Why are organisations cautious about handing data over to Apple’s iCloud?

“This is the cloud the way it should be: automatic and effortless…” So claims Apple on its website. But while iCloud is a fantastic endorsement of the cloud concept and will undoubtedly appeal to the company’s personal consumer market (not least because it is free), is it a viable option for businesses?

iCloud is an ‘effortless’ way to store, access and manage content across all devices – not just Apple devices and iOS but, if we are to believe CEO Steve Jobs, on Windows PCs too. It provides instant access to content on whichever device, at whichever location the user needs it – and it provides automatic synchronisation of content across devices.

In Apple’s own words, ‘iCloud does it all for you’ – a hugely appealing message to personal users, who have access to this at no charge, including 5GB storage.

What about the business user?

The use of iPads and iPhones is commonplace across businesses today and the Apple brand has spread much more widely than its original stronghold in the ‘creative’ industries.

For companies with a mobile work-force, the appeal of the iCloud is evident: instant access to documents, presentations, reports, stock lists, customer information and so on from the iCloud, from whichever iOS device employees happen to be using, together with an automatic synchronization and a backup capability.

And while this capability is initially limited to Apple iWork apps, Apple is giving developers the tools to make their apps work with iCloud too, a move that should greatly extend the appeal to the business user.

Apple’s claim that ‘iCloud does it all for you’ could be an enticing message to small-medium sized businesses. iCloud, just like any ‘cloud’, offers SMEs a way to take advantage of the latest in technology and systems, without having to resource sizeable, specialist IT departments in-house.

The potential downside to this is a possible loss of control over information, exemplified in iCloud by the automatic way it intervenes to synchronise documents and content.

Larger enterprises, with more complex IT landscapes, are justifiably cautious and perceive even greater risks in handing over control of applications and data to third parties. This is not unique to Apple/iCloud, of course, but applies to any cloud vendor.

SaaS, PaaS, and cloud have enabled many companies to lower the cost of their infrastructure and application landscape. But is their data secure? And, can they get at it when they need it? Enterprises need to adopt a ‘best practice’ approach to security and integration for any ‘cloud’ environment.

Some background

In the late 1990s companies aspired to Enterprise Application Integration (EAI), but most implementations were tired old point-to-point fixed interfaces, running in batch on new technology platforms. Then along came Service-Oriented Architecture (SOA), with the promise of new and exciting ways of delivering more IT value.

Unfortunately, most implementations were still tired old point-to-point interfaces to tightly customised commercial, off-the-shelf applications. The data was still in the data centre: integration and security were, at best, an afterthought.

Now the ‘holy grail’ is cloud and ‘Software as a Service’ really is a service in the way SOA promised a decade ago. The problem now is that the information is both on-premise (fixed) and off-premise (unfixed), so point-to-point integration can no longer be the default; and security cannot be assumed to be a function of the enterprise firewall.

Information Security: The Brand Guardian

In all the excitement generated by cloud, enterprises need to be absolutely sure that they retain control over their data. When information security goes bad, the impact is felt on the company’s share price and the brand takes a hit.

With more information being provisioned and consumed in the cloud (stored and retrieved in old money), the risk associated with an information breach has changed and potentially increased. This risk is not necessarily related to the cloud paradigm (although security will vary from vendor to vendor); it is more to do with the way the information is consumed in business transactions.

While cloud initiatives can reduce the cost of the IT estate, there is a real risk that this cost will reappear in the integration or security layers as compliance costs increase or as integration becomes more complex. Worse still, the cost may be felt in delayed time to value, as projects themselves are held up while these issues are addressed.

Integration: The IT Business Enabler

The difficulty is that while secure, data must still be accessible. Integration is the key IT enabler for business, touching and connecting all areas of the business, including customers, suppliers and partners. With more data, functions and operations now being pushed off-premise, it is essential to have a real understanding of how the business information flows. Integration can no longer be an afterthought.

