Now more than ever, companies need their employees to remain connected and productive. New, affordable cloud-based solutions enables companies to transform operations while trimming expenses and reducing the burden on IT support resources.
“An average 25-person business saves $11,556, or 82 percent, during the first year of replacing its premises-based email and messaging with a cloud-based one. This yields a two-month pay back period,” says Mike Maloney, vice president of business services at Comcast.
Smart Business spoke with Maloney about how to save money by moving your business toward cloud-based solutions.
What challenges are businesses facing with setting up and managing email and messaging?
Small and mid-sized businesses have limited IT staff and must balance their IT expenditures against other corporate priorities. Setting up and managing various pieces, including email and messaging, is expensive. Not only are the initial equipment expenses sizable, but ongoing IT support, server maintenance, licensing and software updates also add costs in future years.
How can businesses decide if the implementation costs of a cloud-based solution are worth it?
In 2009, the Yankee Group researched the real costs of email and messaging operations in a 25-employee business for one year. Its cost results found:
Licensing, maintenance, support $12,000
Licensing, maintenance, support $1,761
The upfront migration and implementation costs of the Microsoft/Comcast cloud-based platform of $2,001 still resulted in savings. Additionally, the cost savings grew to 84 percent over three years, for a total savings of $36,042.
The study assumed there were no custom-built exchange applications; no unified messaging platforms; standard email and messaging security; and a server already capable of handling on-premises email and messaging. In addition, the features and functionality were replicated in both email solutions, even though cloud-based technology typically has more applications and features.
With the help of telecommunications and computer professionals, employers can explore the cost and feature trade-offs between hosted and on-premises email. A hosted solution even can be appropriate for a small business with 10 or fewer employees that generally has no IT staff and where an on-premises email might be impractical.
What are some of the additional features found in cloud-based email and messaging?
Features that are commonly found with both on-premises and cloud email are addresses with company domains, shared calendaring, shared contacts, email storage of 2 gigabytes per year, anti-spam, anti-virus, mobile email, and email archiving and retrieval. Even with these shared features, there still are cost savings with the cloud because anti-spam and server-based anti-virus, which companies are typically paying for with their premise-based email and messaging, are included as part of the cloud.
Some additional cloud features include a collaboration solution such as Microsoft SharePoint, secure email backup and document sharing. The cloud’s secure email backup is important because many small or mid-sized companies employ tape drive based storage for this service, which comes with a fairly low level of security as tapes easily get lost, stolen or damaged.
Based on research into cloud-based email and messaging, what steps do you suggest mid-sized business IT departments take?
- Switch to cloud-based messaging and email platforms, empowering remote and mobile employees. A number of vendors, including Comcast, provide a compelling suite for businesses.
- Take the opportunity to start using cloud-based collaboration solutions. A collaboration solution, such as Windows SharePoint, can be used for sharing documents where multiple people can access a document simultaneously and incorporate a number of comments and edits. This software also is useful for sharing files that are too large to email such as those with high-quality graphics, technical diagrams or photographs.
- Budget a few IT days for training. Switching applications creates stress, so plan for training, even if these costs are only opportunity costs for your IT employees. Not all organizations will need this, but it provides a safety net for companies where the transition to cloud-based technology is more difficult.
- Develop a good change-management plan to help alleviate end-user pains. Switching from premises-based email to the cloud can be less onerous than switching vendors’ products, if you stay within the same company. Therefore, the change-management plan can be fairly simple, but make sure it includes employee outreach, reminders, training services, online guides, printed guides and contingency plans.
A hosted solution can provide a level of simplicity, reliability and functionality while offering a more professional-grade solution to emailing and messaging.
Note: The Yankee Group is a leading source of insight and counsel trusted by builders, operators and users of connectivity solutions for nearly 40 years. For more information, visit http://www.yankeegroup.com.
Mike Maloney is a Vice President of Business Services at Comcast. Reach him at email@example.com.
Insights Telecommunications is brought to you by Comcast Business Class
Cloud computing is revolutionizing information technology, and if it hasn’t yet impacted your business, it will soon, says Mike Maloney, vice president of business services at Comcast.
“Cloud computing is a new way of delivering resources, not a new technology,” says Maloney. “And the timing for cloud computing to reach critical mass couldn’t come at a better point.
In today’s belt-tightening climate, this new economic model for computing is enabling companies to accomplish more with less, and the move to cloud-based computing marks a historic point in the evolution of business.”
Smart Business spoke with Maloney about how to harness the power of the cloud for growth, profit and success.
What is cloud computing?
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. The cloud allows users to connect from anywhere at any time, making connections via a shared platform.
Until the advent of the cloud, computing tasks were not possible without the application of software on a computer. You bought a license, installed the application and then used the program. With the development of local area networks, or LANs, the client-server model of computing was born, offering an opportunity to begin sharing resources.
Today, cloud computing has leapfrogged the client server model by providing applications from a server that is accessed from a web browser.
Is use of the cloud catching on with U.S. companies?
In a June 2011 survey of U.S. companies, only about 28 percent were using cloud computing in a meaningful way. However, there’s a lot of enthusiasm for cloud capabilities.
More than 90 percent of IT executives believe that the cloud will provide some kind of business advantage to their businesses, 63 percent say they’ll realize cost savings and 29 percent say they’ll achieve increased flexibility.
