Among IT people I know through Connect and other organizations, opinions on "the cloud" range from "If you're not already doing it or exploring it, there's something wrong with you" to "What? Let some stranger look after my data?" and various points in between.
By the way, one of the big advantages of groups like Connect is that you get a sense of context. You get to find out what your peers are running into – what's easy and what's hard, the benefits and the gotchas. Their experiences can be illuminating even if it's just to highlight how your situation differs from theirs. That sense of context is helpful to me in executing my job, and it also gives me credibility within my organization if I know what other organizations are doing.
So let me share our context at CNA.
The Appeal
At CNA, the appeal of cloud-based solutions doesn't come from calling them cloud-based solutions.
Most of our senior management would have no idea what you're talking about if you offered up "cloud computing" or "cloud services." To me, this is not a sign of cluelessness on their part. It's a sign that the label covers so much territory that it doesn't clearly mean one particular thing to the world at large. When we talk to upper management about cloud services, we have to be clear about particular offerings without relying on buzzwords.
What does appeal to them? Sometimes it's the infrastructure we won't have to maintain. Sometimes it's the availability of services, because we're not fully staffed 24x7 for all services. Sometimes it's the capabilities we're not staffed to offer.
Some articles claim cloud solutions are cheaper, more scalable, more flexible, more mobile, or quicker to implement. From what I've seen, those aren't universally true. The usual "Your mileage may vary" disclaimer applies. Certain solutions will have some or all of those attributes, but to assume they're a given for anything that invokes the "cloud" label is a mistake. Note to providers: Don't come in telling us it'll be all those things before you know anything about us and our requirements.
The Worries
Cloud solutions create instant worries for our senior management.
A big worry is "What if there's a spill?" That is, what if one of our employees puts data where it shouldn't be? For sensitive data spills, we're under strict requirements about how to do the clean-up, and how to show outside agencies that a proper clean-up occurred. If it happens on our equipment, we know where it's been, and chances are that everyone who had physical access to it was sufficiently cleared anyway. If it happens on some service provider's equipment, we might not know where it's been, the provider might not be able to vouch for the clean-up operation sufficiently, and chances are that those who have physical access to the equipment aren't cleared to the appropriate level. The provider's staff may well be cleared sufficiently for what's supposed to be there, but not for the stuff that's not supposed to be there. It's not their fault if our employees mess up like that, but it's our necks on the line.
On security overall, a worry is whether the controls described by the presales team match reality. We've seen it before, when the intended security policy and the actual security policy are only distant cousins.
Another worry is integration with our other solutions. How do we identify access levels? Would we have to manage a whole new set of user IDs and permissions? Will we be able to do data exchange between the cloud service and other apps we're using? So far, the cloud solutions that have the best shot here are the ones that are largely self-contained, requiring little integration with anything else we're doing.
Another worry is the likely stability and longevity of the service and the provider. What happens to our data if relations sour with the provider? What happens to our data if the provider goes out of business? What's the impact on us if the provider decides to stop offering this service?
The worries don't mean we won't do it, but they're the things people lose sleep over.
The Reality
We do indeed use some cloud-based services. So far, they tend to be self-contained and they carry relatively low risk for the organization. We also have some services that absolutely won't be sent out to the cloud.
At CNA, prospective offerings neither automatically win nor automatically lose by being cloud-based. Like anyone who wants to win our business, prospective cloud solutions need to cover the "ibbles" appropriately: affordable, securable, flexible, reliable, scalable, usable, and manageable.
Posted Saturday, August 13, 2011