The fact that cloud computing has to fulfil some pretty strict preconditions is now understood by just about everyone: process maps, responsibilities, SLAs, KPIs and so on. The BSOA conference, held inCologne end of 2011, brought additional transparency in this respect, in particular in relation to service-oriented architectures. But one aspect of using cloud computing was not addressed: the ad-hoc use of it by users, without a strategy, without a concept and without a safety net. And the more people use cloud computing on an ad-hoc basis, the more untested services will make their way into business-critical areas!
Last BSOA conference was the sixth such event. On this occasion, it was held at SQS AG in Cologne. The close to 50 attendees discussed the importance of service-oriented architectures, including in the light of new trends such as cloud computing. One thing was clear to all those taking part:
- SOA is a terrific enabler for the cloud. Anyone whose process landscape is already service-oriented can position existing cloud services excellently in this map and assess the fit. At the same time, they can conduct risk analyses to prepare for the eventuality that the cloud service becomes unavailable.
- SOA without the cloud is conceivable, an important insight in itself. As long as the cloud relates solely to IT-enabled services, according to Gartner’s definition, SOAs are possible that can function perfectly well without the cloud, namely where the services are in part performed manually. But there’s more. A service-oriented architecture is in itself valuable, i.e. without needing to take the next outsourcing step – e.g. to the cloud.
These highly restrictive points of view, however, mostly result from a very strategic perspective which has enterprise clouding – i.e. the use by a company of certain cloud services, enterprise-wide – as its aim. In such cases, it should be clear to everyone that appropriate security policies are called for, that SLAs need to be drawn up, contractual details clarified with the supplier, business continuity plans for worst-case scenarios prepared, etc.
One extremely important conclusion was also, however, the following point: the cloud can also be used without an SOA, first and foremost as ad-hoc clouding. Everyone will be familiar with this option. Some examples:
- Company e-mail policies that are often far too restrictive occasionally lead to a majority of communications shifting to the major cloud e-mail providers (as they impose hardly any restrictions). Given that cloud services are, by definition, available via the internet, in most cases no installation is required. All that’s required is a Web browser and you can send and receive whatever attachments you like via your Google mail account. Who doesn’t want that?
- Editing documents together: How do you work on a document with other colleagues who may not be on your network? Restrictive firewall settings make commercial tools such as Jive or Sharepoint almost unusable… so why not use Google’s document cloud? Equipped with nothing more than a browser, anyone in the world can comment on my budget plans for the coming year.
- Data storage: Accepted, private data shouldn’t be placed on the company system… but people enjoy sharing their holiday pictures with colleagues. So, just post the pictures to the cloud and let all your colleagues see them from within the corporate network.
What’s the problem with such ad-hoc clouding? Just that, it’s ad-hoc, i.e. without a strategic basis, without any fallbacks, without planning. Ease of use, however, is leading to business-critical data increasingly finding its way on to the cloud via this route. So while corporate IT may be developing robust concepts, strategies and so on for the enterprise-wide use of the cloud, the central budget plans, business cases and screenshots from the latest workshop meetings are already being worked on in the cloud… untested, unprotected and without a safety net.
What can be done to counter this? Two things spring to mind:
- The ease of use and power of cloud services needs to be countered with an enterprise concept that is just as easy to use and powerful, including implementation, and that doesn’t bring with it the disadvantages of ad-hoc clouding. If there’s no option to work together on a document in line with corporate strategy, for example, Google docs is bound to penetrate even further into business-critical areas.
- Employees need to be made aware of the critical nature of some of their output, as well as trained in how the cloud works and what the organizational constraints are (which is how Google, for example, earns its money).
Without either of these measures it is going to become increasingly difficult to set up company-wide risk management that actually takes into account all the risks. For example, if risk management can’t see the risk of a cloud provider going bankrupt, the entire business could go down the drain! That’s why compliance between the enterprise strategy and the current state of affairs is so important, and which may call for a complete overhaul of the enterprise strategy.