Chan is not alone in advocating a community cloud. "The cloud is at the top of our agenda, but not 'one-size-fits-all'," said Hui. "There are public and private clouds, but I want a 'community cloud.' For example, the finance and logistics industries have different applications, data and network requirements – so they need their own cloud environments."
A good vendor contract may reduce cloud risk. "There has to be negotiation on risk and service level," said Bullock. "Vendors will not provide SLAs (Service Level Agreements) too close to the best they can deliver—they need a buffer. Data location is also a problem to regulators. New legislation compels data users to vouch for all the facilities through which their data is processed."
Data may move about, of course. "Do we see the separation of data processing and storage to satisfy regulations that require the location of data storage to be known?" asked Martijn Blanken, Executive Director, Telstra Global.
This question seems important to finance and other heavily regulated sectors. "Some vendors will tell the user where their data is processed and use this as a service differentiator, knowing that the regulators have to be satisfied," said Bullock. "Other vendors are unable to agree to that."
Industry standards help with some regulatory issues. "In Europe, they have had standards, for example, ISO27001 for information security management, and we wrote that in our contract," said Blanken. "Then we had to pay 250,000 Euros in audit fees to prove we were in compliance with it."
Data can be copied so easily. "The hurdle in cloud adoption is trust," said Hui. "With ordinary hosting, you have control of your hardware and software, but with the cloud you don't. If you leave a cloud service, how do you know that they retain no copies of your data?"
An audit would help. "We will agree to an audit by a third party," said Blanken, "but 100 percent certainty is impossible."
Of course, enterprise security is never perfect. "Actually, it's likely that cloud security is stronger than that at our own data centre," said Lee. "They employ thousands of trained professionals. It is probably easier to hack into a corporate data centre than into a cloud."
New Role for IT
Cloud technology impacts the role of IT. "Cloud computing is really outsourcing," said Ken Chan. "Writing an application in-house may take three years, but the users want it in three months. Cloud computing is the solution for applications and infrastructure - but what core competence remains with the IT department?" Chan's answer is that businesspeople cannot manage the cloud because they don't understand IT sufficiently. "The IT department will be needed to manage the vendor relationship, including service levels and outages, and perhaps also handle project management."