There is nothing new under the cloud August 27, 2013
http://www.flickr.com/photos/davejackson/4876222979/
Talking to government organisations that are moving some of their operations to the cloud, you discover that many are doing excellent assessments to combat a lot of the ICT risks associated with moves to the cloud, such as examining security, down time, back up and restoration and performance related issues.
Government organisations are also actively considering the requirements of the Privacy Act when selecting what forms of business and related data are appropriate to move to the cloud.
Many government agencies have developed excellent checklists to identify, measure and control these issues, and have incorporated specific references in contracts with cloud providers to address any problems.
But not many cloud projects assess information requirements and risks, and talking to people you discover that information management is seldom explicitly addressed in cloud contracts.
Why is this a problem?
Information in most environments is not managed well
Barclay T Blair, a US-based information governance expert, in his article Governance for protecting information in the cloud, has identified that many of the information management mistakes that are being made in just about every organisation will likely be replicated in cloud environments.
These information management issues already cause daily costs and complexities in the corporate business environment but in the cloud these common mistakes can bring:
- new risks
- greater complexities, and
- the potential for ever escalating costs.
What are the key information management risks to look out for?
The key information management risks that will particularly impact on cloud arrangements are:
- Information longevity: business systems are not designed to keep your information for the medium to long term and the cloud isn’t either
- Information proliferation: information volumes need to be managed, particularly in cloud frameworks, to prevent significant cost blowouts.
This post is called ‘There is nothing new under the cloud’ because these key risks already affect information in just about every organisation today. They are slow burn issues, however, that in traditional business frameworks take a number of years to impact on corporate processes, accountabilities and bottom lines.
Cloud frameworks however will bring these issues to the fore. Cloud-based systems will either:
- rapidly exacerbate these existing information management issues and cause them to impact corporate operations or the corporate bottom line in the short term, or
- provide the impetus to proactively address these challenges and resolve them before they present a corporate risk.
Information longevity
The majority of business systems today are not configured to make and keep the information that your business will need in the medium to long term.
Systems are necessarily designed to meet immediate project needs and requirements and for, speed and efficiency purposes, are often based on non redundancy and data over-write principles.
But a significant core of your business information will have a business and legal lifespan that is greater than the system it is part of. However we very seldom plan for this longevity and are consequently often left with complex legacy system and data management problems as a result of inevitable technology change.
The challenge of the cloud is harmonising these needs for daily efficiencies with an organisation’s parallel needs for longer term efficiencies, strategic insights, reporting requirements and accountabilities.
The cloud just emphasises that you need to be smart and strategic with your information. And you need to be proactive. You can’t wait and deal with a remnant legacy, you have to make all these long term, proactive and strategic decisions before you deploy your cloud frameworks.
Resolving these types of risks and issues may be more complex with the cloud because, like the majority of business systems, the majority of service or application offerings in the cloud have not been developed with long term information management principles in mind.
Information export and portability are not native functionality in some cloud offerings and the commercially driven lack of standardisation between cloud services can also inhibit data movement and consequently data maintenance.
Because cloud service and application offerings often tend to have a short term project focus, they are not mature in their ability to handle more long term information. We see this lack of maturity in:
- blanket retention rules in some cloud systems
- blanket purging rules
- lack of tools or capacity for data partitioning, segmenting, tailored purging and retention.
Many cloud systems can treat data with a one size fits all approach, but this does not fit the nature of the information that government is generating, where some data barely needs to be retained a day and other data has a variety of legislative requirements to be kept for 50+ years.
According to Barclay T Blair again, key planning questions to ask when considering different cloud offerings to address these issues include:
- what capability does your cloud provider offer for exporting data from its services? What types of metadata are preserved? What are the costs and timeframes?
- what standards does your cloud provider adhere to, and are those standards sufficient to address your data portability requirements?
Asking these types of questions will help you to mitigate and manage maturity issues and develop plans for how you will sustain your information that needs to be kept longer term.
Information abundance
The next key risk that is threatening all organisations but which is going to come to a head first in the cloud is information abundance.
I have been arguing elsewhere recently that we are in a data bubble that is getting pretty close to bursting. I think all organisations have to plan very carefully for the cloud with this data bubble in mind.
We hear a lot today about information surviving forever, about storage being cheap, about technical capacities to keep everything we create. Each of these in fact is a myth and each day organisations are exposing themselves to very long term risks and cost liabilities because of these inaccurate assumptions.
According to IDC research, information volumes across the world are growing at 57% per year. By 2020 it is anticipated that across the world, 35 zettabytes of data will be created. One zettabyte is equivalent to the content of 260 billion DVDs. We cannot afford to keep all of this data.
