How cloud computing is changing the world of IT

Cloud computing is transforming the IT industry along with companies’ use of IT.

This is an industry transformation driven by business model innovation, not a new technology generation, as we understand the mainframe, minicomputer, PC, Internet and, currently, the smartphone eras to be.

Cloud computing is only one example of an “anything-as-a-service” business model innovation which means that a vendor will retain ownership of their product and “rent” its use to a purchaser and others.

The vendor of the “service” is responsible for the performance of the product and the purchaser gains from not having any capital expenditure or maintenance costs.

More importantly, the purchaser “rents” what is needed and only pays for what is actually used.

The “anything-as-a-service” business model has very powerful benefits for buyers of the service. Any function within a company which is not one of the two or three core competencies the business must have to create value for the firm’s clients, should be considered as a target for this model.

The use of third party logistics instead of maintaining warehouses and distribution systems is a classic example. Similarly, owning computing assets can not create any competitive advantage or unique value, so the benefits of cloud computing resonate strongly with CEOs.

However, on the supplier side of this business model innovation, all is not so rosy. This should ring warning bells in the ears of buyers.

Traditional providers of IT equipment, their distribution channels and the firm’s own internal IT staff are all severely threatened by the explosive growth in cloud computing.

The fear of disruption from cloud computing on traditional IT business models and a motivation to preserve the status quo is reflected in the promotion of “private” or “internal” clouds. Existing products are also re-positioned as “cloud”, which is known as “cloud-washing”.

An “internal” cloud usually means keeping a firm’s own IT assets inside its own security perimeter, or “firewall”. However, an “internal” cloud is just traditional IT described by a different name.

The word “cloud”, in the context of “cloud computing”, is a metaphor for the Internet. A third party owns the IT resources and “rents” a “cloud” service.

An “internal” cloud simply misses the whole point of cloud computing and delivers few business benefits. How can one take computing out of the cloud and still call it cloud computing?

Legions of IT value added resellers, known as VARs, face a similar disruptive challenge. As the cloud computing transformation continues to accelerate and an initial denial response gives way to a dawning realisation, VARs will seek to adapt.

What are their options and how will those options impact on buyers? In essence, they may choose to build their own “cloud” asset, they may resell cloud computing services provided by third parties, based in New Zealand or overseas, they may forge on against the odds or they may exit the industry.

The critical downside of the “anything-as-a-service” business model for the service provider is that it takes a very long time to become cash positive and profitable.

In traditional IT, hardware, software and services are usually charged to a client “up-front” for an on-premise solution. This means that cash flow is also received “up-front”.

This differs dramatically with an “anything-as-a-service” business model. Firstly, an enormous investment in skills and assets must be made in a “cloud” long before any “as-a-service” revenue can be earned.

The difficulties involved in building a successful “cloud” are invariably underestimated.

Secondly, there is considerable uncertainty about future demand, even though a large investment must be made “up-front”.

Thirdly, cloud service prices reflect a total cost of ownership which is comparable to an on-premise solution, except that it is effectively spread over multiple years. That is, the investment must be made up-front, but the revenue lags over several years.

Finally, it takes many years to build up a sufficiently large portfolio of clients to generate enough total margin to make the cloud services business viable.

All of this means that a VAR building its own “cloud” will need very deep pockets to both create a computing cloud and fund the inevitable cash deficits until break-even is reached in several years.

This challenge poses obvious and multiple risks to any firm using a VAR’s own computing cloud.

Another alternative is for the VAR to resell a third party’s cloud computing services while rebranding the services under its own name. This process is known as “white-labelling”.

However, it is not possible to know who is really providing the service. There may also be multiple layers of sub-contracted providers, none of whom have any direct legal obligation to the firm using the service. There is often a blurred view of who has the data and which party actually owns it.

If the cloud service provider is located outside New Zealand then the client data will also be located outside New Zealand. This is an issue of data sovereignty or data residency.

This is important because the privacy and other commercial laws of the country of data residence will apply, for better or for worse. Some overseas cloud service providers may be located in countries of dubious commercial reputation, to lower their costs and avoid legal restrictions.

In addition, there is for all but the largest of firms no practical way to bring any legal action to recover lost client data or gain any remedies owing to the cost of litigation.

If the VAR is reselling a well known cloud service from outside New Zealand the commercial risk is lower, although it will still be virtually impossible to gain access for an independent audit, modify a service agreement or mount a legal challenge.

In contrast, if the VAR is reselling a well respected and branded cloud service from a cloud service provider based in New Zealand the commercial risk is reduced significantly, as the visibility and reputation of the brand will provide much more confidence. The personal reputation of the service provider’s owners and directors are also much more transparent with a domestic provider.

In New Zealand, there is more scope for protection, but this is still inadequate for smaller businesses. Business owners typically do not even know what questions to ask, let alone understand the answers when they get them.

Larger businesses have the economic leverage, governance drivers and knowledge to insist on customised service agreements and gain access to their service providers’ systems for an independent audit.

At present, there is a process under way to develop an industry code of practice for cloud computing. This is a laudable and well-timed effort. Unfortunately, the process is likely to result in a voluntary “self-assessment” by cloud providers of their own compliance level with the code.

This flaccid result will simply lack the teeth necessary to ensure providers really do meet the requisite standards. The taxi industry is often compared to cloud computing. Transport without capital expenditure or maintenance costs, only pay for the journey you need together with a lot of choice in suppliers.

Consider how comfortable one would feel entering a taxi knowing that the driver “self-assessed” his or her own driver’s license and vehicle’s warrant of fitness.

Financial advisors were finally regulated this year after billions of investors’ dollars were lost in shady investments funnelled through so-called financial planners, who often acted in their own self-interest.

Would “self-assessment” have had much protection for investors?

There are many practitioners within the IT industry who harbour aspirations to be considered professionals in a similar way to chartered accountants, engineers and lawyers. Nowhere is this more relevant than in cloud computing because a third party will have sole possession of each client’s vital asset of data.

Usually, a client does not hold a second copy of their data and relies on the cloud provider to safeguard their data assets. This is tantamount to a professional holding a client’s cash in their trust account.

The law relating to trust account management with independent audit requirements did not come about by accident. Many painful lessons were learned before legislative corrections were made to govern the provision of advice and custody of client assets.

Accordingly, it is now an ideal time for a statutory body and regulatory framework to be established to protect firms using cloud computing services.

History will likely repeat itself as the high growth cloud computing market opportunity attracts all the usual gold rush fly-by-night cowboys, licking their lips over an unregulated feast.

It would be a tragedy if hundreds, or even thousands, of clients lost their critical data and perhaps lost their entire business if a cloud service provider were unscrupulous, negligent or took risky short-cuts while under severe financial pressure.

The enormous economic growth and productivity benefits emanating from the adoption of cloud computing would be stalled if public confidence were bruised by such an event.  

Dr Michael Snowden, CEO, OneNet Limited