At another level, however, it is also a more revolutionary organisational transition – a step-change in the logic of how ICT capabilities are managed and in the role of the corporate IT department. In the glory days of the desktop age the IT department was a monopoly provider controlling access to the network and corporate applications using SOE devices and software as gatekeepers. Information was secured within the enterprise network perimeter. In the webtop and mobile age users are becoming increasingly independent and have a growing range of options for meeting their ICT needs. The IT department needs to develop new skills to orchestrate, integrate and secure these environments effectively. More importantly, it also needs to develop new ways to engage and influence the behaviour of increasingly self-reliant users. Information security in the webtop and mobile age is more so than ever before in the hearts and minds of users.
Ovum has interviewed many executives in organisations that are early adopters of public cloud services. These interviews reveal that the public cloud is becoming a useful catalyst for accelerating the transition from desktop to webtop and moble platforms. The popular notion among executives without hands-on exposure to public cloud services is that they are untrustworthy – not ‘enterprise grade’ – and therefore to be avoided on information security grounds. Paradoxically, however, our research reveals that early adopters of public cloud services are finding that practical, as opposed to theoretical, information security can be enhanced by the use of the cloud.
The reason is that funding and skill constraints and the increasing complexity and sophistication of threats means that many organisations are struggling to adequately secure their desktops and their organisation's perimeters. This is part of a general trend towards more porous organisation perimeters which is accelerated by internet connectedness, the increasing use of social networking and mobile devices and the digital blurring of our 'work' and 'personal' lives. In theory the desktop age delivered a secure information environment, but in practice this age is now over – like it or not.
The reality is that public cloud services are part of a broader webtop and mobile age trend away from information being 'locked away' inside the enterprise network and towards the emergence of information ecosystems which transcend organisational, and national, boundaries.
Adopting a public cloud service for a mission critical application or infrastructure service is a radical externalisation of ICT capabilities, and requires a total rethink of the factors that drive counterparty risks and information security. Contracts and SLAs remain key risk mitigation tools, but need to be extended by a pre-nuptial agreement on data (where is our data and how do we get it back?), a tested Plan-B (what do we do if the cloud service evaporates?) and more rigorous treatment of information management processes and practices (what data ought we store in the cloud, how and where?).
Executives interviewed commented that working through these issues required some effort and “thinking out of your boxes”, but was later regarded as having been a positive process because it confronted the both the real security failings of the desktop age and the organisation's historically informal and ad hoc approach to information categorization and management. The result was an overall increase in the integrity of security and information management.
Generally, there was recognition that the move to using a public cloud service required a new approach to thinking about risks and security on a more granular, transactional, basis – setting aside the false sense of security created by reliance on the integrity of the SOE and network perimeter.
Cloud platforms are one element of a bigger change underway in the way corporate information is created, processed, stored and managed. Use of public cloud services is regarded by early adopters as a useful catalyst for accelerating changes in the approach to IT management that needed to happen anyway to develop the skills needed for the webtop and moble age.
Dr Steve Hodgkinson is Research Director IT – Asia Pacific for Ovum.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.