In 2010 Barclay T Blair used data from the IDC Quarterly Storage Software Tracker, Worldwide Quarterly Disk Storage Tracker and Costs of Hard Drives 1956-2010 to show that storage costs are indeed cheap. He showed that in 2000 the disk cost per GB was $9.14. In 2010 the price was $0.08 (1% of the 2000 cost). The IDC statistics also show that the worldwide costs of storage hardware have also remained static over the last 10 years.
Blair shows however, that between 2000-2010, the world-wide storage costs have doubled, from $5.3 billion to $11.7 billion. When viewed in totality, Blair says that these statistics show ‘we are spending as much on storage 10 years later, when the price of the raw materials, disk drives, has dropped to 1% of what it was.’ We are spending all this money on software to manage and use all the information we are creating. Storing digital information in the cloud or in corporate business systems where we can access and use it is not cheap and these costs are growing year on year.
David Rosenthal of Stanford University, in response to the trend, ‘Let’s just keep everything forever in the cloud’, has analysed the costs of storing all today’s data in the cloud, using IDC data volume statistics, cost statistics based on Amazon’s Simple Storage Service and the 2011 Gross World Product (GWP).
Rosenthal concludes that ‘keeping 2011’s data would consume 14% of 2011’s GWP. Given the IDC’s estimates that annually, data is averaging a 57% volume increase, Rosenthal calculates that ‘endowing 2018’s data will consume more than the entire GWP for the year’.
He summarises by saying, ‘We are going to have to throw stuff away’ but ‘Ignoring the problem incurs the costs of keeping the data; dealing with the problem incurs the costs of deciding what to throw away’. He concludes, ‘We may be in the bad situation of being unable to afford either to keep or to throw away the data we generate’.
Before these critical problems are reached, the issue of what data has to be kept and what can be regularly purged and thrown away is vital to address in your cloud arrangements.
With the cloud you must think strategically about your digital information. Not foregrounding these issues and considering them up front is going to create substantial and unsustainable legacy issues in the future so they must be addressed.
This is particularly the case with the cloud, where all your excess data is going to cost you large amounts of money to maintain each and every year. So be strategic. Talk to your records and business staff and identify what corporate records need to be kept, and what can be thrown away and build these requirements into your cloud frameworks.
Case study – cloud email
A common example that demonstrates many of these issues is cloud-based email. Many organisations are looking to move email to the cloud for a ‘quick win’.
As you may guess from reading everything above, the risk when moving email to the cloud is that you are moving a high risk, multi transactional, multi-agent, poorly managed and massive dataset to a cloud environment where you will need to pay for its ongoing storage.
Cloud solutions in and of themselves are therefore not a solution for email. Unless you have well managed corporate email, or business rules that require staff to actively manage their email, cloud email systems are a means of moving an existing problem off site.
Many cloud email systems can also deploy a rolling deletion policy which will, for example, auto delete all emails after 2 years. The risk here is that standard retention rules will give equal weighting to an email about a birthday cake in the tea room and an email about a $10 trillion business contract.
You can of course deploy cloud-based email systems, but you do need to do it strategically. Strategies need to be put in place to ensure you can keep what you need to keep and routinely destroy the information you no longer require. Email is a high risk business system and unless a move to the cloud is handled well, these risks can be magnified and become exceptionally costly in the medium to longer term.
But all these issues can be resolved…
By assessing your organisation’s information needs and risks when moving to the cloud, you can identify and implement genuine management strategies that will mitigate these risks and to maximise your business potential.
To ensure that information risks do not ultimately outweigh the short term business efficiencies of moving to the cloud you need to:
- Plan for the cloud – take the time to do it well.
- Collaborate – bring ICT, IM, records and business staff together. Their shared insights will help you to develop the best cloud solution.
- Assess IM and ICT and business risks – information is a critical corporate resource in the short and longer term, so make sure any potential short and long term risks to it are mitigated.
- Select systems appropriately – choose systems that meet all your business needs.
- Build IM into cloud contracts – if warranted, make sure that longevity and volume management are appropriately covered in contractual statements.
- Monitor and improve – product maturity and corporate awareness of the cloud are still evolving so always take the time to assess and improve your practice.
- Educate – use the lessons from cloud to improve information management and recordkeeping practices across your organisation.
And lastly please share your views on the cloud via Future Proof. We always love to hear what you think.
Great post Kate.I shared this with one of our IT managers who thought it was very thought provoking. Thanks!
Thank you Janet! And great to hear that FP posts are being used to trigger good conversations with IT managers about recordkeeping issues and some of the enterprise governance and implementation issues they raise. Yay! All the best, Kate