Posted on | May 15, 2010 | 1 Comment
The following is a collection of considerations and criteria from discussions of cloud computing, cloudsourcing and outsourcing in various organisations,
e.g. universities in several countries, tech startups, NGOs.
While this write-up is inspired by many colleagues in various places and networks (thanks!), the views expressed are my personal ones and not necessarily shared.
It s work-in-progress, or thinking aloud really – all comments are extremely welcome and will be published here.
I will focus these around a question that many organisations are facing these days:
whether to outsource mail, calendar and related intranet service operations, or run those inside one’s own organisation.
To set the context, Google offers free mail and apps to e.g. african educational organizations:
This is often described as “putting things out in the cloud”, however the term “cloud” itself deserves some attention.
Wikipedias take on this,
“Cloud computing is Internet-based computing, whereby shared resources, software and information are provided to computers and other devices on-demand, like the electricity grid.”
is not very helpful. Following this definition, almost everything we do on a computer these days, is actually cloud computing.
I dont want to get into the long discussion of terms, myths and hypes here, however,
it seems important to note that
“real” cloud computing would have to be defined a bit more narrow, and specifying what resources we are talking about – e.g. cpu cycles, storage, software resources, and so forth.
Distributing your backup storage, your 3D rendering jobs or your trust base system among computers on the net – that is what i would call true cloud.
Having your mail and calendar servers run by someone else really is a lot closer to classical outsourcing, and we should discuss it as such.
So, what is the question?
Many universities today are considering whether to hand over operations to players like Google, Microsoft, Amazon, and many others in the marketplace.
Here s some things to consider:
There is no reason to believe that outsourcing as a rule will be more cost effective (in terms of TCO) than operating your own services.
This myth rose sometime in the 90s, and managements around the world then had to learn painfully that it is just that: a myth.
The truth is: it all depends. On how well you run your outsourcing. Sorry if that s not helpful.
In terms of people resources, managing outsourcing competently (!) may take just as much time resources as internal operations. It doesnt have to, but it may, depending on how you manage.
Often we hear the argument that running your own services takes way too much time and resources.
Frankly, if it does, then you are not doing it right.
If it is possible for your potential outsourcing partner, located in a high cost of labour country, to offer you these services and make a good profit with this –
then clearly it can be done.
True, it is also about size of operations, but not only – it is equally about learning from best practices.
If your core routines – like HR routines, deployment strategies, backup and recovery – are not in order, no doubt you will suffer.
With regards to mail and intranet services, most of the attention and time will go to proper routines, like new users and leaving users – and these core routines will be the same, no matter whether they are being executed on one or the other technical infrastructure. Even if someone runs your server, it is still you who has to know about authorizations and access.
Insourcing later what you have outsourced now comes at a price
It is all about skills: in case you decide some years down the line to insource services that you have abandoned today, this will become expensive.
You either have to reconnect and rebuild your organisations capacity, or buy people from outside. Even telling what skills you will need might become a challenge.
5. Legislative factors
Most IT legislations somewhat limit the places you may put your data and services.
For example, in EU countries, security standards demand that we keep services in europe or with companies that maintain a legal presence in Europe.
Authorities probably wouldnt be happy if we put out data storage into North Korea – just as an example.
Do you know, what your legislation says about this?
6. Location of services
Speaking of location of data and service – face it: chances are, you will never really be sure where they *really* are.
In a truly clouded environment, physical data may be moved at leisure –
and often, even inside your partner company, people would not necessarily know where servers and CPUs reside.
7. Dependence on upstream conenctivity
Having services outside your local network or country makes you vulnerable for failure of upstream connectivity.
True, if your international links are down, you would not be able to reach your global contacts per mail anyway, but at least your faculty mail and calendar would work.
This is a serious consideration of how dependent on external factors outside your control you like to be.
