Everyone is singing the praises of cloud computing, or at least all the vendors who are trying to sell services. Just how safe is my confidential data on the cloud anyway?
To put cloud computing business security risk in concrete terms, I will tell you the parable of the Widget Company and Cloud Computing. Has anything like this happened to you?
Once upon a time, Widget Company, a $300 million dollar global company in the plastic widget business, decides to outsource their Oracle ERP application platform to Cloud Co., a cloud vendor who provides on-demand Oracle database services. The CFO encourages the board to approve the cloud outsourcing project because it is projected to reduce support costs for their Oracle application by 20%, allowing the company to grow while avoiding an investment in a large, new and very expensive Oracle system. The board signs a two year contract for services with the agreement that the cloud vendor is responsible for paying the annual Oracle maintenance contract. Both the legal and finance departments’ review the contracts and give their blessings.
At first everything seems to be working and management is pleased with their decision. Then reality sets in. After three months, users increasingly complain server access is slow. Cloud Co. responds to the complaints by first informing Widget’s IT department that their DSL Internet connection is probably not large enough for the anticipated user load, so they upgrade to a higher speed connection that increases their network connectivity costs by 30%. When the increased bandwidth still does not fix the problem, Cloud Co responds by applying a patch recommended by Oracle. After the installation of the upgrade, Widget Company finds that one of their mission critical applications is no longer compatible with Cloud Co’s offering and several months of customer data is lost due to the problems. Oracle claims no responsibility because the application does not meet their development standards. Productivity and staff confidence in the application plummet. After the two companies’ lawyers argue for a while, Widget decides to pull out of the contract, which still has a year to completion. Cloud Co. agrees to end the contract.
Widget Company’s management and IT department breathe a sigh of relief until they realize that the data backup from Cloud Co. will take months of costly integration to re-implement on the old servers – which are fortunately still running, just in case. However, Widget incurs additional costs when they discover they need to upgrade their Oracle licenses and pay for a year of back maintenance to get critically needed support.
Six months later Cloud Co goes out of business – Widget was not the only company unhappy with their services. Eight months later, a Widget Company sales associate reports that their main competitor seems to have insider information about Widget’s customer list. After a bit of legal discovery, Widget’s management discovers that after Cloud went out of business their assets were sold to a salvage company that resold the old backup tapes to a shady operation in the Ukraine, which then sold the customer list to their competitor. At this point after spending over $500, 000 in sunk costs and with little hope of successful legal actions against the guilty parties, Widget’s management team is completely fed up, fires the CFO along with most of the IT department, and vows never to try cloud computing outsourcing ever again.