Asserting Control over the Cloud

Cloud applications and infrastructure are becoming ubiquitous. There are cloud applications (SaaS), cloud software stacks (PaaS), and cloud infrastructure (IaaS) options including storage and compute resources. The advantages of cloud computing are well known including easy of deployment, turning CAPEX into OPEX, flexible and elastic resources, convenience, and the ability to focus on business value over technical problem solving. The disadvantages are also widely known. Usually, IT (and analysts) will talk about problems such as security, availability, or business continuity. These are all important but are basically proxies for the “big problem” – lack of control.

Control is an essential component of responsibility. If someone is responsible for something, whether it’s to insure privacy, smooth operations, protection of company digital assets, or driving business value, they need to be able to control their environment. In many cultures, especially western culture, it is considered inherently unfair to make someone accountable for something controlled by someone else. This sets up the single biggest objection IT has to cloud computing; they are still responsible for what happens in the IT environment even when there is a third party cloud provider actually delivering the infrastructure, stack, or application.

Everyone has to give up control sometimes and usually it doesn’t end in disaster. That’s because many IT issues are a matter of annoyance or inconvenience. It’s the difference between not having access to information right now and having it go away altogether. Asserting control over minor issues with no real risk is petty and counterproductive. Lack of control becomes a big problem, however,
when mission critical applications, the kind of applications that help run the company, are involved. When the business requires high levels of security such as exists for some information in financial services, legal services, and healthcare, then cloud problems become big problems.

There are three typical ways to assert control over the cloud computing environment. First, is to harden the cloud environment or, more accurately, get the cloud vendor to do so. This gives the illusion that all is correct. The sense of control is derived from having done the due diligence. The second strategy is to avoid cloud vendors entirely. That’s also not a great option. To forego the benefits of cloud technology, instead of figuring out how to leverage it responsibly, is not using technology to the best advantage.

Many companies will elect to have some applications on-premises and some in the cloud. Splitting up applications like this solves many of the big problems but creates a number of other ones. For example, critical information is now parceled out between the cloud and on-premises application. In addition, a lot of information is trapped on-premises that doesn’t need to be; often not all data in the same application needs to be that secure even while some does. Companies then end up with information bubbles – batches of information needlessly rendered inaccessible to mobile devices because other information needs to be managed that way.

So how does a company assert control while getting maximum benefits from the cloud? By deploying hybrid solutions. A hybrid solution has a cloud component and an on-premises solution. Hybrid solutions are not one application in the cloud and another on-premises. It’s the same application where the data is partitioned between the on-premises and cloud instances. Common information that has no serious security aspect (such as state tables) is synchronized or shared between the two. Only the information that that must be kept in the physical control of IT is kept on-site. To the average end-user, the application looks and behaves the same even on mobile device except that some data is not. This doesn’t have to be an end-user application either. It could be a virtual file share or even a database.

This approach strikes a balance between keeping certain types of information under tight control and the accessibility and other advantages of cloud services. It solves the big problem without creating too many little ones. There is a catch though. Not all that many applications, stacks, or infrastructure can be made into hybrids. Either it exists in one place but not the other – cloud or on-premises – or the instances of each are incapable of synchronizing information between them. The few there are, however, point the way to the future where on-premises and cloud applications will only differ by who manages them.