How can the cloud environment impact businesses?
When it’s deployed properly, it should give a business extra value over a long period of time. It should be able to address the quick-changing needs of businesses better than traditional IT services do, and the cloud should enable business innovation. When you go to the cloud you reap the benefits of speed, agility, price, innovation, simplicity, a managed system and availability. Most of all, it’s about scalability. Whether you’re talking SaaS, DaaS, IaaS or any of the services, you can quickly scale up your activities to meet demand, add new users and cut costs.
What are the shortcomings of the cloud?
The biggest concern may be security, which includes privacy, compliance, and legal and contractual issues. To be considered protected in the cloud, your data must be properly segregated from that of another company. Data protection, then, is a requirement for any enterprise that seeks to protect the core of its business. Businesses must also address other key areas, including physical security where data are stored, and customers must be sure that they will have regular and predictable access to their data and applications.
Cloud computing can offer the enterprise or mid-sized businesses a significant business advantage, but it’s up to you to understand the opportunities and risks involved. When evaluating any cloud model, make a detailed checklist to ensure you answer all the key questions fundamental to a successful deployment and utilization. Smart customers ask tough questions before committing to any cloud vendor.
What other factors should companies consider when looking at cloud use?
For any company looking to move to the cloud, it’s important to note that you are transferring new operating risk and requirements on to your network. Upon moving to the cloud, 100 percent of your application has to travel the WAN every time users want to access it. So it’s critically important to invest in your network infrastructure to ensure you have the uptime and reliability you need.
As you conduct your evaluation of network providers you should look at four key criteria:
- Absolute speed. What is the absolute speed of the underlying transport that is available to you as more traffic from all users begins traversing the network? Traffic doesn’t necessarily grow linearly, but it will grow with your users and the number of applications you add over time. Your ability to turn up bandwidth quickly is critical.
- Network reliability. Now that you have 100 percent of your traffic traversing the network every time a customer or employee accesses the application, the reliability of your network becomes that much more important.
- Scalability. This is critical to scale up to add applications, users and sites. The network must provide immediate opportunity for growth. In this new cloud-based approach, you can easily manage capacity by adding bandwidth, and that changes the conversation with your network service provider.
- Application-specific bandwidth control. Not all applications are created equal. You must be able to deploy application-specific bandwidth controls so that you can decide where to prioritize your traffic to address load conditions, or just to ensure that those mission-critical real-time applications get the bandwidth they need.
These criteria serve as a starting point, but you should pull back the covers on any communications company to examine the network infrastructure and the core attributes in the heart of the operation.
Mike Maloney is vice president of business services at Comcast. Reach him at Michael_Maloney@cable.comcast.com.
Insights Telecommunications is brought to you by Comcast Business Class
Cloud computing is the marketing focus of many IT companies.
Ads touting the benefits of cloud computing and the “cloud readiness” of software products are visible in airports, print media and on TV, and surveys predicting the rapid adoption of cloud computing solutions appear regularly. But how do cloud computing solutions affect the production of electronic documents and information in a litigation setting?
Smart Business spoke with James P. Martin, CMA CIA CFE, managing director of Cendrowski Corporate Advisors, regarding the issues that can arise when attempting to obtain information when a party has information stored in the cloud.
What is cloud computing?
Cloud computing describes an IT model in which computing resources can be obtained and utilized on an as-needed basis; this is why cloud computing is often referred to as ‘utility computing.’ The end user is provided a turnkey solution that is supported and maintained by the service provider at a remote location.
Cloud computing is enabled by rapid, reliable Internet communications, and, in fact, ‘the cloud’ is a term referring to the pool of resources hosted on the Internet.
What are some common cloud solutions that should be considered in litigation?
Cloud computing applications include hosted email products, such as Gmail or Hotmail, picture hosting services, text message services, hosted document processing, as well as social media services such as Facebook, Myspace, or dating sites. These sites would potentially have data that could be relevant to the litigation.
How does a cloud solution affect electronic discovery?
Moving to a cloud computing solution does not remove an organization’s document retention requirements, and many cloud solutions tout their ability to help the organization meet statutory requirements. If the cloud vendor performs services to the public, access to the data stored in that solution would be subject to the restrictions of the Stored Communication Act.
It is also important to understand that this is an emerging area of law. Third-party solutions are evolving rapidly, and social media services are creating issues and carrying information that was inconceivable a few years ago. The legal system is dealing with emerging issues related to these new technologies and case law is changing rapidly.
What is the Stored Communication Act?
Data hosted by a third-party service provider may be covered by the Stored Communications Act (18 U.S.C. §§ 2701-2712 (SCA). This act was included as Title II of the Electronic Communications Privacy Act of 1986.
The SCA states that ‘a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service.’ The SCA was primarily written to protect the end user of computing services from government surveillance. In civil litigation, some courts have concluded that contents of communications cannot be disclosed to litigants even when presented with a civil subpoena.
How can a litigant obtain information subject to the SCA?
The SCA defines three categories of information; each category has different requirements to obtain the information. In litigation, the parties will tend to need access to ‘contents,’ such as email conversations and documents, which has the highest threshold. Contents generally require a subpoena with notice, a court order with notice, or search warrant.
