Public cloud services are growing steadily in popularity among CIOs despite continued skepticism from some. But, warns Consultant and Wikibon Analyst Scott Lowe in “Four Tough Cloud Lessons We Learned in 2013”, while the cloud provides substantial benefits to IT operations, recent experience shows that it also introduces some risk to operations. Lowe cites four negative real-world experiences from 2013 and the lessons they provide.

One important lesson is that when companies put their data and applications in someone else’s data center they must abide by whatever conditions the service provider imposes. In one case Lowe ran across, a Red Hat engineer using a cloud service as a development platform received a warning that he was violating terms that he was not aware of and that “if the abuse is ongoing and continued your account will simply be terminated and your server deleted.” Since he did not know what the “abuse” was, taking appropriate action was not easy.

The second lesson is the negative impact the NSA’s spying is having on American business. The continuing revelations from the documents made public by Edward Snowden, which Lowe describes as “shocking and egregious”, are having a negative impact on U.S. businesses according to warnings technology executives from some of the country’s largest companies gave to President Obama in December. Cloud business that might have gone to U.S. service providers in the past is moving overseas in the hope of keeping sensitive data private.

The sudden shutdown of Nirvanix taught another lesson, as its customers scrambled to move their workloads either to alternative service providers or back in-house on two weeks’ notice. Nirvanix “really botched the closure” and should have given its customers more warning of its precarious financial situation, Lowe writes. But the lesson is that not all startups survive, and businesses have to plan for possible shutdowns.

Finally, the several major service outages suffered by DropBox, Azure, Amazon and other providers, some of which made major headlines during the year, demonstrate that no service provider can guarantee 100% uninterrupted service long term.

Lessons learned

The lesson CIOs should learn from these events, Lowe writes, is not that the cloud should be avoided in all circumstances, but that they need to consider and mitigate the risks of using cloud services as well as the benefits, just as they do with in-house services. Among the strategies he suggests are:

• Read and understand the conditions of use statements from any public cloud service providers you use, and monitor workloads to be sure they comply.

• Spread your business across several providers so that an outage or unexpected permanent shutdown of one does not impact all your business services.

• Develop an exit strategy for all workloads put in the public cloud so that you can move them quickly to another provider if necessary.

• Keep any highly sensitive information that you do not want to share with the NSA or other government agencies in house.

• Remember that your own security staff may be your weakest security link, whether your data is in the cloud or in house, so monitor the activities of privileged employees.

• Use low-risk providers, either domestic or foreign, who have the financial stability to survive the long haul, for mission-critical services.

Finally, CIOs should remember that we live in a world full of risks. They should review their risk portfolio and mitigation strategies regularly and have a balanced plan in place to reduce the operational risks to a level that their corporate board can live with.

As with all Wikibon research, Scott’s full analysis is available without charge on the public Wikibon Web site. IT professionals are invited to register to join the Wikibon community, which allows them to comment on research and post their own questions and relevant papers.