December 23, 2008
The TCO of Cloud Computing vs In House IT
OK, an interesting thread is starting up in a blog post from Susan on "Do the Math folks" where she talks about the costs on In House vs Cloud based services.
I have to say that in my own opinion, she is missing a CRITICAL costing factor. And that's TCO. She's an ubergeek... so she doesn't apply costs to managing all that infrastructure since she just "does" it. And probably faster than most. (I think its all the clones she has) But here is the reality. Businesses can delegate responsibility for data management and protection to Cloud providers, reducing business risk and IT costs accordingly.
I don't usually talk about my business here, but let me explain what I mean. I own a small software company. I don't have a dedicated IT team to manage our infrastructure. I have to do it. I'm the ubergeek. Which is rather sad, since I have better things to be doing, like using my time in revenue generating pursuits. The reality is that every time I have to deal with a new patch, an update or an IT disaster I have to drop everything to manage it.
Now the smart readers will say to hire external competant staff. Maybe outsource it to an MSP. Well here is the nut. In my local area, I simply don't trust any of them. Few are competent enough to actually understand our risk profile, and can properly and securely manage the infrastructure. And the ones that can cost way more than they are worth. I see way too many going under right now, and I simply will not put my business at risk to MSPs that I can't trust.
Which is sad really... since I have many MSPs as customers. However, none of them are local to me... which means I can't get bodies in the office when I need it most. And the sensitivity of the information matters to me. So I won't just contract someone down in the States. Why? Patriot Act. Sorry people, you are NOT going to access our sensitive systems from a terminal that may fall under those provisions. And to boot, we have a cracker jack BC Privacy Commissioner who mandates it that way anyways.
And I sure as hell won't delegate it to a firm whose people are overseas. You nuts? The weakest link in security is the human factor. I will NOT trust it to IT people who are paid $5/hr and are happy to jump between companies like they are playing hopscotch.
Now enters firms like Own Web Now, Amazon S3, Force.com and even Microsoft's own Online Services. Here are companies tieing their business to the Cloud in one way or another. The idea of hosting critical services like Exchange, Sharepoint and CRM, and leaving the standard IT management to those companies makes sense. Why? Because they have deeper pockets with more incentive to ensure my services stay running. Reputation matters to them. They will be around after this recession. These are all valuable pieces to a more dynamic IT infrastructure that can make sense. The TCO factors in as less IT resources are wasted in dealing with the day to day mundane tasks. And they can be trusted.
However, I say that without finishing the statement. That should be that "they are trusted, and can be verified". In other words, as a business owner I can delegate IT management of critical services to them, but I better not abdocate responsibility. I have to ensure we have backups of that information. That we can recover from it. There is no absolutes here. No one will care more about my data then me. So I have to invest in ways to ensure its protected.
Which gets me to a side benefit of Cloud Computing. I can delegate responsibility of all the day to day tasks of managing the systems to these firms. I do that now with services from Salesforce.com and Own Web Now. However, I ensure that data is routinely backed up to another provider. Thats just being diligent.
Now one of the comments in Susan's thread was about the comfort of these people being able to look at that data. Ya, there is certain risk to that. Vlad could read all my mail. With the millions of emails that go through his network, he must have time to read my emails.
Let's get real, shall we? As part of this exercise though, let's say that is a risk to me. Then it would be my responsibility to secure it. That's what email encryption is for. But what about databases? We use SQL 2008, and use transparent database encryption. That prevents 20 year old IT guys at OWN who may be underpaid and have other interests in mind from detaching the database and moving it to their own workstations. We use DDL triggers and force access to certain data to REPORT to use immediately, allowing us to use human heuristics to assure we know who is accessing the information.
And of course, we use strong authentication and identity assurance to make sure we know only authorized staff inside and outside our network is accessing our systems and the data on it. TRUST BUT VERIFY. I really need to get a tattoo of that or something.
75% of all statistics are faked. Just like that one. We can make numbers say whatever we really want. But at the end of the day, each business owner has to weigh costs against risk. This SHOULDN'T be about the technology or technical safeguards. It should be the cost of aquisition and use of the data our businesses need. It's the data assets that matter. Not the systems that drive it.
Some will invest in that through Cloud based services. Others will demand it in house. But if you are going to have that debate, PLEASE include the full TCO discussion in the details. Otherwise you are simply comparing apples to oranges, and neither are good in a Christmas cake.