One wrinkle is that the SCA defines a ‘court of competent jurisdiction’ as any district court of the United States, and the U.S. Court of Appeals; it is silent on whether state courts may issue orders to providers outside their districts.
Are there any exceptions to these requirements?
Yes, the SCA includes several exceptions. Importantly, contents can be produced with the permission of the subscriber. Also, contents can be released in emergency situations related to the commission of a crime, death, or serious physical injury, or if it is submitted to the National Center for Missing and Exploited Children.
Also, the SCA applies only to companies that provide the service to the public. For example, consider a consultant who is provided an email account by a company where he or she is assigned for work. Court decisions have determined that the company providing such an email account is not covered by the SCA, as it does not provide services to the public.
How are courts dealing with discovery in a civil matter?
In a recent decision, the court noted that a subscriber could grant permission for the provider to release contents and reasoned that the information held by the provider was under the control of the subscriber, and therefore had a duty to exercise this control and retrieve the content. The court allowed a subpoena to the subscriber directing it to provide permission to produce the information. Courts continue to evaluate aspects of the SCA, and case law continues to build around these issues.
Investigators attempting to access information held by a third party will need to evaluate an appropriate course of action depending on the type of information to be received, as well as the relative cooperation of the subscribing party.
JAMES P. MARTIN, CMA, CIA, CFE, is managing director for Cendrowski Corporate Advisors LLC. Reach him at (866) 717-1607 or
Insights Accounting is brought to you by Cendrowski Corporate Advisors LLC
The use of cloud computing is growing, and it seems like every company is jumping to incorporate this technology trend. However, companies should thoroughly evaluate their cloud computing needs before diving in headfirst, says Brian Rosenfelt, principal and IT consultant at Skoda Minotti Technology Partners.
“Businesses need to evaluate whether cloud computing fits into their strategic technology plan,” Rosenfelt says. “Look at your business goals and determine what you’re trying to solve. Does cloud computing fit in with those goals and help you solve a problem or make your infrastructure better? Although a lot of people are enamored with the cloud right now, it’s not appropriate for everybody.”
Smart Business spoke with Rosenfelt about what companies should know about cloud computing and how to select the perfect provider.
What is cloud computing?
Cloud computing is essentially the delivery of computing software over the Internet. However, it’s important to understand that the cloud can mean different things to different vendors and customers. For some people, the cloud is Facebook; for others, it is a full software app or email.
What should companies keep in mind when selecting a cloud provider?
The most important thing is the service-level agreement. You need to understand what the provider will offer you from a service and support perspective. For example, if your provider is hosting your email and it’s not working, can you get through to someone? It’s really important to dig deep into what level of service they will provide.
Another important thing to look at is the history of the company. Some of these providers are young companies and have only been in the business a short amount of time. Just because they’re new doesn’t mean they don’t provide good solutions, you just need to look at how they are backed and what kind of reviews are out there about their services. The last thing you want is to have them run out of money, cutting off access to your data that is housed in their data center. You should also have a clear understanding of how redundant their systems are. One of the reasons for moving to cloud computing is so your data is replicated to multiple data centers ensuring that your service won’t be interrupted.
What should a business consider when changing cloud providers?
First and foremost, you need to be able to talk to someone at the new provider who can work with you to help migrate your data. In addition, you need to have an open line of communication with both your old and new providers, as your confidential data is with your current provider. You own it and need to have control over it.
Ask the providers if there will be downtime when making the change. If so, communicate that to your staff. Also ask about a fallback plan. If the migration doesn’t work well, can you fall back to your old provider during troubleshooting?
What types of services are good candidates for cloud computing?
Typically, the best types of services for the cloud are email, file storage, backup services, and software delivered as a service. Those are some of the more commodity-type services and the type of technology services that businesses need to be highly available. Email is a critical lifeline for most businesses, and moving it from an on-premise server to a cloud provider can make it more available and reliable. File storage is similar.
How secure is data in the cloud?
In general, cloud computing is as secure as computing would be in your own office. There are still servers and firewalls. But when that computing is out in the cloud, a larger infrastructure is supported, and the larger cloud providers can be a target of security incidents. Most large cloud providers like Amazon have an in-depth set of security protocols. So what you as a business want to do is make sure your employees understand the nature of the cloud. For example, if an employee is using public WiFi on his or her laptop and accessing the cloud provider, there’s a risk the data could be intercepted. Or if employees are at a hotel using a common computer, they should log out of the website and close the browser when they’re done. It’s about using common sense and best practices when accessing the cloud. Additionally, companies should have corporate policies that address cloud access.
The last piece is to make sure your cloud provider uses encryption so when something is transmitted from a computer to the cloud service, it can’t be intercepted. Ask the provider what security means to them and how they handle it.
In general, cloud computing is secure. When you hear about servers going down, most of the time it’s because of a power outage and not a security breach. For most small businesses, cloud computing is more secure than what they would be able to do within the scope of their infrastructure.
How can a business ensure its cloud solution fits into its backup and disaster recovery plans?
Businesses need to ask where their data is and have a very clear picture of how they can get access when they need it. Their backup and disaster recovery plans should specifically address data in the cloud and illustrate how it can be retrieved.
