It’s only a small question, but the answer is ‘big’ in every sense of the word, as FSN writer Lesley Meall discovers.
April is the cruellest month, according to the poet T S Elliot. But other months can also be less than kind, as Microsoft and many of its customers discovered recently, when the uncommonness of the 29 February led to a leap year bug that affected security certificates for the Windows Azure cloud computing service. As is often the case, in chains of dependency, one thing led to another: there was an extended outage (as much as 8 hours for some users) and the service availability dashboard collapsed under the weight of related enquiries. Microsoft (MS) has taken all of this on its sizeable chin, apologising for the inconvenience, acknowledging that it should have made better use of social media to communicate during the outage, and offering customers a service credit.
But the unavailability of this or any other cloud-based service prompts some scary questions about the potential consequences of their failure, and the apparent lack of due diligence and governance amongst many users of cloud services. FSN has previously considered some of the shortcomings in service providers boilerplate contracts – and their tendency to be weighted so heavily in favour of the service provider that they are as good as useless to a business that has lost access to a mission-critical service for any length of time – and you can read about this here. But the temporary loss of cloud-based services is just the tip of a potentially huge iceberg. What would happen if Windows Azure or any other cloud-based service were to disappear and never reappear?
Users of MS Office Live Small Business (OLSB) email and web hosting and users of the cloud sync backup services for HTC smartphones wont have to wait long to find out, as both of these services will cease to exist come the end of April. HTC is advising its smartphone users to download their contacts, messages, location footprints and call history data as a .zip file, and then find an alternative backup service. OLSB users can choose between migration to another third party service provider or use of (the six months free access being offered to) MS Office 365 – though if they want to use the latter, users will need to manually copy photos, text, and other content to their new websites and update the DNS records, or pay a non-MS provider to automate this process.
None of this sounds ideal, does it; even if you are not about to lose a service you have come to rely on. At least these shutdowns come with some warning – a year or so from MS and a month or so from HTC – and you will probably have advance notice if a service is going to lapse as the result of an acquisition. But in a worst-case scenario, a cloud service could simply evaporate with no notice period whatsoever. After all, the cloud is awash with start-ups based on little more than a good idea and the services of other cloud service providers. As Jay Heiser, a vice president and researcher with the analyst Gartner observes: ‘There are parallels between the run-up to the financial services meltdown, and the willingness of cloud buyers to accept complex but non-transparent offerings,’ (on which more, later).
So what can businesses do to mitigate against the risk that the service they rely on may one day disappear – forever? Well, this depends, because the cloud is made up of various service models and delivery models (and the National Institute of Standards and Technology of the US Department of Commerce outlines all of these here), and a host of factors impact on the risk that a service (or a provider) will evaporate, and on the implications of this. But you can learn a lot about the challenges you might face if you were to lose a (community, public, private or hybrid) cloud-based service (whether it offers infrastructure, a development platform or software application) by focussing on some of the challenges associated with a change of service provider.
Cloud service providers may have done a great deal to make it easier for individuals and organisations to get ‘on-demand’ access all sorts of IT resources. But so far, they have done significantly less to make it easier for those users to move between different service providers, or even services from the same provider – as some soon-to-be ex-OLSB users could testify. Cloud computing does not yet deliver the utility model its ‘on-demand’ nature hints at. As Neelie Kroes, the vice president of the European Commission who is responsible for the Digital Agenda for Europe says: ‘To offer a true utility in a truly competitive digital single market, users must be able to change their cloud provider easily,’ and at the moment, there are a number of factors that can make it difficult to change providers.
These range from the contractual costs that a user can incur if they want to terminate a service contract (which is unlikely to be an issue if the service provider ceases operating a service), to the very many questions relating to the ownership, format, and availability of data stored and accessed via public cloud services (which are all highly likely to create issues if the service provider ceases operating a service, or ceases operating as a business). For example, if you have built cloud services using cloud platforms, and these use proprietary architectures and interfaces, this will make migration especially difficult, and a similar lock-in problems can arise if you have been using cloud-based software applications that store the associated data in proprietary formats. Then there is the software itself.
Encryption, co-location, data replication and backup are all very well, but what use are they if you can no longer access the software you need to work with your data? This is one of the areas where the cloud does not compare well alongside more traditional resource delivery and data storage models. If you are using traditional shrink-wrapped software and a product or a provider disappears then you can at least continue to run your existing version. Even software linked to discontinued hardware can be kept on the go with judicious maintenance and the support of spare parts suppliers, or the use of emulation technology (witness the thriving ecosystem surrounding the IBM AS/400 server). But the unexpected loss of a cloud service provider could also mean the unexpected loss of its software and any associated data.
Having a trusted third party provider hold the software source code ‘in escrow’ is one possible route to a sense of security. But how many small business users have the knowledge and resources to take a proprietary software application and set it up on their own intranet, or arrange for a third party provider to host and maintain it? Exploiting the online data dictionaries and other information that some SaaS vendors provide for the purposes of data integration is another possibility – but it creates the same knowledge and resource challenges. Taking out insurance against the failure of a service or a service provider is another option, but this is not a panacea, and it can be so costly and so complex (from the point of view of technology and ‘legalese’) that it can eliminate the benefits that made cloud seem appealing in the first place.
On top of this, threats to the availability of all sorts of public, private, and hybrid cloud services are becoming increasingly difficult to assess, because of the common links in the chains of dependency that characterise ‘the cloud’. Gartner analyst Jay Heiser likened this to the financial crash, in a 2010 blog here, and the theme has recently been picked up by Bryan Ford, a Yale University researcher, in Icebergs in the Clouds: the Other Risks of Cloud Computing (available here). As Ford states: ‘Non-transparent layering structures, where alternative cloud services may appear independent but share deep, hidden resource dependencies, may create unexpected and potentially catastrophic failure correlations, reminiscent of financial industry crashes’ – and we know what happens when greed wins out over governance.