Water vapour

Outsourcing and managed services are terms that are used interchangeably. Cloud computing is a term that's misused and misunderstood. Offering outsourced or managed services in the cloud is only going to result in more semantic chaos. But it may offer some business benefit too.

Outsourcing involves handing over one's IT infrastructure, including staff, to a third-party provider to run, manage and maintain. A managed service involves contracting a third party to manage a service on your behalf, meaning you retain ownership of the resources and someone else puts in the elbow grease. There are variations and hybrids, but the main differentiator seems to be ownership.

Cloud computing, simply put, involves a service provider making a service available to end-users. Whether the end is my mother using Gmail to e-mail long lost relatives in Uzbekistan, or a university in the UK that has entirely migrated to using Google Apps is irrelevant. The point is it's a service, provided by a third party, which users can switch on and off or scale up or down depending on what they need. The user has no say in how something is provided, they merely have the choice of providers in the same way they have a choice of restaurants.

“Cloud computing provides a resource that organisations can use 'on-demand',” says Simon Abrahams, head of product marketing EMEA at Rackspace Hosting. “It's available within minutes, and typically you stop paying when you stop using. Cloud is 'utility IT on tap'.”

“Outsourcing, managed and hosted services, and cloud computing can all be offered as hybrid models that allow companies to retain control over specified functions,” says Spescom's group executive of business solutions development Pieter du Preez. “It's really a case of deciding what is 'core' and what makes sense to outsource, whether full responsibility (including skills and resources) is given to a third-party provider or whether components (eg, infrastructure) are outsourced.”

What seems to be holding back the rush to cloud in this market is regulatory, compliance and governance risks and responsibilities. Local companies have been reluctant to move important data or services to the cloud, preferring to hang onto them, even though third-party providers can attain critical mass and economies of scale that make it far cheaper for them to run these services.

Ultimately, says Xepa CEO Garth Francis, it boils down to trust.

Cloud computing provides a resource that organisations can use `on-demand'.

Simon Abrahams, head of product marketing EMEA, Rackspace Hosting

“When client companies can trust their service providers to deliver the layers of security that are necessary (and available), the question of what to put out to cloud becomes purely one of pragmatism,” he says.

“It's about having the right controls in place,” says Magix Integration MD Hedley Hurwitz, “and if you don't have those, you're not going to get them from the outsourcer.”

“Most data protection legislations place the burden of responsibility for data protection on data owners/controllers, which are typically defined as entities that decide how data should be handled and processed. This means that the data controllers that outsource their processing responsibilities to service providers (eg, managed service companies) are still responsible for accidental or malicious data breaches that are caused by the outsourcing companies. To provide assurance, data controllers need to perform appropriate due diligence of the management and handling of their outsourced information. This can be done by either relying on third-party audit validation of the service companies (like SAS 70, and ISO 27001) or performing these audits themselves,” comments Rackspace's Abrahams.

If it's being run by you, it's a job, not a service, says Gartner research chief Daryl Plummer, so if you're thinking of running a private cloud internally then, technically speaking, it's not cloud, it's IT infrastructure.

A public cloud service is one that anyone with the money and the ability can share with anyone else and services are shared in the public marketplace. Private cloud, he says, is where infrastructure is owned and controlled by a company or group and only people in the group can use it, and services can only be delivered and used by people in that group.

It's about having the right controls in place.

Hedley Hurwitz, MD, Magix Integration

Many commentators have suggested private cloud as a means for wary CIOs to retain control of critical applications and sensitive data.

“In South Africa, we typically see clients being more cautious,” says Accenture COO Clive Butkow. “They are moving to private cloud, non-critical services like e-mail and non-confidential back-end activities are going to providers that can manage these more cheaply and with a high degree of reliability. With more sensitive information, they're not going to the cloud, but over time, when companies realise the cloud is more secure than their own data centres, we'll see them move.

“It's a natural progression we see - companies go to private cloud then to public, mission-critical infrastructure is going to private cloud, and non-mission-critical infrastructure is moving to the public cloud, and if it isn't, it should be because there is a significant cost-saving to be realised. Cloud companies that can answer questions about liability and responsibility are the ones that get business,” he says.

SMEs, meanwhile, are taking to cloud services like all their Christmas wishes have been answered at once, outsourcing the shop in one grateful swoop. Says T-Systems' team leader: ITO pre-sales Roelof Louw: “In a smaller company, it's a burden to do IT services, and cloud provides a solution for that in that SMEs can source e-mail, application hosting and data storage (where applicable) in one place. Smaller companies are also more agile in terms of changing the way their IT is delivered, and are therefore better positioned to utilise cloud.”

Du Preez sums it up neatly: “Services and skills will always be more important than the technology itself. An information management strategy that ignores the possibilities of 'the cloud', however, also ignores important opportunities to differentiate the entire business.”

Smaller companies are also more agile in terms of changing the way their IT is delivered and are, therefore, better positioned to utilise cloud.

Roelof Louw, team leader: ITO pre-sales, T-Systems

Plummer says this means SA's CIOs will have to get out of their 'we have to own it' mindset. And that's what it will boil down to - companies that are willing to make use of providers to more efficiently do what they cannot will have an edge on those that hang on to their 'stuff' for dear life.

Governance, risk, compliance and security are considerations, and no responsible CIO will take the leap without doing a through due diligence, which includes finding out if providers vet potential employees appropriately, whether they can comply with your security and compliance policies, whether you retain ownership of your data (if it's not explicitly stated, it's in doubt), what will happen if the provider shuts its doors and any hidden dependencies the provider has on other providers.

The opportunity cloud services provide to free up IT to innovate and drive business strategy versus just keeping the lights on must be appropriately weighed, and a call made based on what is best for the business. Simple, really.