The plan should also provide for what happens if someone is working on a file and it gets deleted. Make sure the cloud provider is able to access prior versions of files and restore them. Also take into account compliance issues, especially in industries such as financial services, in which there are special restrictions for who has access to certain files. Make sure your plan includes documentation that specifically addresses cloud computing.
Brian Rosenfelt is a principal and IT consultant at Skoda Minotti Technology Partners. Reach him at (440) 449-6800 or visit www.skodaminotti.com.
Insights Accounting & Consulting is brought to you by Skoda Minotti.
Executives are jumping on the outsourcing bandwagon as cloud service providers promise unlimited scalability, reduced expenditures for hardware and IT staff, and the ability to offload software and routine maintenance at a moment’s notice.
In fact, Gartner analysts predict that 35 percent of enterprise IT expenditures will be managed outside the IT department’s budget by 2015.
But overzealous executives eager to jump to the cloud may encounter security issues down the road, as the security practices of the cloud service provider are often unclear — up to and including where the data is stored. A survey by Symantec shows that only 27 percent of companies have set procedures to approve cloud applications that use sensitive or confidential information.
“It’s easy to deploy data and applications to the cloud, but most executives don’t have a handle on the true risks associated with those decisions. So they fail to build the proper assurances into the procurement process,” says Brian Thomas, IT advisory services partner for Weaver.
Smart Business spoke with Thomas about the risks of outsourced computing services and why companies should seek an auditor’s assurance during the procurement process.
What are the specific risks associated with the cloud and outsourced computing?
Possible issues include data integrity, confidentiality, privacy and security, system availability and reliability, and data retention and ownership. But the threat level and mitigation strategies vary depending upon the importance and sensitivity of the data being processed by the cloud service provider.
It may not matter if you can’t access your sales prospects for a few hours if your hosted CRM application goes down, but business would come to a halt if your hosted e-mail or e-commerce system crashes. Therefore, the provider’s server redundancy and service-level contract guarantees may be the most critical risks to address, where in other cases, the primary concerns may be security and privacy issues. Certainly, regulated companies need to pay particular attention to how the cloud service provider addresses their regulatory risks.
How can executives identify outsourcing risks?
When considering cloud computing project ideas, executives should ask a lot of questions. First, they must understand the nature of the cloud services being procured and the sensitive aspects of the systems being hosted or managed by the provider. After getting an understanding of the types of data and systems that will be exposed to the cloud, executives should ask ‘what if’ questions of their project teams. Such questions should be focused on general risk areas including data integrity, confidentiality, privacy and security, and system availability and reliability.
Executives should also get an understanding of their company’s exposure to risks related to data ownership and retention. Examples of questions to ask include, ‘What will happen if we lose connectivity to our cloud service provider for an extended period of time?’ And, ‘What happens if our cloud service provider is acquired by another company?’
How can executives use an outside audit to ensure the performance of service providers?
A third-party assessment by a qualified professional is the only way to know whether a cloud service provider has designed and implemented effective measures to identify and mitigate relevant risks, as self reporting is inadequate and providers may simply tell you what you want to hear.
You can save money by having your auditor review a cloud service provider’s service organization controls (SOC) report. There are three reports available under the AICPA’s standards for service providers. SOC 1 is based on the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and is best suited for companies that previously used SAS 70 for Sarbanes-Oxley or financial audit compliance. SOC 2 addresses the design and operating effectiveness of a service organization’s controls over the security, availability, processing integrity, confidentiality and privacy of a system. This may be more valuable for executives evaluating the controls a cloud service provider has in place to address risks beyond those relating to financial reporting.
SOC 3 involves the same scope as SOC 2; however, the report contains less detail and is intended for broader (marketing) audiences.
When are SOC 2 and SOC 3 appropriate?
Executives should request that their cloud service providers submit a SOC 2 report where applicable. The scope is generally best suited to address the concerns of users of cloud services. SOC 2 reports provide details of the procedures executed by the auditor to test the controls in place at the cloud service provider, and the results of those procedures.
If a cloud service provider only has a SOC 3 report available, that may be sufficient for getting comfortable while evaluating the service provider during the procurement process. However, executives responsible for the cloud services should request that the service provider submit a SOC 2 going forward to ensure that they can monitor the provider’s efforts to address any failed control activities.
Are there other certifications that can help mitigate risk when transitioning to the cloud?
If the provider cannot provide a SOC 2 report, see if they are certified as ISO 27001 compliant or if they have obtained assurance reports from a security firm addressing the ISO 27001 standard. If the provider processes, stores or transmits credit card information, it is required to meet the Payment Card Industry’s Data Security Standard (PCI DSS). Be careful when using these other forms of assurance. Their scope is generally narrower than SOC reports and may follow less rigorous quality assurance standards. However, in the proper context, they can be useful for executives attempting to get information about the activities performed at the cloud service provider.
Brian Thomas is an IT advisory services partner at Weaver. Reach him at (713) 850-8787 or firstname.lastname@example.org.
Insights Accounting is brought to you by Weaver
Service providers are touting the benefits of cloud computing, and more and more businesses are moving to the cloud. But beyond the benefits, there are also dangers, and companies should consult with an attorney to ensure that the language in the contract will protect them, says Bill Cramer, senior counsel at Dykema Gossett PLLC.
