Monday, August 20, 2012

On Blindness – The Cloud Veil

“Living is Easy with Eyes Closed” ― John Lennon

Cloud is good, but…
Perhaps the single most powerful appeal of the Cloud – the ability of business managers to circumvent IT and get immediate IT resources - is also the most problematic aspect of it.

No wonder there is still a large group of CIOs and IT directors that shudder at the thought of letting go and having the business managers, or anyone in the organization, go out and purchase these resources with a swipe of a plastic card.

The fact that IT can be bypassed by the process is really neat: It saves lots of time, there is zero bureaucracy, it is probably cheaper, and it is available anytime/anywhere. The fact that there is no go-between gives the business users all these advantages but at the same time leads to a debilitating blindness.

What we can’t see
Since all communications are done between the end user and service provider, there is zero visibility on the following information:
  • What Cloud resources/applications are being used by the organization? Have various business units subscribed to services without IT’s consent or knowledge?
  • Who is using what and how much? Perhaps the organization is paying for many subscriptions for employees who have left the company, or who are simply not using the app?
  • What modules are being used? Maybe the business is paying for the Unlimited Edition, while most of the users are only using modules of the Basic Edition – the difference can be significant – in some cases ranging from $5 to $350 per user, per month.
  • What is the user experience like? Are the applications performing as expected? Which browser performs best per given app? Are the services providing similar results in the different office locations?
  • How are the applications being used? Are all the modules accessed, and if not perhaps training is needed? Are the apps used as expected? E.g. if a CRM is used only between 4-5 PM every day or perhaps once a week, one would suspect that the service is not used as intended. 
  • Compliance – how do we know that we are compliant with the various PCI, HIPAA, GLBA, FISMA requirements if we have no idea how the applications are being provided, or are being used by our employees?
Back in the days when all the applications were in-house, on-premise, IT could (in principle) know exactly what systems are running, who is using them, what the performance behavior of a given solution is and how the applications are being used.

Tools such as Network Sniffing, APM, and log analysis could be deployed in the network and monitor the traffic between the end users and the applications. For services that were offered outside the organization, one could use synthetic transactions to monitor performance and end user experience.

But what do you do if all the traffic is outside of your reach? How do you know what is really going on?

Single Sign On
Some companies use SSO to give them a measure of visibility into the application usage. While SSO has its merits, it is also limited in a number of ways. First, one must ensure that all employees are using the gateway to access the application. If employees have been using a certain SaaS service for a while, there is no guarantee that they will stop accessing it directly, and in any case, IT may not even know what apps are being used.

Even if IT manages to enforce the policy that every user in the org, accessing a certain Cloud app, will go through the company’s gateway, (whether from the office, on the road or from home), even then, the knowledge of the usage is limited to the single fact that user 'U' logged on to application 'A' at a certain time. Did that user ever advance from the login page or did she log out immediately afterwards? Did she stay signed in for three days, what modules did she use and at what frequency? What was her user experience? All these questions remain unanswered.

Service Provider Logs
A very small percentage of Service Providers have started making available usage logs for their customers. Potentially, these logs are quite helpful, as they can give a detailed view of the usage of the Cloud resources.

The drawbacks in this solution are threefold: First, as mentioned, only a small fraction actually does provide such reports, at different levels of detail. Second, each report is formatted differently and therefore, one needs to study each report, try to normalize the data and build a dashboard to capture the information. (Bear in mind that some organizations consume dozens of SaaS apps.) Finally, this is simply data. To create actionable, insightful reports will require a huge investment in time, resources and ingenuity that I doubt many IT departments will consider.
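The normalization step described above, as an added example that is not part of the original post: two constructed usage exports in hypothetical formats are mapped to one record shape, then compared with a constructed seat list to find paid seats with no recent activity and the modules actually used. All field names, users, app names and the 30-day threshold are assumptions.

```python
import csv, io, json
from datetime import datetime, timedelta, timezone

# Constructed sample exports; both layouts are hypothetical, not a real provider's.
PROVIDER_A_CSV = """user_email,module,login_time
alice@example.com,Reports,2012-08-14 16:05:00
bob@example.com,Contacts,2012-05-02 09:30:00
alice@example.com,Contacts,2012-08-15 16:40:00
"""
PROVIDER_B_JSON = json.dumps({"events": [
    {"actor": "Alice@Example.com", "feature": "storage", "ts": 1345046400},
    {"actor": "carol@example.com", "feature": "sharing", "ts": 1344000000},
]})
# Constructed seat list: the accounts the organization pays for, per app.
PAID_SEATS = {"crm": {"alice@example.com", "bob@example.com", "dave@example.com"},
              "files": {"alice@example.com", "carol@example.com"}}

def normalize_a(text, app="crm"):
    """CSV export with local-style timestamps (assumed to be UTC)."""
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(row["login_time"], "%Y-%m-%d %H:%M:%S")
        yield {"app": app, "user": row["user_email"].lower(),
               "module": row["module"].lower(), "time": when.replace(tzinfo=timezone.utc)}

def normalize_b(text, app="files"):
    """JSON export with epoch-second timestamps and mixed-case user names."""
    for ev in json.loads(text)["events"]:
        yield {"app": app, "user": ev["actor"].lower(), "module": ev["feature"].lower(),
               "time": datetime.fromtimestamp(ev["ts"], tz=timezone.utc)}

def idle_seats(events, seats, now, max_idle_days=30):
    """Paid seats never seen in the logs, or last seen before the cutoff."""
    last_seen = {}
    for e in events:
        key = (e["app"], e["user"])
        if key not in last_seen or e["time"] > last_seen[key]:
            last_seen[key] = e["time"]
    cutoff = now - timedelta(days=max_idle_days)
    return {app: sorted(u for u in users
                        if (app, u) not in last_seen or last_seen[(app, u)] < cutoff)
            for app, users in seats.items()}

def modules_used(events):
    """Modules actually touched per app, to compare with the edition paid for."""
    used = {}
    for e in events:
        used.setdefault(e["app"], set()).add(e["module"])
    return used

if __name__ == "__main__":
    evs = list(normalize_a(PROVIDER_A_CSV)) + list(normalize_b(PROVIDER_B_JSON))
    print(idle_seats(evs, PAID_SEATS, datetime(2012, 8, 20, tzinfo=timezone.utc)))
```

Each additional provider needs only its own `normalize_*` function; the seat and module reports work on the common record shape.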

Where is IT?
Perhaps in the future, businesses could thrive without an internal IT (just as we make do with power and utilities today). There is a hot discussion going on right now on the various internet forums, as to what shape IT will have (if at all) in the future. But right now and for the foreseeable future, IT is here, and will be needed to resolve a multitude of technical and procedural issues.

Therefore, even if one is a big believer in Cloud (as I am), IT will need to be involved. At the end of the day, all the problems will be brought to the helpdesk (even if IT was not involved in the process of purchasing and setting up the Cloud apps). Issues of performance, usage, security, compliance and integration will remain in the realm of IT, because the business managers and individual users will not be capable of handling them.
And, therefore, the blindness must be cured. Tools allowing visibility and reports providing actionable insights must be made available.