The biggest business risk with outsourcing is that you
replace technical controls with contracts, and while a move from tactical
operation to strategic management looks excellent in a business plan, it can
fail badly when interacting with the real world. The claim that "insert-vendor-here"
should be better at running the infrastructure because they developed it, is
much more an article of faith than a well-reasoned position.
Consider the failure of the Windows Azure platform over
the last weekend. I noticed it when I
couldn't play Halo 4. As a gamer it
didn't occur to me that there was anything deeper than the Halo servers weren't
working, but it turns out they were hosted on a cloud infrastructure. And the cloud had failed. Completely.
The reason: "Storage is currently experiencing a worldwide outage
impacting HTTPS operations due to an expired certificate." In 2013.
Information security is a people business, and the people
failed.
As Sony previously discovered, the total failure of their
game platform is a pain, but it isn't going to threaten the company. To Microsoft's credit they had it all
restored in about 8 hours.
But Windows Azure doesn't just host games - it hosts
businesses. And the same failure
happening in the middle of the week would mean that businesses that had fully
moved to the Microsoft cloud could do nothing.
No backup. No failover. No disaster recovery. Because all the availability controls were
outsourced. And it is very unlikely that
the clients using the service are big enough to make any contractual claim for
loss.
This isn't just a Microsoft problem, Amazon had the same
sort of outage last year. Every cloud
hosting provider will have these problems.
So here's my cloud analogy: it's like putting all your
eggs in one basket - a basket you've never seen and can't locate - along with
everyone else's eggs, and having faith that this will be managed well by the
fox.
Phil Kernick Chief Technology Officer
@philkernick www.cqr.com
Phil Kernick Chief Technology Officer
@philkernick www.cqr.com