“Service providers like to emphasize the potential financial benefits by saying that inside every cloud is a silver lining,” says Cramer. “However, inside some clouds, there is golf-ball-sized hail. When you give up your computing needs to a third party, you give up control and expose yourself to potential liability.”
Smart Business spoke with Cramer about contractual issues to resolve before moving to the cloud.
What legal issues do companies need to be concerned about when moving to the cloud?
You need to protect yourself in contracts with your service provider. With your own network, you control your security. But if you move your computing needs to a third party, you lose that control.
The contract should address how the hardware is protected from both outside and inside intruders. Does it require security guards or alarms? Does it limit access, require background checks, and have entry and exit logs? How does it protect data from electronic intruders? Does it have passwords to access systems? Does it encrypt data when it is stored and transferred to and from the Internet?
The contract should require segregation of your data from other companies’ data, because you don’t want your data mingled with that of another company. And if you are subject to regulations such as HIPAA or PCI, make sure the provider is contractually obligated to meet those standards.
Further, how often does the provider update system software? If it doesn’t keep its software up to date, your information may be at risk. You should expect your information to be at least as secure off site as it is in your own building, and your contract needs to set out what the provider is doing to protect it.
How can a company address uptime requirements and remedies?
While with your own network, you don’t have control over unexpected failures, you do have control over how you respond. But once you move into the cloud, you lose that control. Specify in your contract how information is stored online: At a minimum, there should be some level of redundancy, and preferably some level of error correction such that failure of a hard drive doesn’t take your system offline.
Second, where is online information stored? Are there multiple copies at multiple locations, so if there is a catastrophic failure at one site, is there a secondary site where service will continue so you can maintain your business?
Third, if the cloud becomes inaccessible for a short period, is there any definition of ‘short period?’ A service provider may promise 99.9 percent accessibility, but over a year, that’s more than eight hours of unscheduled down time. Further, some providers don’t start counting such interruptions as down time unless the interruption lasts more than five minutes.
Fourth, does the provider make periodic backups of data and have an applicable transaction log so it can recover data if there is a software problem? Fifth, the provider should have a cluster of computers with multiple redundancies so if one is taken down for maintenance, it doesn’t affect service.
Finally, your contract should specify what level of support you can expect when there are problems.
What should the contract cover regarding liabilities to third parties?
You may become liable as a result of a breach in security, resulting in notification requirements, which can be expensive. You may be accused of patent infringement because of the provider’s services. It’s important to spell out in the contract that the provider is on the hook to indemnify you for your costs, as well as to provide for your defense if you are sued.
How should the contract address remedies?
The contract is empty unless it ultimately provides a remedy. Typically, contracts have limits of remedies, for example, if service fails, you don’t have to pay for that service. But you need to put a dollar value on what it means to your business to be offline for a minute, an hour, or a day. The provider may offer credit for down time, however, that credit has to be enough to incentivize the provider not to fail. For example, an hour of unplanned availability should result in more than an hour of credit, so that the provider has an incentive to get it right.
What if the move to the cloud fails?
You need to have a graceful retreat. Even with a competent service provider, a good internal team and a solid migration path, it still may not work as you expected. Start slowly, preferably with a pilot project that won’t cause too many headaches if it fails.
The contract needs to have a migration path to retreat, to recover data and software from the provider and bring your information back to your facility. This can be difficult if you didn’t expect it. It may take weeks to retrieve your data and software from the cloud, and during that time, how do you conduct your regular business?
To ensure all your bases are covered, look to a law firm that has experience dealing with the specifications, technology and provisions of service that can examine the contract for missing but essential terms and terms that carve out big exceptions in the provider’s obligations.
Bill Cramer is senior counsel at Dykema Gossett PLLC. Reach him at (214) 462-6418 or email@example.com.
Insights Legal Affairs is brought to you by Dykema Gossett, PLLC
Cloud computing is one of the hottest topics in business today. This technology lets companies utilize massively scaled information technology infrastructure at a remote site instead of their own data center, resulting in increased redundancy, security and significant cost savings.
“The cost of purchasing and maintaining the infrastructure internally and the salaries of people to operate the infrastructure continues to increase, while the cost of obtaining it on a larger scale from cloud service providers continues to decrease,” says Michael Dickson, CPA, CISA, CISM, CRISC, director, business technology services at GBQ Partners LLC. “The result of these two trends is an intersection of the cost models for computing.”
Smart Business spoke with Dickson about how the cloud works and how to select the right cloud service provider.
What is cloud computing?
There is much confusion about what cloud computing is, because there are so many different kinds of cloud service offerings. Cloud computing is nothing more than a new name for an old concept (time sharing).
Cloud services enable you to connect to a provider’s application (Software as a Service — SaaS), deploy, run and manage your own applications on a provider’s computing resources (Infrastructure as a Service — IaaS), or you can deploy, run and manage your own applications that were created using programming languages, databases and tools supported by the provider (Platform as a Service — PaaS). In each of these models, the provider and management have different responsibilities as it relates to owning and managing the operating and application systems.
Remotely hosted applications, like Office 365 and SalesForce.com are perfect examples of using SaaS. The applications are developed, owned and hosted on providers’ infrastructure, and users subscribe to the services they need and connect over any network (company or home network, WiFi, Cellular, etc.).
