At a wedding last weekend, the woman sitting on my right told me a fascinating story about some of the perils of cloud computing, and an incident that she had been involved with. The story starts with a big push by the UK Government to save money by encouraging all departments, agencies and institutions to use cloud computing. They set up a large contract with an established company to run many aspects of their computing. The company that won the main contract then subcontracted the data hosting out to a data centre company. Many government organisations looking to save money naturally went with the government contract, and got the data centre company to host their data. Disaster recovery was taken into account, as the backed-up data was held across two data centres that were far apart.
What could possibly go wrong?
The data centre company went bust. The receivers came in and then went to turn off the data centre, as they had to pay the electricity bill to keep the data centre going. The organisations that had critical data in the data centre were faced with a major dilemma: they could pay the data centre receiver to keep the power on until a new company could be found (if possible), or the receiver would switch off the data centre and they could lose all their data. If I remember rightly, the cost to some of the data centre clients to keep the centre's power turned on was tens of thousands of pounds a week. They had to pay… otherwise, there was the possibility of losing all their data. At one point, the woman telling me this story had threatened to get a high court injunction to stop the company turning off the power to the data centre.
I heard from someone else that a company came into the centre and literally picked up the servers with their data and took them away to host themselves. The issue for all involved in this case was that they shared a server, so it was extremely difficult to get their own data off the server, as it was mixed in with all the other organisations' data.
Luckily, in the end the data centre company was bought over by another company and so there was no major loss of data. The organisations all had to pay again for their hosting; a number of them had recently paid the previous data centre company in advance, so they had to pay twice for the hosting.
As cloud computing is a fast-growing market, and for many companies it makes commercial sense for a large company to host their data, what should we do to protect ourselves?
1. For me, cloud computing is the same as any supply chain and outsourcing risk and we should treat it as such. Remember the key business continuity principle: you can outsource the activity but not the risk. If something goes wrong with your cloud provider, the impact will be on your company.
2. The due diligence of your cloud supplier should be approached with the same vigour with which you would approach a key supplier, and you need to make sure that the company you are contracting with is financially stable and has a good reputation.
3. This can be made more complicated because the data centre infrastructure (building, cooling, UPS etc.) may be provided by one company, while the actual IT hardware company, the cloud provider, may be a different company.
4. If you are buying software as a service then there could be three companies involved.
5. Bankruptcy of the company is a single point of failure: it doesn’t matter how many backups you have spread over however many different data centres, even on different continents; if the company goes bankrupt you could lose all your data.
6. As with all outsourcing, you need to ask: what is your exit strategy, and how can you retrieve your data if you have to? This should be discussed even before you agree on the deal with the cloud provider.
7. Monitor the financial stability of the company you are contemplating contracting with, so you can get prior warning of any impending possible failure. The person I was chatting to said that they knew that the data centre company in this case was in difficulty a year before it failed.
Cloud computing provides a lot of benefits for organisations, but even though it’s the “next big thing”, it should still be treated with the same caution as any other outsourced activity.
You may also be interested in the BCT Supply Chain Continuity Management course, which is presently being updated to look at the risks and mitigation measures associated with cloud computing.