A restaurant owner who does not dine in his own establishment is automatically suspect. Is his menu and chef not good enough that he elects to eat somewhere else?
And so it is with cloud services providers. Among the first things that potential customers should perhaps ask them is this: Are you yourself on the cloud, and if so, is your entire organisation happy with it?
It is admittedly a complicated issue. Many cloud providers pre-date cloud computing and so still have on-premise legacy systems that they are loath to throw away – not to say on-premise solutions that customers still want to buy and many in the organisation still want to sell.
Take Interactive Intelligence
, a provider of call centre software solutions and technologies for unified business communications. “We sell our software as premise-based, but we have also started to sell software through cloud,” says Simon Lee, Regional General Manager for Asia. The cloud currently account for “about 30%” of company revenues.
“As an organisation, we also use cloud-based applications like Salesforce.com,” he adds. “But I will say the back-end office systems like our accounting system, which have been in place for years, we are still on that.”
Pure Vs. Hybrid
“Companies that are pushing cloud software should be doing it themselves,” agrees Andrew Milroy, Vice President, ICT Research, at industry research group Frost & Sullivan. “But a lot of companies that are [selling the cloud], including Interactive Intelligence, have an on-premise legacy, which is what they’ve been doing for years and years.”
Frost & Sullivan itself faces a similar situation. “I get frustrated at how little we have on the cloud,” says Milroy. “I know we use Concur for expense management, as Interactive Intelligence also does. Some things we use, but far, far little. We have an enormous legacy of cumbersome, difficult legacy technology that the company still lives with.”
But Milroy says there are pure cloud organisations that are among the world’s most successful companies. “Amazon, everything they do is on the cloud,” he points out. “Facebook, Salesforce.com, NetSuite . . . these are the more recent organisations, and that’s all they’ve ever been about.”
Amazon, Salesforce.com and NetSuite also sell cloud solutions. “All our processes are on the cloud,” Ronen Lamdan, Director, NetSuite Asia, told participants at the CFO Innovation Asia Forum in Singapore in June. Because of this, he says he has complete visibility into actual and forecast sales as well as key back-office operations and financial business processes, including accounting, inventory and order management which makes possible, up-to-the-minute forecasts and planning.
So should companies opt for the “pure” cloud purveyors rather than the hybrid ones? As always, there is no set answer. It all depends on the depth and breadth of the cloud services on offer, the results of the cost-benefit analysis of choosing cloud over premise, and the potential customer’s comfort level with the cloud provider’s security measures, service quality and other factors.
But be aware of some inconsistencies as the hybrid providers struggle with balancing the product mix of lucrative on-premise lines and not-yet-as-profitable cloud offerings.
“I think that a lot of the time somebody with a vested interest in on-premise infrastructures will say: ‘Don’t go for this public cloud. It’s insecure, it’s not properly customised. We can build you a private cloud that offers you the same [benefits] and also addresses your security concerns,’” says Milroy.
“And they’re going to make a lot of money from it [building a private cloud rather than a public cloud],” he adds.
False Security Argument
Various surveys have shown that security and data privacy are top of mind for Asia’s companies, including a new survey by CFO Innovation involving Hong Kong enterprises (see Finance and the Cloud: Is Your Company Being Left Behind?)
. Stoking fears about security can be a potent selling point, warns Milroy, but he argues that “the security argument is false.”
“I think it’s wrong to say that on-premise is more secure than off-premise, that the public cloud is less secure than the private cloud,” he says. [In the public cloud, servers and services are shared by users in various unrelated companies; in the private cloud, servers and services are shared by users in a single group of companies.]
“If you think about it, a pure public cloud offering where you go straight to some data centre managed by Amazon or Google are going to use best-practice, up-to-date, security technology,” says Milroy.
“Whereas your on-premise business, you’re expertise isn’t in security. You’ve actually got more security breaches with on-premise, which is on a distributed system . . . If I go round an office that has a lot of servers on it, lots of PCs in it, lots of USB ports, I could stick my memory stick into something and cause a security breach.”
Milroy observes that the major security incidents have all involved distributed systems, including the security breach at Sony last year that resulted in the leak of the personal detail of nearly 77 million PlayStation Network users.
“The only real examples we have of some email hacking [of cloud systems] are free offerings with Google,” says Milroy. “Similarly with Amazon, some outages, but again, those are the people that go for the cheapest options. You can go for options with Amazon that offer you fail-over and more redundancy and so on that can address the availability challenges.”
“I’m not saying Amazon is the perfect solution,” he stresses. “I’m just saying that, from the security perspective, I don’t think it’s valid to say that on-premise is more secure than off-premise, that legacy is more secure than cloud. I don’t there is evidence to say that. There’s no study that argues definitively either way at the end of the day.”
Milroy does subscribe to the oft-cited idea that the cloud helps cut IT costs, which is typically the company’s second-largest expense category after salaries and wages. “You’re basically paying for a service that’s an operational expenditure rather than a capital expenditure,” he says.
But here, too, the difference between a public cloud and a private cloud looms large. “You can switch [the public cloud] on and off,” notes Milroy, and pay only for the time you are switched on. In a private cloud, the group companies would have paid for the construction of the data centres and other infrastructure, the provision of cloud services and maintenance of the operations.