Examples of IaaS are products like Amazon’s Web services and Rackspace’s cloudfiles. Subscribers pay for the amount of computing or storage they need, relying on the provider to manage and maintain the infrastructure.
What companies are best suited to take advantage of a cloud?
A company that is looking to replace legacy software or hardware or is planning a significant expansion is in an ideal position to take advantage of cloud service offerings.
Some companies are driven to look at cloud solutions simply because they are having trouble retaining an IT staff with appropriate technical skills and/or are driven by cost reduction measures to look at the options.
What are some key items you need to understand about cloud computing?
You need to understand the benefits and risks, because they will vary for each company depending on which service type you are considering. The key is to understand your specific risk posture by assessing the application landscape, the type of data processed and understanding the unique accessibility, confidentiality, security and compliance requirements of your specific situation. This will drive the decision on what should be ‘put in the cloud.’ Moving into the cloud doesn’t have to be an all-or-nothing proposition. You can start by putting a low risk commodity application in the cloud, and keep your high-risk core business applications on site until you get more comfortable with how it works for you.
What are some keys to making cloud computing safe?
It’s safe if you choose your provider carefully and structure your agreement properly. The biggest misconception is that you don’t know what’s happening to your data when they are in the cloud. If you select the right service partner, they will have implemented the appropriate security and physical and logical access controls to prevent others from gaining access to your computing environment.
A reputable data center will have engaged an independent auditor to express an opinion on the appropriateness and effectiveness of controls put in place to ensure the availability, reliability, security and processing integrity of their data center environments. These reports used to be called SAS 70s but are now referred to as SOC (Service Organization Controls) reports.
What are the benefits and risks associated with cloud computing?
The big benefits are cost savings and increased reliability/availability resulting from economies of scale. If a business has a peak time, it can take advantage of extra processing capabilities for that peak period, but doesn’t have to maintain and own all of the computing capabilities all year round. Computing is becoming a utility. Like electricity or natural gas, you pay for what you use.
Another benefit is having access to new applications and technologies that the cloud service providers can purchase, implement and leverage over multiple customers as they update their service offerings.
For risks, the biggest concerns are related to access to data and being locked into a service provider for a multi-year term. You need to look carefully at the terms and conditions to know how your data are stored and how they might be made available back to you or to a successor provider in the event of a dispute.
People also fear they will lose control of their computing capabilities, and that can be good or bad, but it needs to be addressed. They’re fearful that if they get into a fee dispute with their provider, or become unhappy the level of service provided, the service provider holds all of their eggs in their basket. You can mitigate these risks by structuring the agreement to address users’ rights to data in the event of a dispute and by implementing solutions that provide real time back-up outside of the cloud.
Make sure your data are encrypted, access controls are strong, and you know who owns the data.
Michael Dickson, CPA, CISA, CISM, CRISC, is director, business technology services at GBQ Partners LLC. Reach him at (614) 947-5259 or firstname.lastname@example.org.
Distinguishing cloud computing reality from cloud hype can be a daunting task. Smart Business met with Christian Teeft, vice president of Engineering at Latisys, to examine some of the key assumptions, myths and drivers that decision makers face as they build their cloud IT infrastructure strategy.
Defined: cloud computing
Cloud computing is IT infrastructure that is delivered as a service, is elastic (users consume as much or as little of a service as they want at any time), is sold on-demand and is fully managed by the provider. In short, cloud computing makes it possible to increase capacity and add capabilities as needed — without the user having to invest in new infrastructure, train new personnel or license new software. Some say the cloud is ‘[anything] as a service’ (XaaS).
The problem with this definition is that it’s very broad — little surprise there is so much confusion and noise in the cloud marketplace. So let’s drill down. There’s cloud ‘Infrastructure as a Service’ (IaaS), for businesses that outsource to data center providers and prefer to spin up and down compute resources to meet variable demand — configuring compute, memory, storage and additional services — without a dedicated physical machine (e.g. online retailers with seasonal demand). There’s cloud ‘Platform as a Service’ (PaaS), for businesses that require pre-integrated application components that they can assemble to quickly create back office systems that run and are delivered via the service provider’s platform (e.g. rich Web, mobile or social media applications). There’s also cloud ‘Software as a Service’ (SaaS), which includes the delivery of a single application through the browser to an unlimited number of customers via a set of pooled hardware resources.
We focus on IaaS as we differentiate and debunk the following assumptions.
Differentiated: private cloud vs. public
In the public cloud, apps and data run on the same shared public pool of resources — available to anyone with the swipe of a credit card. This type of environment is well-suited for certain applications such as test and development, mobility and social media, as well as some e-mail, file sharing and collaboration systems.
But when security and compliance matter, when workloads and applications are mission-critical, or when hands-on expertise is needed to tailor, migrate and optimize your environment, a private cloud solution is best.
Public cloud IaaS is cheaper than private, but you get what you pay for. Your workloads, applications and data may sit on the same server or network as a hacker from China or a spammer from Russia. You also have no visibility into the hardware your environment is running on or control over the Quality of Service (QoS) you receive. Leading private cloud providers build their platform using brand name servers, blades, firewalls and load balancers that are built for multi-tenancy and provide greater security and isolation. They also create separate resource pools so customers can choose the performance level best suited to their application. With the public cloud it’s truly ‘one size fits all.’
