examining, exploiting and expanding upon that information -- lives in a virtual environment accessible by your people virtually anytime and anywhere, from any computer, smartphone or other Internet-connected device, almost anyplace on Earth.

Clouds come in three varieties: public, private and hybrid. In public clouds, your data is hosted by a third-party service provider whose computing resources are shared by other organizations, and you are billed on a pay-as-you-go basis. In the private cloud model (used especially by regulated industries, such as health care), a company runs its own cloud and spins up its own applications. In the hybrid model, companies utilize both public and private data environments. Within all three platforms, a shared pool of infrastructures, services and information lives on the Internet, can be accessed on demand, and can be configured or scaled based on need.

The various permutations of combining platform, infrastructure, and application services are immense, offering unprecedented opportunities for flexibility, economy, and optimization. Using a shared, cloud-based model, companies can simultaneously expand their access to enhanced IT services and reduce their capital expenditures -- because you're essentially renting services and computing space rather than having to build and maintain them yourself.

Cost-wise, this can have a huge impact, not only on IT capital expenditures (e.g., upgrading hardware) but also in data center facilities management, where, in some locations, just the energy cost of running servers and environmental systems can exceed $100,000 per month. The cloud also lets you reduce the human resource costs of recruiting, paying and retaining highly skilled IT assets. The cloud model also gives you the flexibility to increase IT spend at certain times in a business cycle to have "just in time" IT when you need it, and then reduce it when you're done.

The cloud has already changed business, and will only continue to do so. A recent report by Harvard Business Review Analytic Services and Microsoft notes that 85% of surveyed business leaders expected their companies to make moderate to heavy use of cloud services over the next three years. (Harvard Business Review Analytic Services and Microsoft, How the Cloud Looks from the Top: Achieving Competitive Advantage in the Age of Cloud Computing, 2011.) Simultaneously, those business leaders expressed significant concerns about potential risks of cloud usage, with nearly a third saying explicitly that the risks outweigh the benefits. Among their top concerns: legal/compliance issues, business continuity, vendor lock-in and data security.

Regulatory and Business Continuity Challenges

On the regulatory front, American and European standards are developing along separate tracks, so multinational companies may find their operations are answering to two record-keeping, policy and compliance environments -- an issue that creates challenges when developing a coordinated cloud strategy across business units in different geographic locations and regulatory jurisdictions.

On the reliability/business continuity front, the burning question is what to do in the event of a cloud outage. Failure can take place anywhere in the cloud, whether it be in an application, infrastructure or platform. And when the cloud fails, you will see routine applications grind to a halt. Highly complex networks, like clouds, can and do fall prey to "non-linear effects" -- complexity-speak for a seemingly inconsequential and remote incident causing havoc totally out of proportion to its apparent capabilities or characteristics: e.g., the tree branch that falls onto a power line and causes a massive blackout. The potential for such effects raises some fundamental questions.

How will your business survive if your IT is taken off-line for a couple of days? A better question might be, what do you do when you lose service? What's your plan to either quickly restore operations or to operate at a reduced (less than full-service) capability level for an extended period, and what are your existential applications and must-have data?

The classic "five 9s of reliability" or 99.999% is probably not going to happen in any cloud, so you'll need to plan for the possibility of catastrophic failure. Ask yourself, how much slack will you need? Where will you put it? How will your vendors react to your concerns and your assessment of risk?
