more-arw search

Q&A Forum

Are there new areas of risk that need to be addressed when moving to a cloud based technology applications?


Topic Expert
Sunil Thukral
Title: Controller/Technical Accounting Advisory..
Company: Consultant
(Controller/Technical Accounting Advisory/ SEC Reporting, Consultant) |

My two cents on this issue - some of the issues might not be new to you:

1) Addressing the security of the data.

2) The company who is providing you services should have enough financial strength, i.e. long-term sustainability. Ask the question as to what will happen to your data in the event the company were to go bankrupt.

3) Ask the question - "Where the data will actually will be stored?". Based on the nature of your business your compliance team might have a problem if the data is stored across the border or across the world.

4) Also check the location where the back-up of the data is stored and how often the data is backed up. The locations of the back-up data will also be important to investigate.

Topic Expert
Bob Scarborough
Title: CEO
Company: Tensoft, Inc.
(CEO, Tensoft, Inc.) |

A few additional thoughts:

1) You should understand the trade-offs to make sure expectations are clearly set (customization, reporting, performance, lower IT costs, etc). There are some good threads on this topic already.

2) You should spend time to make implementation and training expectations clear to all sides. The industry models related to implementation support are often different than the on premise models and expectations. You and your team need to understand your internal action items.

3) Most of the marketing information generally available is geared toward private and not public companies. If you are public or considering this you would benefit from combining requirements.

Topic Expert
Scott MacDonald
Title: President/Owner
Company: AlphaMac Resources, Inc.
(President/Owner, AlphaMac Resources, Inc.) |

The main thing is the reputation and stability of the company you use. You also need to make sure they will participate in any disaster recovery plans you have implemented.

As mentioned earlier, "the cloud" still has a physical address. You need to know where that is. If it is in India for example, you need to understand the geopolitical ramifications (wars, terrorism, etc.) and the geographical impact that might have (bad weather, earthquakes, etc.)

If you are actually processing in the cloud, there are certainly issues with availability of service. Processing on a T1 line is different that over a cable modem if your employees have to work from home.

Bottom line, just because it is in the cloud does not automatically make it secure or available after a disaster.

Topic Expert
Scott MacDonald
Title: President/Owner
Company: AlphaMac Resources, Inc.
(President/Owner, AlphaMac Resources, Inc.) |

One other concern, if you rely on the information for the core of your business, and you have your financial statements audited, your auditor may request a SSAE 16 (used to be SAS70) review of the cloud operations.

If you are a public company, the cloud will have to be part of your SOX compliance work.

Topic Expert
Len Green
Title: Performance Improvement Consultant and E..
Company: Haygarth Consulting LLC
LinkedIn Profile
(Performance Improvement Consultant and ERP Strategist, Haygarth Consulting LLC) |

Based on our experiences with both cloud and on-premise software projects, here are some perspectives around risks that you may encounter:

1. Do you have the right (experienced, knowledgeable, available) resources to both evaluate what you need and execute the implementation? If doubtful, consider engaging outsiders who have done this.

2. Don't lose sight of functionality! Can you do what you need to do in all your business processes? To what extent would your cloud app need to integrate with other apps (either also in the cloud or on premise)? If you have not created prioritized requirements, you are at risk of making a poor selection. Integration of processes and data between systems can also be a nightmare if not assessed properly. This is especially important if an existing (non-cloud) app needs to work with the new app.

3. Performance: get clear specs on SLA metrics from the vendor-uptime is not the only service level agreement item to be looking at; test the app for performance (e.g. speed to enter a transaction, upload large volume files or run reports, integration with other apps, etc).

4. Implementation methodology and experience: assess the proposed implementation staff for cloud app experience and project management skills. Some cloud vendors prefer to do almost all the work remotely-are you able to work that way? You'll also need to own the User Acceptance Testing phase; have you managed UAT before?

5. Legal terms: there are a number of key legal issues that differ from an on-premise implementation. Some are noted in earlier posts; one that is key relates to your rights at termination/expiration, e.g. extracting your data before you lose access, another relates to remedies for breach of performance or decrease in SLA metrics or other agreed terms. Again, use experts to look at both business and legal issues if you have not done this before. Remember, you are buying a service, you are NOT acquiring ownership of anything, you are relying on the service provider to take on many things that you and your IT dept used to do.

6. Finally, make sure your users understand they need to take ownership of how to use the application-there's no IT person to hand hold them through reports or queries. If they don't know how to do it, they'll have to call your vendor(s) support line.

Len Green
“An ounce of selection is worth a pound of implementation”

John Krebsbach
Title: Co-Founder
Company: Relify
(Co-Founder, Relify) |

There are many issues from a risk perspective to investigate and address if possible when considering the cloud. Gartner has several good reports on the topic if you can access them. I recently made the call to move my company to NetSuite, and went through a fairly extensive checklist with them, much of which is mentioned above, but also included:

-Who runs the data center? The company you sign up with may not, so there could be a "ghost" 3rd party with access to your data.
-Do they have redundant n+1 backups for all critical systems to ensure availability? Beyond the normal things like data backup and power, think about Internet connectivity; if the data center goes offline, then so do you.
-One element of risk on your side is to evaluate whether you need a backup internet connection. You might have a primary fiber line, but if that gets cut or goes down, how will you get work done? I see companies going with DSL/cable/cellular backup data connection options. Large organizations might get a redundant fiber data line for $$
-Can their customer service reps access your actual account data (e.g. financials, customers, etc.), or are they limited to help people troubleshoot via phone/email?
-Contractually, look out for price escalators and if you negotiate a discount up front, be sure to check whether future purchases get the discount as well or use "then current pricing" - either of those clauses can hurt you later if you're not careful
-Can they terminate your service if there's a billing dispute? You should be able to push back and require that any billing disputes are documented and can be escalated to some form of arbitration before they can just shut down the service and severely impact your business
-Even if they're compelled to do so by law, require them to notify you before a disclosure of any kind about your account or data is made to an appropriate party (e.g. law enforcement, litigation)
-Plan for a way out and know how to extract your data and whether there's a fee to do so
-Be very clear about liability and limits for data breaches. This can quickly get complicated, and you'd be wise to have an attorney help here. Require them to notify you promptly of any "security incidents" as you may be impacted and be required by law to tell anyone affected

Although all of this can sound daunting and scary, and the end of the day, especially in a small company, you have to appreciate that a cloud partner can usually achieve much better security, availability, and backup than you ever could. Plus, with many pay as you consume models, they're attractive partners for businesses with fluctuating workforces and cost drivers (CPU cycles, storage space, etc.)


Products and Companies

Get Free Membership

By signing up, you will receive emails from Proformative regarding Proformative programs, events, community news and activity. You can withdraw your consent at any time. Contact Us.

Business Exchange

Browse the Business Exchange to find information, resources and peer reviews to help you select the right solution for your business.

Learn more

Contribute to Community

If you’re interested in learning more about contributing to your Proformative community, we have many ways for you to get involved. Please email [email protected] to learn more about becoming a speaker or contributing to the blogs/Q&A Forum.