Six ways to avoid cloud missteps
As some companies enter into their first cloud engagements, other organizations already are looking back at 'legacy cloud' experiences and defining best practices based on what they might have missed or overlooked the first time around.
At JPL, we made the decision early on to create a cloud computing commodity board. Why? We already could see that we would need to align all our business functions as people started getting excited about cloud computing. If everyone had to create his or her own deals, it would become a disaster. Why? Because if you don’t know where your data is, or the contract terms, you’re much more susceptible to a security breach and data loss. And as many companies have discovered, one tiny security breach can bring the whole ship down. In addition, we had to ensure that we could always retrieve all our data, even if we ended the cloud computing contract with the vendor.
At JPL, the cloud computing commodity board is composed of key stakeholders from the entire organization. We meet monthly and entertain proposals from new cloud vendors; review new needs from JPLers; discuss current contracts; outline action plans for vendors where we don’t see the expected value; and discuss cloud computing-related future capabilities and needs. This helps JPL stay current with the evolution of cloud computing.
Looking to avoid problems with a cloud vendor? Here are a few tips based on experience:
1. Use your cloud clout.
The more projects you have with one vendor, the more negotiating power you have. How? If you’ve set up your hosted projects the right way, you can move them from an under-performing vendor to a preferred one. It is a common mistake to over-react and take the workload back in house, even though this is the natural reaction. You will often experience a longer deployment time and higher costs, slower performance, or less flexibility than users have become accustomed to.
2. Closely monitor “experiments.”
Experimenting with cloud computing is a great thing to do. You just need to monitor the experiments to make sure that you get value from them, learn from them, and don’t leave forgotten experimental virtual machines running 24x7, racking up charges and posing security risks. We found that periodic interactive discussion and training sessions are highly effective.
3. Know who’s paying for what.
Users only want to pay for what they used, so internal charge-backs become important. This is one example where perfection is the enemy of progress. We recommend starting by getting the large items right, such as compute time, storage, and network costs. How do you know what the large items are for your organization? Simply look at a few bills and focus on those that constitute 80-90% of the bill. Then draft a memorandum of understanding with your users to share evenly in the remaining 10-20% of the bill. As long as you have a policy and people sign up, you are compliant for most audit purposes. You don’t want to spend 10 cents an hour on cloud computing and over one dollar an hour responding to an audit.
4. Always know where your data is.
With Infrastructure as a Service, it’s important to keep track of the data, but it’s fairly straightforward. Software as a Service introduces additional challenges, because it’s not always clear that a procurement is a SaaS offering. We knew that software-as-a-service might be a bit of a problem when our Procurement group said, “This contract doesn’t say SaaS, it says HR analytics. How do we know that it’s SaaS?” This led to discussions, checklists and training, and is one reason we took on Software as a Service as an issue for our Cloud Computing Commodity board.
5. Your data is your data, period.
Consolidating to fewer cloud vendors does cut down on time dealing with lawyers, but you don’t want to limit yourself either. As you do line up your cloud vendors, make a few requirements mandatory. Primary among these is that you own the data. Whatever happens, your data is yours and you need a guaranteed way of getting it back for any reason.
6. Promote success.
At JPL we make a point of measuring success from our end users’ point of view. That means not only asking them “How’s it going?” but also “How can we help you tell your story?” If they are happy about using the cloud, we can promote their expertise and the business value they added, which promotes our success as an enabling department. As we make good collaborations visible, it helps to reduce independent cloud contracts that would divide our resources and make us much less secure.
At the end of the day we believe that draconian IT would not set the right tone. It’s about IT enabling people and IT taking responsibility when things go wrong, not about taking control. To reduce strong push-backs from business users, clarify that the cloud is about the entire organization with implications beyond the business unit. Bring all the stakeholders together into a cloud partnership including Legal, IT, Procurement, Finance, vendor management, end users, and other departments. You’ll be glad you did.
Tom Soderstrom serves as Chief Technology Officer and Innovation Officer in the Office of the CIO at the Jet Propulsion Laboratory (JPL) in Los Angeles, CA, where his mission is to identify and infuse new IT technologies into JPL's environment. He has led remote teams and large scale IT best practices development and change efforts in both small startup and large commercial companies, in international venues, and in the US Government arena. Some of the companies he has worked for include Telos, enterWorks, User Technology Associates, Digital Island, Exodus, Cable & Wireless, and Raytheon.