So what are the issues facing enterprises in terms of cloud security and integration?

  • De-centralised security: applications and information are outside the traditional firewall. Information and data accessed by means other than the application user interface must be secure.
  • Unfixed location: the information and data reside in a virtualised environment. The cloud vendor can choose to upgrade and replace physical and virtual machines at will – this is essentially the management burden your company has outsourced.
  • Business process: elements of the business processes that are codified in applications are outside of your control. The SaaS vendor will have exposed only a limited number of standard entry and exit points for data and information: ‘vanilla’ is the preferred flavour. Where you require bespoke touch-points, the cost of integration and process support will increase. Any upstream or downstream dependencies for the ‘end-to-end’ business process must be understood and catered for.
  • Scope of jurisdiction: data residence and data import/export regulations have become more of an issue with the uptake of Business Process Outsourcing (BPO) and cloud computing, particularly with SaaS, where the legislation applied is that of the country of data residence. The location of the SaaS platform may be one thing, but tracking and securing ‘in transit data’ as part of an integrated business process is another. Understanding the business risk of cloud integration is critical.
  • Regulatory compliance: both regulatory and client expectations for PCI, FSA, DPA on the storage and provision of information relating to personal and business data are increasing. Understanding ‘where’ your data is controlled and ‘who’ controls it is a must.
  • Speed and volume: a business uses its data and information in complex and different ways, supported through different integration profiles. Understanding the implication of these profiles (for example, extract-transform-load – ETL, or real/near real-time) is essential to avoid integration bottlenecks. Establishing how high volumes and/or low latency consumption of off-premise data can be achieved through integration patterns is one way of avoiding gridlock.
  • Exit Planning: the flavour of the month is cloud and SaaS, but what if you want or need to bring IT back on-premise? Protecting and understanding the transactional boundaries of business applications and services can help you to avoid long and costly ‘re-integration’ programmes.

Realising the benefits of “cloud”

If the enterprise is to achieve successful integration and security in a cloud environment, the pre-requisites are upfront architecture, design and planning, coupled with strong through-life governance. This is a topic that requires a whole article to itself to do it justice.

The argument for reducing the cost of ownership for any given application or service through cloud is relatively simple, given a focus on both ‘core competence’ and ‘economies of scale’. When any business function, application or service is ‘moved’, however, there will be integration and / or security implications, often resulting in higher cost.

An understanding of the broader implication of cloud and ‘X’aaS, coupled with an enterprise approach, can help to avoid unnecessary cost and risk, as well as ensuring that the expected benefits are realised.

Inevitably, the varying cloud paradigms will need to interact and operate in harmony at all levels. The protection, provision, consumption and synchronisation of content across the personal cloud (iCloud); the private internally hosted cloud; the public cloud (Amazon or Google and eventually the ‘G-Cloud’) should be a matter of concern for individuals, companies and government departments.

To address this paradigm shift and its implications means taking a view of the business area to be affected by cloud or ‘X’aaS and understanding the entry and exit points for business transactions and information flows. This will give a better understanding of security and integration needs.

Security and integration architecture and design should be guided by simple, enterprise-wide principles, unconstrained by the way things are ‘done today’: modular, able to support change, standards-based, consistent and repeatable.

A commitment to these and other basic principles can help to ensure that ‘cloud’, of whatever flavour, is more likely to deliver real benefits to the business while reducing the risks.

Jason Hill is Partner of Glue Reply. He covers strategy and development for the business as well as playing a key part in the growth of Reply in the UK. With 18 years’ experience in enterprise architecture and solution delivery, Jason began his career in IT at the ‘back-end’ of the IT value chain working in manufacturing and industrial environments, often literally on the ‘shop floor’ and at the end of the production line! Having picked up the pieces from several front-end architecture and design flaws, he is now committed to helping organisations drive genuine business value from IT investments and avoiding costly front-end mistakes. Jason has held senior positions within both software development companies and large system integration companies.