Debunked: cloud is best for all applications
Certain applications are clear matches for the burst-ability and elasticity of IaaS cloud: file sharing, social media, testing and development, e-mail, server virtualization and SaaS. But there are many applications where the answer isn’t as clear-cut. Legacy enterprise commercial off-the-shelf (COTS) applications require significant due diligence due to the hierarchical nature of their architecture. These applications might be a good fit for the cloud, but traditional hosting may be more practical and cost-effective. It is important to carefully evaluate the costs associated with transitioning to the cloud and be realistic about what you’re trying to achieve.
Debunked: cloud is cheaper than managed hosting
While it’s true that in the cloud you pay for only what you need to use — avoiding the need to engineer your infrastructure for peak levels of activity — the additional layer of orchestration on top of a managed hosting environment is just that: an additional software component that providers deliver to users to enable self-management, faster provisioning and granular control. This means that the same configuration consuming the same amount of resources for the same period of time is going to cost more in the cloud than it would in a dedicated environment. Cost savings are realized by leveraging dedicated hosting for predictable workloads and the cloud for variable workloads. Be sure to fully understand the ongoing usage and access fees associated with the infrastructure you are deploying to avoid any surprise charges. And challenge your vendor to tailor a hybrid dedicated and cloud solution to your specific needs.
Decision time: develop a chart
There are several important questions that must be answered as you develop your cloud IaaS strategy. Do you really need to move to the cloud? If so, which applications should be moved? And should those applications be hosted in a private cloud, with more security, reliability and support? Or are your work loads better suited for a cheaper, less regulated public cloud option? What types of templates should you start with, and who on your team will be responsible for the on-demand management of these resources?
It is important to do the research required so you can answer all of these questions, and it helps to align with a service provider that offers hands-on consultative support to right-size a hybrid dedicated and virtual solution. A provider that is equipped to assess your workload history with you and talk through potential solutions, leveraging their experience in terms of business goals, configuration development and the physical migration itself is best.
Christian Teeft is vice president of engineering at Latisys. Reach him at email@example.com.
Mobile cloud computing, where applications are driven from the “cloud” and not from the handheld device itself, is becoming a vital part of the business landscape. Is your company positioned to take advantage of this emerging and potent technology? Mobile apps powered by the cloud will include productivity applications that accentuate collaboration, data sharing and multitasking. Now is the time to adopt cloud computing strategies as there will be a seismic change in how information is distributed and applied.
“A lot of companies are dipping their toes into this new environment to see how their customers react,” says Toni Paoletta, Corporate College’s IT Program Manager. “Eventually mobile devices will replace desktops.”
Smart Business spoke with Paoletta about the shift to mobile and how business owners can take advantage of the new frontier.
What are some of the driving forces behind the shift to mobile devices?
Mobility is the key word. Mobile devices allow companies to take their products and services and place them directly at their customers’ fingertips. We have seen Internet-based tools and services reformulated to work on smaller devices. For example, customer relationship management and inventory control can now be managed remotely through the use of a mobile application on a smart phone. In the past, you had to log on to an Internet browser, connect to a Web site and log in credentials to access a company’s services. Now you can have a mobile application on your smart phone that is able to access the same software, services and data instantaneously.
How big will the shift be?
The shift will be huge. Being able to control everything from the road is the wave of the future. The convenience factor of smart devices — they’re small, portable and have excellent battery life — will drive the need for customized mobile app development. The emergence of new smart phones and tablets has created a huge explosion in the mobile device market and a need for new, innovative apps that can function on these various platforms.
How does the mobility and prominence of the cloud impact the IT industry?
All IT industries will need to know how to deploy, support and maintain their company’s intellectual property that is made available through these mobile apps. Not only will companies have to support their current physical infrastructure, but they will also have to support and secure their cloud infrastructure. This will mean investing in increased storage and additional servers.
Besides infrastructure considerations, companies need to consider the deployment and sustainability of mobile devices and the applications that reside on these mobile devices. If a company develops a mobile application for its customers, it must consider platform issues, interoperability, updates and security.
How does the shift towards mobile devices affect a company’s IT personnel?
IT personnel will need to become familiar with mobile devices and understand the capabilities of those devices, how to keep these devices updated and identify how they are going to fit within the company’s current IT environment. For example, an Apple iPad utilizes wireless Internet. If you have employees accessing data with an iPad from within the office you need a wireless infrastructure within your corporation that will support that access. Other considerations are software and operating system updates. How will your company manage these operating system updates on mobile devices? Are you providing a public cloud to your customers; meaning your software and services are available through a mobile app? If so, your security infrastructure will be critical to protect other applications, data or services available within the cloud. If you use a private cloud, how will you maintain access when there is a change in human capital within your organization and the app to connect to that private cloud resides on the employees’ personal smart phones? All of these questions need to be considered.
In order to address these issues, IT professionals need to expand their current skill set and become familiar with smart devices and how to access information in new ways.
What opportunities are available for application developers?
The sky is the limit for application developers as it relates to mobile app development. I think everyone who has a smart phone today has thought of an application they would love to write, whether it is a game they think would be cool, or a business app that would provide a solution to fix a problem. For instance, our college recently launched a mobile app called ‘Tri-C Mobile’ that provides students with information about courses, events, campus news, sports schedules and even the campus directory all through their smart phone. It is vital for people to start thinking about how they can transfer their business knowledge to a mobile device so people can access that information from anywhere.
