Those Hidden Cloud Costs
Rogue implementations represent a major portion of the problem.
Experience with the cloud is relatively new to most enterprises. Those who have entered the cloud market do not have years of cost control experience. Many enterprises may be overpaying for cloud services, not because they are overcharged but because they over-subscribe to services.
Some departments may be rogue implementers. Recovering data from the cloud when there is a failure can be slow, so why pay for it if it is not possible to recover in hours instead of days? Is the enterprise cloud storage being used efficiently? Can the cloud providers respond to e-discovery requests by the deadline date or even find the data? If not, why use the cloud?
Symantec has released a report, "Avoiding the Hidden Costs of the Cloud, 2013," that covers these issues. When 94% of the organizations surveyed are at least discussing cloud implementations, the costs need to be addressed on a broad scale. The survey was ambitious, reaching 3,236 organizations in 29 countries. Every country surveyed produced 100 to 300 responses. The survey is reliable, with less than a 2% margin of error.
The first and I think most interesting hidden cost is rogue cloud deployments. These are deployments where a department or group decides to subscribe to cloud services directly, thereby avoiding IT. Subscribing to cloud Unified Communications (UC) may be very attractive when the IT department is still in UC evaluation mode. There may be other rogue deployments; it could be that some marketing staff decided to use Dropbox to share information with outside vendors. It really does not matter why; it should not be done.
Source: "Avoiding the Hidden Costs of the Cloud, 2013"
When you analyze the chart above, you notice that the rogue problem is not improving. Half of the respondents reported the rogue problem has not decreased while 29% stated that it has become more frequent. This is not the provider's fault. However, providers could report to IT when subscribers independently initiate cloud services. This is unlikely to be done for free services and is not in the best interest of the salesperson for paid cloud service providers.
With a rogue cloud deployment, sensitive enterprise information moves beyond the control of IT and is not secure. About 75% of the respondents to the survey reported having this situation. The survey says it is more common in enterprises (83%) and less common in SMBs (70%). This may be because the organizational silos common in enterprises make it easier and probably more desirable to go rogue.
What makes the rogue implementation dangerous is that 40% of the rogue deployments created significant potential exposure of confidential information. This included account takeovers, stolen goods and services, and even defacement of web sites.
When asked "Why are they doing rogue implementations?" one in five said they did not realize they should not do it. This is an internal problem that goes beyond IT. The CXOs should be made aware of the problem and institute specific policies to avoid rogue implementations. The single biggest incentive to go rogue is the slow process that IT makes the internal customer go through to accomplish an implementation. Those implementing rogue deployments point out that they saved time and money.
Some other findings in the survey include the fact that 68% of the respondents could not restore lost data because the backup or the archive did not work. Imagine if the e-mail or voice mail files were lost. When it came to e-discovery requests, 66% of the time the deadline was missed. 41% of the time the request could not be met. Another finding is that cloud storage is inefficiently used. Storage utilization was found to be low at 17%. Finally, only 40% of the cloud providers' SSL certificates complied with the enterprise internal standards.
The report concluded with four recommendations:
1. Focus on policies covering people and information, not the technologies.
2. Policies must be monitored and enforced through education.
3. Look for tools that are not specific to a particular platform. The tools should be agnostic.
4. Watch for duplicated data in the cloud and remove it.
Also see my blog on cloud cost control, We Need Cloud Expense Management.