Figuring out that cloud computing might help your company is the beginning of a long journey. The cloud represents a new IT paradigm, one that requires new ways of thinking about data and the implications of its movement outside a company’s firewalls. For large companies, this means delving into a process of inquiry and discovery, and that’s just what one American commodity trading firm had to do.
The company in question, which requested anonymity in relaying its story, is in the process of replacing its ERP system, moving from a system running on an antiquated architecture to a thin-client application with a significant grid computing component. After looking at the product more closely, the IT team concluded that it presented an opportunity to use a public cloud provider to host the system’s test and development environment. Doing so would allow the company to purchase fewer servers for the ERP system, quickly ramp computing capacity up and down to meet demand, and pay only for the capacity it needed rather than paying for servers to sit idle.
But there was a complex consideration: The test and development environment could contain transactional data on the trading of bulk commodities between buyers and sellers around the world. That meant data on those buyers and sellers might be crossing borders to be processed on servers in countries with differing privacy laws. It also meant that data could exist outside the company’s immediate control.
“We knew it would work technologically, but from a compliance and legal perspective, there was a lot of work to do,” says the company’s IT director.
The IT team set up a meeting with the company’s compliance staff and started to explain the potential benefits and risks of a cloud-based test and development environment. “After the first 15 minutes, they all had glazed looks on their eyes, as if they had no idea what we were talking about,” the IT director recalls.
Once it was made clear that the primary consideration was the movement of financial and contact information outside of the company’s data centers, the questions started flowing. Is the network in question secure and encrypted? What kind of risks would the company face if its trading partners were identified? How do we know where the data is sitting? If another company using the same “cloud service” became involved in litigation, how would we know our data would be protected during the legal discovery process?
The company began talking to cloud providers to get answers, and it quickly crossed Google and others off the list because of their unwillingness to disclose the location of their data centers. Ultimately, the company went with Amazon Web Services’ Elastic Compute Cloud, which allows customers to choose the geographic region of the data center where their information will be processed. The IT director got approval to run a portion of the company’s test grid servers in an Amazon-hosted environment, and as of press time, he was still awaiting final approval to move data from there into the production environment.
As for the performance of the test environment, it delivered classic cloud computing benefits. The company was getting 80% of the throughput of its old test environment, but rather than paying thousands up front for each server and hundreds each month for management and maintenance, it was instead spending 12 cents per hour on computing resources, and only when those resources were actually being used. The IT director estimates the costs at about $40 per month per server.
He also says the effort has yielded an important lesson — namely, that the compliance and legal implications of cloud computing are not well understood, nor are there sufficient laws and regulations to protect customers. The technology is solid, he says, but placing his company’s core systems or sensitive data in the public cloud is simply not an option yet.
“From a security standpoint, it’s probably more solid than what’s in our data center,” the IT director says. “The uncertainty comes from the ‘what if?’ Over the next year or two, some legal matter is going to prompt some laws and regulations in this space. Because of the lack of that today, it just makes us nervous.”
His advice to other IT teams considering the cloud? Be sure you’re aware of the risks you assume in an environment lacking clear oversight. “Before you go do anything,” he says, “go talk to your legal and compliance groups.”