By Sramana Mitra and guest author Siddharth Garg
Sramana Mitra: Yes, that is a valid point. But where I was going with that question is that there are a large number of cloud providers operating today. There are the larger providers like Workday and a variety of larger public companies that are already doing very large [implementations] and servicing a large number of customers. Those are more robust in format, but there are lots of very small companies operating that are running cloud services and have customers. My thought is that maybe they are not all that safe.
Steven John: Well, that is my fear! One of the first documents was the Gartner hype cycle.
SJ: And one of my fears is that, as I mentioned earlier about dot-com – and I know this is focused on entrepreneurs – my voice of warning to entrepreneurs would be that the true cloud takes deep pockets, deep understanding. My worry is that there will be a lot of false clouds without appropriate backing from technology and financial support and so on to be successful. I think there could be some damage to the reputation of the cloud from some of these startups if they get traction and then fail. A broad brush would then paint all cloud companies the same. There are worries about that, and there will be a period of immaturity when IT organizations may not do proper due diligence.
SM: Tell me more about this.
SJ: I think one of the skill sets doesn’t exist in IT organizations is to go out and do due diligence on cloud partners. What you want to do is to be able to go out and validate that they do have security, they do have disaster coverage, and that not only do they have it but they do it better than you do it. And, they not only do that at the beginning of the relationship, but they have an audit capability going forward to make sure that they maintain that capability. That is one thing I thought of, and I might actually start a company that does that. It is a really an entrepreneurial opportunity to provide that service to companies that don’t want to make a huge investment building such due diligence internally but one turns to a trusted partner to make sure that their other partner can be trusted.
SM: And for someone who would be offering that capability, what would be some of the top points you would ask them to audit in the due diligence process?
SJ: For me, a big one would be disaster recovery. I describe it like this: Everyone fails at some point, and it is how they recover that really determines their capability, so their what is their disaster recovery capability and how solid is it? I would look at the distribution of their resources. Is everything at one data center or have they distributed their risk and disaster recovery to another geographic location and so on? Security would be a huge one that needs to be looked at, so you are going to test their security procedures. One of the things I would say is that I have had a background check three times in my life: when I adopted my son, when my dad became a CIO at the FBI, and when I joined Workday. Workday has high security capabilities, but that is one thing that needs to be determined upfront.
The cloud, in my opinion, is a deeper form of outsourcing. Not only are you outsourcing bodies per se, you are actually outsourcing processing, you are outsourcing disaster recovery, you are outsourcing security, you are outsourcing development processes, you are outsourcing testing and QA processes, so someone needs to test and validate that those processes are standard, that they do proper testing that they do proper QA, and so on. Security, disaster recovery, development process, and QA processes are just some of the things on high levels, I would say.