If you watch TV, read the news or plug in to almost any form of media lately, you’ve likely heard about the coming of the "cloud." Far from a harbinger of doom, cloud computing is supposed to be the next step in the evolution of information technology — and it will reach your company soon (if it hasn’t already).

Your IT organization is probably already considering how the cloud computing model can be leveraged for your company. This article will provide you with the tools you need to understand cloud computing basics and the risks that come with it.

What is Cloud Computing?

It depends on whom you ask, but cloud computing is basically a distributed, on-demand model of IT. A good way to think about cloud computing is how it differs from a more traditional IT model. Your company probably maintains (or has outsourced) servers that store data and distribute it throughout the company on one or more managed networks. You (or your service provider) have diagrams showing exactly where your technology sits in the world, where it intersects with other people’s IT and with the Internet at large, and where your data is stored. And you have probably sunk a considerable amount of capital into establishing and maintaining this IT.

Cloud computing flips this traditional model on its head. The "cloud" is a clever way of referring to an IT infrastructure that is more nebulous (pun intended) to the person who pays for it. It is often based on virtualized and distributed technologies, with shared and abstracted resources and automated self-management functions. In other words, you don’t know where those servers are, where the data sits, or how it is all connected behind the curtain — you just log in and use the service.

There is a considerable upside to the cloud. Scalability and flexibility are built into the model. There is little, if any, capital expenditure to make up-front, and you can buy as little or as much of the service as you need. Pricing is simple and linear. Because the cloud often relies on the Internet and not a dedicated network for connecting its far-flung servers, the cloud can be accessed from anywhere, at any time.

This description of cloud computing is a broad generalization, of course. There are a number of variations of cloud computing that run the spectrum from "public" models (i.e., sharing of infrastructure with the general public) to "private" models (i.e., dedicated infrastructure) of the cloud, complete with hybrids, shared private clouds, and other in-between models as alternatives. The risks of the cloud are more or less a function of the degree to which the infrastructure remains abstracted and shared.

What’s the Catch?

This brings us to the crux of the issue — namely, is cloud computing right for your company, and if so, what kind of cloud are we talking about? For starters, taking the following factors into consideration will send this dialogue in the right direction.

  • Location of the data: Knowing where your data resides and is transmitted will be critical to managing compliance with privacy laws, your internal policies and regulatory requirements specific to your company, especially if it is being disseminated into countries whose governments may intercept it (whether legally or not).
  • Service quality and reliability: As the recent Amazon debacle taught us, the cloud has some kinks to work out when it comes to ensuring the availability of IT services to users. If you can’t see what’s under the hood, you won’t be able to fix it. And that’s not a good place to be for a mission-critical function of your company.
  • Security: Your company’s most sensitive information — customer data, financial data, trade secrets, strategic plans, to name a few categories — should be protected from hackers, malware, rogue employees and the like, which means a cloud solution needs to be as secure as a dedicated IT environment. Without meaningful details about the security controls your cloud provider uses, it is difficult to draw this conclusion with any confidence.
  • Document retention: Using the Internet to store documents could make it tricky to comply with your company’s retention and destruction policies — after all, is anything on the Internet ever really destroyed?
  • Contracting with a cloud: A typical cloud computing contract looks a lot more like the terms of use you might see from an online e-mail service intended for individual use: disclaimers galore, no liability for the provider, and all the risk on the user. This is probably because the most commonly used cloud applications are services like online e-mail and social networking sites. Such terms won’t cut it for a business that is concerned about any of the risks described above. That business needs meaningful rights and remedies, service level guarantees and audit rights, to name but a few of the contractual levers found in a suitable IT services agreement.

Forecast Is Partly Cloudy but Clearing Expected

The outlook for cloud computing in the corporate world remains somewhat unclear. The question is how to manage the risks of the cloud model for your company while still harnessing the benefits of the model. If you need to be able to lift the veil and define the IT infrastructure in order to comply with privacy laws, ensure service quality and protect your company's crown jewels, will that ultimately undermine the value proposition of the cloud?

Only further dialogue and deal-making between cloud providers and sophisticated businesses will answer this question. In the meantime, don't stray from the solid fundamentals of IT procurement, and use the process to move the cloud along the maturity curve.

  • Do your due diligence: Get to know your cloud provider. Look at its financials, consider its reputation in the industry, and seek referrals from trustworthy sources.
  • It’s all about the contract: Insist on suitable confidentiality, security and privacy undertakings by the cloud provider; rights to perform IT and security audits that are commensurate with the risk profile of the service being provided; reasonable limits of liability that make the provider financially accountable to you; and meaningful remedies for service failures. (A lawyer could go on ad infinitum here, but you get the idea.)
  • Competition, competition, competition: Use a competitive process to select your cloud provider, and you are more likely to get a solution and contractual terms that match your needs.
  • Outside the box: Where there’s risk, there’s opportunity. Ask your cloud provider to be creative to help solve your risk puzzle. Your company is part of a definable industry, and other companies in your position have similar concerns and are looking to harness the cloud. Consider models other than a pure "public" or "private" cloud that serve a community of customers.

Tempered with discipline and focus on where the cloud can help you most, a move to cloud computing can bring considerable benefits to your company.