At a conference in Manchester one of the speakers said to me "Everyone seems to be migrating to the cloud without really understading the risk. I mean, instant availability is great but if 10 years ago you said to a MD you can access files from ANY computer what would they say? Are we not just controlling a very small risk and trading off our security" .. As a big advocate of the cloud my heart sank a little because, he was right! So 10 years ago you are happy with your existing server and your IT manager came to you ... what would happen ?
So we have a fictional company. Let us call it a recruitment company with 20 staff. The IT manager wants to migrate away from the local server to the cloud. In the meeting, there is the IT Manager (IT), Managing Director (MD), and Finance Director (FD).
IT: "Maintain and updating our server is becoming a pain. I want to migrate all of our data off our server to 'the cloud'"
FD: "What will this cost?"
MD: "Hang on, what the hell is the cloud?"
IT: "So we take all of our data, instead of putting it on our local server we put it on another computer in a data centre, its backed up, protected, replicated and available from anywhere by anyone at any time! Plus I don’t have to do backups, updates or checks, it is all done in a secure environment by the cloud provider."
MD: "So we lose control?"
FD: "Is there a cost saving?"
IT: "No, we control who can have access with an app, a username and password. The main advantage is in the event of a disaster all our data is hosted elsewhere and we can work from anywhere!"
MD: "So in the very rare event of a disaster we are protected. Ok, I get that, what if this “cloud” has a disaster?"
IT: "That’s the amazing thing, it can’t! They spend millions in multiple data centres, protection, anti-virus, physical protection and it’s all financially backed with a 99.9% uptime guarantee!"
FD: "Don’t we get that up time at the moment?"
IT: "Well, yeah, but I cannot guarantee it."
FD: "How much to guarantee it?"
IT: "Well, millions! We would have to build at least 2 data centres and then buy all the protection they have?"
FD: "So how much is the cloud option?"
IT: "It's priced per user, per month. It’s a good model and lets us predict exactly how much we will be spending per month, compared to replacing the server every five years - we would save in the long run, but regain control!"
MD: You said its available anywhere by anyone, how is that control?
FD: "Yes, plus exactly how much is it?"
IT: "Well yes, its available on any internet connected computer, you just log into the web site and then you can see only the files you have access to!"
MD: "Hang on, how is that safe? What is to stop someone logging in from his grandmother’s computer that is full of viruses? Or logging in from home and copying loads of IP data? If they are on the server here at least we can physically restrict access."
IT: "Well yes, but that is a good thing! In the event of the office burning down everyone can work from home!"
MD: "Work from home? If the office has burnt down that is going to be a small worry! Plus if the office burns down can’t we just restore from backup?"
FD: "I am not keen on this, sounds expensive"
IT: "Yes we can restore from backup, we have a plan but if we lose everything we would have to buy a server and restore all the data, that would take up to a week! With this option we can carry on “business as usual” from day 1."
MD: "We lose so much control by giving everyone access from everywhere, is it safe?"
IT: "Well its controlled by username and passwords, in the event of someone leaving we disable their account. I know we do that now, but someone can be cut off just as quickly."
FD: "What are the actual cost savings?"
IT: "It is about more than cost savings, it’s about being mobile all the time, giving staff the ability to work from home, and its being available instantly in the event of a disaster!"
MD: "We can work from home now, just a case of connecting a VPN, it really is not that hard. I don’t like the fact that anyone from any device can login. It seems that we are trading off security for convenience of access and controlling a risk that is very small anyway. What do the costings look like?"
IT: (Grabs the white board marker). "Ok so the cost if priced per user per month at £8, we have 20 users so that’s £160 a month, or £1920 a year."
FD: "Hang on, stop there, didn’t you say the server life cycle is about 5 years?"
IT: "Ah ha, yes! So our last server cost approx. £8000 for the hardware and then £2500 for software and licenses. Now if you take that over a 5-year period..."
FD: "£2100 a year, so we would save approx. £180 a year?"
FD: "That’s not that much, plus every time we take on a new staff member our cost will go up for cloud service, but not if we have a server, have I got that right?"
IT: "Well yes but ..."
FD: "So will we save on staff costs, this is so good and so easy, will we still need internal IT?"
IT: "Well, I hope so ... I still need to setup accounts and do day to day support."
FD: "Not to mention the control we lose over our data, having staff access from anywhere, unsupervised on any device that they like, sounds like a bad trade-off for me."
IT: "What if we setup so it can only be accessed from certain company approved devices?"
MD: "Then what is the point in the system at all?"
IT: "Maybe I’m not explaining this right .. it really is the future!"
MD: "So, just to summarise, we do save some money if the server life cycle is five years. So let’s say £900 savings. However, we could potentially lose control of where people access information from, the security of their devices but we do gain flexibility and speed of recovery in event of a disaster?"
IT: "Well, yeah"
FD: "How many businesses are you aware of that have had so much down time after a disaster?"
IT: "Just because I cannot name any doesn’t mean they don’t exist."
MD: "True, but you admit the likelihood of such a event bringing the company down is very, very low."
IT: "It’s a “no” isn’t it."
MD: "It’s a no."
Lesson to be learned ? Understand the risk before migrating your systems to another platform, what is the end goal and is it worth the risk ?