Does cloud make rain?

With all the hype and attempts at defining what cloud is (and isn’t), and how big it is, one might be forgiven for letting out a stifled groan. It is much more than hype, though. While cloud uptake may be falling behind vendor expectations, it is taking the world – and South Africa – by stealth if not by storm.
What is cloud?
Despite sound advice to the contrary by pundits like Dustin Armhein, I think it is useful to ask this question before diving in. We know about the X’s in XaaS and the ‘five characteristics of cloud’, namely: shared, virtualized infrastructure, self-service access, elastic resource pools, consumable output and user-based usage tracking. 
For this discussion we are more simply concerned about whether “cloud is not yet making much rain” – and part of that relates to monetisation models. A lot of services are being adopted, but often on the free end of the ‘freemium’ spectrum. Many massively adopted free or dirt-cheap cloud-based applications are already finding utility in the enterprise, often by masquerading as personal services. Google and LinkedIn come rapidly to mind, followed closely by the numerous cloud storage options. Entry-level web hosting for a handful of dollars a month is a further example. These are not our primary focus, but the stealth-adoption aspect is worth noting.
What is driving uptake?
Let’s take a look at what is going down in South Africa currently that is actually consuming a chunk of the enterprise ICT budget. Much of the adoption of cloud services is on the ‘lite’ side: applications such as managed firewalls, email and web content filtering, virus and spam detection and fax-to-email services are cases in point – the so-called “Communications-as-a-Service”. These do not involve committing the company’s IT crown jewels to an unnamed server in an unknown remote location. These are also services that your ISP may have been providing for years, and which were not even referred to as ‘cloud’ services – but clearly tick most of the boxes. 
Ironically, these are services that are widely adopted for the enhanced security they offer – in stark contrast to the oft-cited fears of security breaches and loss of control that inhibit wider adoption of cloud-based applications.
And then there is the one business application that really has made it in the cloud to date, namely CRM, best typified by Salesforce and MS Dynamics.  
Smaller is bigger
The above are examples of applications that are already being adopted, and equally so by businesses of all sizes. Many cloud services are especially well suited to small and medium enterprises (SMEs), relieving them of the need to invest heavily in their own server infrastructure and the related skills and administration hassles. Services are provisioned incrementally, growing as your company grows, so you only pay as you use – there is no need to support your own server with all the bells and whistles.
We will know that the vision has been fulfilled when we see a higher level of uptake of enterprise applications such as online accounting or ERP (such as Sage Pastel My Business Online); there has been growth in some areas, and good growth at that, but off a very small base. A similar observation may be made about Office 365 – and it is interesting to note Microsoft’s sworn commitment to the cloud as a fundamental strategic thrust.
Theoretically, when evaluating the cloud option for things like ERP, decision-makers would ask the same three questions the CIO always has to ask: (1) Can it save me money? (2) Can it make me more productive? (3) Can it help me give better service to my customers?  And if you can check at least two boxes, you would presumably go ahead and make the switch. Consider these:

  • Saving money: I only pay for what I use, and I can avoid a big capital outlay. Sometimes that alone makes it attractive to a cash-strapped SME – even if the total cost over time is similar (or possibly even larger since the user has no idea how long they will need the service for).
  • Productivity: I can assign resources and provision them more quickly to my internal customer, and avoid costly skills that I might otherwise have to employ.

If this is not convincing enough, it may be that the desire to ‘hug your server goodnight’ is the real reason for retaining the services in-house; or perhaps there are other reasons that relate more to valid concerns about corporate governance and taking responsibility for your data and services.
When is security secure?
The industry has taken pains to educate the market as to the extent to which their security concerns have been addressed, or are simply ill-founded. The industry providers’ reputations hang on this, and they have gone to great lengths to ensure that their environments are secure and safe – in fact a lot safer than that which an SME might provide in their own environment. Security has become a selling point. Some ISPs see off-site backups as the low hanging fruit to attract customers into their data centres for a single outsourced process that is easy to motivate and also easy to cost-justify. Once there, they may be attracted to move other functions and applications across. 
Strictly speaking, the bigger the cloud service provider the more secure they have to be – if only for their own sake. If your name is Google or Amazon, the stakes are high, and any individual company that chooses to use their cloud services should take some comfort that they have addressed any latent vulnerabilities, although the recent Heartbleed scare demonstrated a close shave that even some of the larger players were late to detect and expunge.
Depending on the nature of your business, and your customer data, it is also important to consider where your data resides – the question of “data domicile”. South Africa does not seem to have a broad legal framework in place in this regard, but there is the Protection of Personal Information (POPI) Act as a specific instance. 
SMEs may often be less aware of corporate governance requirements than large companies, especially those in highly regulated industries such as banks. Ultimately, it all depends on the nature of the information you are dealing with, and the sensitivity around that information. If data domicile is an issue for you, your hosting service provider will generally give you the option of local-only hosting. 
One caveat: thinking that just because your data is in the cloud your security is someone else’s problem is a bit naïve – security must always be your problem no matter where your data is located. 
The hybrid option
So, if public cloud services are really well suited to SMEs, what induces larger companies to adopt them? The answer often lies in the ‘hybrid cloud’ approach: first implementing applications in a private cloud environment, getting familiar with the architecture, and then gradually or selectively implementing some elements in the public cloud environment. It is not a case of “all or nothing”. Over time you may elect to expand the range of applications or implement a hybrid solution, which allows bursting into public cloud when the situation demands.
So for some infrastructure and applications you may be comfortable, and for others you would rather ‘hug your server goodnight’. It all boils down to the risk and your perceived risk – and whether you perceive cloud services to be a more secure solution rather than the opposite, and whether they tick some or all of the other boxes.
Author – Brian Neilson (Director at BMI-TechKnowledge). Based on insights from Clinton Jacobs, senior IT analyst at BMI-TechKnowledge.