How can business owners take advantage of and plan for these developments?
They need to think about what work they wish they could do if they were stuck at home, in traffic, or waiting in a line at the airport. They need to ask themselves how they can take advantage of these smart devices — these mini-handheld computers. They need to find software developers with business knowledge that can translate into innovative mobile apps. Every day you hear about companies launching their new ‘app.’ Whether it’s American Greetings’ ‘Ecard’ app, or Benesch, Friedlander, Coplan & Aronoff and its ‘Benesch Apportunity’ app to recruit new attorneys, mobile apps are going to change the way we do business. Businesses across the globe are leveraging the cloud to bring their business to their customers via mobile apps. It’s time to say goodbye to being tethered to a box; and say ‘Hi’ to mobile computing.
Toni Paoletta is Corporate College’s IT Program Manager. Reach her at firstname.lastname@example.org or (216) 987-2962.
A growing number of businesses are using cloud computing to access resources over the Internet, store data and run applications. However, in abandoning traditional on-premise computing and data storage for a cloud-based solution, many companies fear what will happen if the remote data center housing the cloud experiences its own crash.
“As Amazon’s recent outage at its Dublin data center showed, it is possible, though unlikely, that a data center might go down,” says Indu Kodukula, executive vice president, products, and chief technology officer of Sungard Availability Services. “That is a risk that companies are able to mitigate with a managed multisite availability solution.”
Smart Business spoke with Kodukula about how managed multisite availability is changing what’s possible in the cloud, and how your business could benefit.
What is managed multisite in a cloud environment, and why is it important?
If you look at managed multisite availability, each term essentially defines what the service is. ‘Multisite’ is the next logical evolution of our cloud platform. Instead of having one, we now have multiple sites where the cloud is available. That allows the cloud to be geographically redundant.
No matter how unlikely, a cloud infrastructure that is housed in a single data center has the potential to be the victim of either natural or man-made disasters. To provide a better level of availability, a cloud provider needs to be able to keep services and customer environments up and running, even in the event of an entire site disaster.
‘Availability’ fundamentally refers to the fact that most applications can only tolerate a certain amount of downtime that is directly related to the business value of the application. Most cloud developers use the cloud to run development and test environments. To ensure high availability in a production setting, a cloud environment should be built from the ground up to run production applications and customer environments, which have a higher availability threshold than development and test environments. A multiple-site cloud environment provides availability for an application that is commensurate with what’s appropriate.
The last aspect is ‘managed.’ In contrast to many cloud service providers that essentially provide DIY service, a business should find a provider that builds the environment for information technology (IT) from day one.
Why is it important to have a cloud environment with IT capabilities?
If you are looking for a cloud environment for production that provides all the capabilities and processes expected with IT — change management, security, operations control, the ability to resolve problems and issues — those are all part of the managed services that should be provided on top of the cloud environment. That means companies can have a tremendous level of comfort and that they can trust the production environment and get the level of availability they need.
That is very different than the DIY model that many cloud developers provide, in which you could be left to fend for yourself.
Is cloud computing for everyone?
There are several points that companies typically walk through when making the decision to use the cloud. The No. 1 reason that companies want to use the cloud for their applications is to align their spending with business value. Increasingly, enterprise IT has become very capital intensive. Companies don’t know up front what business return they would receive from a capital investment in enterprise IT, but they would make the investment anyway and hope that it all works out.
Using the cloud is fundamentally different, because you only pay for the data or compute resources that you use or store, you don’t have hardware to buy or install and, in a managed environment, you don’t need internal resources to manage your IT. Here, the service provider takes responsibility for maintaining the software, servers and applications.
Therefore, companies utilizing the cloud for enterprise IT can make investments that are in line with the business value. Then, they can invest more capital into infrastructure and resources as the application supports it and as the business becomes more successful.
However, there are multiple concerns. The moment something moves outside your firewall, you don’t own it anymore. So you have to decide what to keep in house and what to move to the cloud. Others are concerned about performance and availability of data in the cloud. The multisite availability feature is most useful for applications that can tolerate only about four hours of downtime a year, need geographic redundancy, or are responsible for keeping the business up and running if you don’t want to have the internal responsibility of running the application yourself.
How can businesses get started?
The first step is to do a virtualization assessment. Then, there is the option of what processes to virtualize. Next, take the virtualized application and decide what to keep in house and what to move outside your firewall.
Look for a cloud service provider that will guide you through the process, helping you understand and decide what applications should stay in house, either because they are not ready to be virtualized or they are too tied into business, and which applications can be moved safely. The goal is to create a roadmap for moving applications to the data center.
What applications are good fits for the cloud?
If you have an application that supports your business and has such strong growth that it will need 10 times more resources next year than it does today, the elasticity the cloud offers is a great option. If the application also uses modern technology, which is easier to virtualize, that combination makes it compelling to move that application to cloud.
The business argument for moving older technology, like ERP, to the cloud is much less strong.
Indu Kodukula is executive vice president, products, and chief technology officer with SunGard Availability Services. Reach him at email@example.com.