That’s the theory, at least. A public cloud services provider like Salesforce.com is not really switch on-switch off. “You still have an annual arrangement with them,” Milroy explains. “The way they license is not dissimilar from an on-premise arrangement. You don’t have to build the infrastructure, but for the software, you might still be paying an annual license.”
From his perspective, Milroy says the real issues that companies should worry about with regards to the public cloud are those around integrating what’s on the public cloud and what’s on-premise.
“A lot of what you’re getting [from cloud providers] is vanilla,” he explains. “Sure, there are adds-on, but typically there’s not as much customisation as you might get for something that you develop on-site.”
“There are still some latency and quality-of-service issues around the public cloud,” he adds.
Cloud services providers like Interactive Intelligence say they recognise and are dealing with these issues. “Security, reliability and control are the three most serious reservations companies have with moving their contact centre and UC [unified communications] infrastructure to the cloud,” says Asia GM Lee.
The company response is a CaaS (Communications as a Service) solution that creates a “single-customer, multi-instance virtualized environment” that gives customers “increased security, isolation and flexibility.”
Clients are given the deployment option of keeping all voice traffic within their own network and can migrate from CaaS to on-premise, which is apparently still what many companies want.
“I would not say that customers will immediately throw out their investment to move on to cloud,” says Lee. “Sometimes, it’s just the right timing where their system is due for replacement or for technology refresh. Or they may need an upgrade because of expansion.”
Should they upgrade their old equipment, replace it entirely with a new set or move to the cloud? In some instances, it may not be an either-or situation. “They may go to the cloud to complement whatever they are using or to serve as a back-up or disaster recovery for their primary site,” says Lee.
A customer may tell Interactive Intelligence that it will need an additional 20 users for six months for a new campaign. “We can turn it on in a day or two,” says Lee. In an on-premise model, “you have to go through an evaluation process, or go through the justification, management approval, capex approval – that can be painful.” Because cloud computing is opex, “it is easy to justify.”
Less Visible Risks
But at least for now, cloud computing solutions are for the most part not as capable of fine customisation compared with their on-premise counterparts. In part, this is because the on-premise purveyors do not want their products to be too rapidly cannibalised, even as they are forced by market trends to offer public cloud versions of their solutions.
Some risks “remain less visible,” warns Peter Koo, Partner, Enterprise Risk Services, at Deloitte China. Among other things, he points to the lack of transparency of service provider standards and application programming interfaces (APIs), which increases the risk of vendor lock-in; unclear or inadequate service level agreements spelling out business continuity planning; and the cloud service provider’s ability to assure data privacy, integrity and confidentiality.
Peter Hum, an independent systems integrator and consultant based in Singapore, also says that it can be difficult for companies to download their data from one cloud provider for transfer to another provider or to put them back on-premise or in a private-cloud environment. You can get the bits and bytes, but they will not make much sense because the software that organises the data is proprietary.
Where does all this leave the Asia’s companies? Somewhat surprisingly, they appear to be unfazed. In the CFO Innovation study of Hong Kong enterprises, 44% of the CFOs surveyed said their company was already running an application on a cloud environment, while another 27% indicated that their firm was planning to follow suit.
Of course, this can be as simple as a subscription to Salesforce.com and Concur, as Frost & Sullivan and Interactive Intelligence have done, and not the near top-to-bottom public cloud solutions adopted by NetSuite, for example.
Cloud Assessment Tool
Which is not necessarily a bad thing. “Migrating [business critical applications] to the cloud is not a trivial task and could best be described as a journey where benefits need to be weighed against risk, cost, and effort,” says the Asia Cloud Computing Association (ACCA) in a new report with the somewhat unimaginative title “Cloud Assessment Tool White Paper.
“Different applications have different requirements and different levels of complexity,” the report points out. Telephony and financial trading need very fast response times, for example. Security might be the key parameter for an ERP system, while redundancy might be more critical for others.
Different sectors might also prioritise differently. For SMEs, support and interoperability might be the most important considerations while engineering companies might prize performance and life cycle management. “Different applications have very different requirements and they have to be evaluated on an individual basis,” says the report.
To help companies decide how and when to migrate to the cloud, or whether to do so at all, the ACCA has formulated a framework comprising eight criteria:
- Security: Encompasses aspects ranging from privacy to information to regulatory
- Life cycle: Addresses questions that might have an impact on the customer’s business process while using the service
- Performance: Deals with issues relevant to engineering the runtime behaviour of a deployed application
- Access: Examines connectivity between the end user and the cloud service provider
- Data centre basics: Refers to the fundamentals of the physical infrastructure
- Certification: Looks at areas that give a degree of quality assurance to the customers
- Support: Assesses various types of help for customers to deploy and maintain the application
- Interoperability: Addresses topics that help customers adopt several cloud offerings at the same time without causing too many integration and management problems
What About Finance?
The framework is useful in thinking through cloud implementation plans. What is missing, though, is the financial aspects, such as assessing the cost of writing off existing on-premise systems and the impact on the balance sheet if capex is turned into opex.
"It's a generational thing," says Hum, who believes that as the younger generation of finance leaders takes over and the cloud itself becomes more mature, the current worries over security and other issues about the cloud will disappear.
Perhaps so, but for CFOs of any generation, the cost-benefit analysis of going to the cloud should continue to be as important as the evaluation of operational pluses and minuses.
About the Author
Cesar Bacani is the Editor-in-Chief of CFO Innovation