See for example this interesting post, discussing teh impacty of a major outage of the east african cable rings:
“Why we urgently need offline cloud computing redundancy in Kenya”
8. Cloud or Central Control
With what we said above, take a look at the picture, wikipedia is using to illustrate the cloud:
You might add players to this picture, but the telling fact is, that in todays reality, it is really just a few big ones dominating the market.
We often romanticize the cloud, associating terms like … distribution … sharing … cooperating – but in fact, the cloud might be much more central than we think.
Together with ambitions of part of the internet industry to take all core services away from the not so privileged, as they are not capable of running these securely anyway –
a pretty dark picture emerges, the picture of tightly controlled global IT structures that throw away the initial values of the internet.
Read about some of these considerations here:
This is a bit of draw: while none of the players out there have a clean track record when it comes to security,
To many, the two words “Microsoft” and “Security” combined in one sentence would seem like a bit of an oxymoron.
Microsoft, like other cloud computing players, clearly says that they will not be liable for security problems, e.g. data loss, in their cloud services:
Google has been criticized for its handling of privavy in search results and apps like Buzz.
See e.g. here for part of this discussion:
However, it would be arrogant to assume that you will do better yourself.
High security standards can be reached by yourself as well as by external partners.
You are less likely to be hit by random mass scripting attacks if you keep your services in your own backyard,
however, if somebody really really is after you –
they will know where to find you, no matter what.
Often overlooked: a high percentage of potential attacks come from inside your own organization – and in that case, maybe your services are safer if run by an external partner.
Take a close look at contract terms, e.g. notice period for cancellation or change of services.
Many major players, be that software companies or social websites, have changed their terms with short warnings, and often poorly documented.
Take facebook, whose bad practice of continuously changing privacy policies in order to make money out of the data the users gave them now has become a mainstream concern.
There is no guarantee that what you are given for free will stay free forever. It might just be “pusher marketing”: give it away for free until people really like it and cant do without it – then you start charging. Or change the rules.
Uncertainty of rules and conditions together with short periods of notice, e.g. cancellation notice, makes things even worse.
Having to move all your operations with a one month warning is bad news.
Note that these skeptical remarks are by no means assuming bad intent on the side of those who are offering free services today.
11. Pick and choose
Pick carefully what you like and do not like. It is no problem having all your students use google accounts, apps and so forth while keeping your own infrastructure intact. You do not have to be owned in order to be part of a cloud.
You can have your own Zimbra and get the best out of Google Apps – that s the whole idea of “cloud” interoperability
The dont’s: Prohibitive factors
Never outsource services that
- you have not run yourself and fully understood before you outsource them. Doing that will make it impossible to manage, control and evaluate your partners performance. They will be able to sell you stuff you do not need and should not pay for. So, in clear words: run your own mail server first, at least for testing, and once you understand it thoroughly, revisit the question of outsourcing.
- Never outsource services that need to be tightly integrated into your own IT infrastructure. If the doors to your building are controlled by IT services , you better keep those close to your door. It is so frustrating standing in front of a locked door, waiting for a network connection to come back up, or your helpline to answer.
- Never outsource anything that is closely related to your core competence. For a technology and science organisation, IT may or may not be seen as core competence. Personally, i would think that a university that aims to teach people how to build and control infrastructures for global IT also should be able to run such infrastructure. As a student, i would find it hard to trust knowledge by people who have not been in touch with what they are teaching.
- Never outsource anything into a tech lock-in situation – that means, only choose services and technologies for which you can find an alternative supplier if need be. Use Open Source technology, use networks, use open knowledge.
It s impossible to come to a general conclusion regarding cloud and outsourcing – but just for this concrete example, i will offer mine:
If you are a university or educational organization for whom IT infrastructures belong to curriculum and expertise – run your own services.
If your organisation is still small and weak with regards to people resources and skills – you might hear the advice to outsource, because of your “weakness”. I would turn this around: If your organization is young and growing – that s one more reason to run services yourself. To learn, develop and learn how to control processes. Once you have, you can always outsource later – and control that process.
Needless to say, if your core business is teaching graphics design or chemistry or literature – dont bother running your own mail servers. 🙂