Cloud Computing Benefits and Risks

Cloud computing promises to deliver a new, modern, 21st-century IT infrastructure for your business. Before investing heavily in this technology, you need to make sure that you fully understand cloud computing benefits and risks so that you can reap the most gain while avoiding unintended consequences.

Cloud Computing Benefits

People cite a number of benefits associate with cloud computing, but almost all of them can be grouped into two fundamental categories:

  1. Agility
  2. Cost


Prior to cloud computing, the provisioning of new computing resources could take days, weeks, or even months. Enterprises were reluctant to tie up capital by buying equipment in advance of a demonstrated need. But cloud computing has changed that thinking. As described in our cloud computing tutorial, users can now access computing resources using an on-demand, self-service interface, as demanded by the business. This allows applications to rapidly scale up and down in response to external business forces, rather than the needs of IT procurement. The result is a computing environment that more rapidly tracks the needs of business users, allowing them to better exploit transient market opportunities. Sometimes, people will say that cloud computing enables “rapid provisioning,” or “automated provisioning,” or “fast time to market.” Each of these benefits falls into the “agility” category.


There is a lot of debate in the IT industry about whether cloud computing has a positive or negative impact on IT cost structures. The topic deserves a longer treatment that we can give it here; Leverhawk will be publishing more in-depth articles on cloud computing economics in the future. The short answer is that it depends on the characteristics of your specific applications (scale, duty cycle, and cpu/disk/network consumption), whether you’re targeting a public or private cloud, and what your overall consumption rate does. In some cases, cloud computing can be a huge win; in other cases, not so much. That’s not necessarily a problem, however. Even when cloud computing fails to lower costs substantially, it rarely raises costs substantially (for the same number of workloads) and many enterprises are happy to gain business agility, even if costs stay roughly the same or increase slightly.

Cloud Computing Risks

While cloud computing has many benefits, it also comes with a set of risks. The goal here is to make you aware of potential issues so that you can manage them proactively before and during the shift to cloud computing. The three highest priority risks you’ll want to keep in front of you are:

  1. Security
  2. Lock-in and Data Portability
  3. Reliability


Survey after survey report that fear of security incidents is the greatest concern standing between enterprises and large-scale cloud computing adoption. Note that I said that fear of security incidents is the greatest concern, not that actual security incidents are more widespread in the cloud. While it’s true that security is a risk with cloud computing, it’s also a risk with traditional computing environments. Moving to the cloud will alter the threat profile and may force you to rethink your security response process, but it neither absolves you from having such a process nor makes it substantially worse. The CTO of a large Wall Street bank once said to me, “People who tell me we shouldn’t move to the cloud because of potential security issues don’t have a clue how many issues we have in our current infrastructure. The fact is, we’d likely improve our security posture in the cloud.” The main issue you’ll need to think through is how you’ll coordinate with one or more service providers if you’re using public clouds. Plan for that up front. Security events are inevitable and you don’t want to be reworking your process on the fly in the heat of a crisis. Finally, you’ll want to use security criteria as part of your cloud provider selection, and you want to test and re-test your provider’s capabilities over time. In a nutshell, security in the cloud is a real threat, but no more so than security was before. Face the threat head-on, soberly, as you would have in the past.

Lock-in and Data Portability

Diamonds might have been forever for James Bond, but IT infrastructure and systems change every five to ten years. The cloud certainly won’t alter this dynamic. Even if your selection process is rigorous and you choose the best provider given what you know, the market is competitive and today’s winner will inevitably be tomorrow’s loser. This means you should spend some time up-front thinking about what you’ll do in a few years when you want to switch things. Ask your potential service providers how they deal with data export issues. This is particularly the case with SaaS applications, where the only portability might be of the raw data itself. A few good questions to ask are:

  1. What’s the process for extracting data? Do you simply download over the network, or does the provider have an option to send you a hard drive if the data set is large? Remember that you might be extracting years worth of data.
  2. Will you have access to database schema and technical documentation? Think about a sophisticated SaaS CRM or accounting system. The best you’re ever going to get is a database dump. Even if they gave you that, however, could you make sense of it and all the data relationships without the schema documentation? Probably not. And without those data relationships, the data is significantly less valuable to you, even if you can salvage some of it.
  3. Does the provider have an escrow plan in case of financial insolvency? If the worst case comes to pass and the provider goes bankrupt, how would you extract your data and what rights do you have in your contract? The last thing you want is to get caught up in a bankruptcy squabble between the company and its creditors with your data held hostage in the middle. It’s going to be rough enough being forced to migrate at a time-not-of-your-choosing, so at least make sure you can get rapid access to your data.

All that said, the best you can do is try to plan for the future. Some amount of “lock in” is inevitable; if nothing else, the switching costs associated with data migration will favor staying with the current provider if at all possible. But as much as you can reduce those switching costs, the better off you’ll be in the future. At a minimum, you’ll have more negotiating power.


One of the biggest myths surrounding cloud computing is that “the cloud” never fails. Alas, the past few years have seen some large, high-profile cloud computing failures reported in the press. The causes have varied:

  • Software bugs
  • Equipment misconfigurations
  • Lightning strikes causing power disruptions

Whatever the reasons, you can expect future disruptions as well, so you better plan for them. Make sure you discuss the reliability and uptime statistics for each of your potential providers:

  1. The first question to ask is for yourself: What availability do you need for the applications associated with your business? The answer will probably vary, application by application. Some will be business critical and need something like “five nines” (99.999%) availability, whereas others might be able to suffer with large stretches of downtime, particularly on nights and weekends. The main takeaway here is that you’ll probably have different targets for different apps. Don’t fall victim to sloppy thinking that decides that every application in your business requires five-nines availability — some do, most won’t.
  2. What availability targets does the provider engineer for? Availability is a game of exponentially increasing costs for diminishing returns. It’s relatively inexpensive to engineer for two-nines availability (99%), but very expensive to engineer for five-nines (99.999%). You need to understand the engineering target your provider is going for and then compare that to the price they are charging. If they don’t look right, you should ask a lot of questions.
  3. What availability have they actually hit? If your provider doesn’t know, you should probably walk away right then. It means there isn’t any measurement happening, which means they don’t understand how to run a service.
  4. Do they consider planned downtime as downtime? You might be surprised that many service providers don’t consider planned downtime against their service availability goals. Thus, as long as they tell you they’re going to take your order entry system down at noon, two days before the end of the quarter, they can still claim to hit five-nines or even 100% availability goals. But from your standpoint a disruption occurred. Make sure you understand what is or isn’t considered downtime.
  5. What’s the process for notification of planned downtime and for status updates about unplanned downtime? Are you proactively notified, or do they just post information on a web page? How much lead time do they give you before a scheduled outage? How often do they update status during an unplanned outage?
  6. What’s the process for root-cause analysis? Downtime is unavoidable, but the service provider should be committed to making the service more and more reliable over time. One tool to help that happen is to conduct thorough root-cause, post-mortem analysis. It’s even better if they commit to sharing that analysis with customers in a transparent way.

You should not expect perfection from any service provider, but you should expect professionalism.


Before shifting your business to the cloud, it’s important for you to understand cloud computing benefits and risks. You’ll need to make sure you’re structuring your cloud environment to deliver the biggest return, while minimizing the risks.

Speak Your Mind