September 2, 2010  5:45 PM

ITIL books don’t mix with cloud? ‘A massive cop-out,’ ITIL guru says

Linda Tucci


The IT Infrastructure Library (ITIL) books — 30 years in the making and regarded by many as the industry’s bible for managing IT services — do not at first glance seem like such a hot match for cloud computing. Or at least that is what the Internet will tell you when you type in ITIL and cloud and get headlines that skew toward “Are cloud and ITIL like water and oil?” from Federal Computer Week, or “Cloud–The Death of ITIL? Or the Opportunity of a Lifetime?” from a CA Inc. blogger. Mistress Cloud (yes, I picture cloud computing as female) may prove to be the undoing of ITIL.

Rubbish, says David Cannon, co-author of the Service Operation book in ITIL Version 3 and head of the IT Service Management (ITSM) practice at Hewlett-Packard Co.

“Just because you have cloud, does that mean that things are not going to go wrong? And if they do go wrong, what processes are you going to use to fix them? Are you going to call them something different from incident management, from problem management? Do you make changes in cloud? Are you not going to call it change management?” Cannon asked, almost Shylock-like in his indignation.

“This whole thing that ITIL does not apply to the cloud, I believe, is a massive cop-out from the people who are developing cloud solutions to basically get away with less control because this is a new technology,” Cannon said. As for the “built-in controls” of these cloud solutions: “We’ll wait and see on that one,” he said.

Lest you think Cannon has it in for the external cloud providers’ commitment to service management, he is even tougher on internal IT groups conjuring up internal clouds. “Totally irresponsible,” he said, in many of the cases he’s seen. “What they are doing is saying, ‘We don’t know what the users are doing with the service, so we are going to put it out there and the users can do what they like. Whatever you need, guys, you just have to pay for it.'”

Granted, Cannon has a lot of skin in the game. When I spoke to him by phone last week, he was hard at work updating the Service Strategy book for ITIL Version 3.1, due out the middle of next year.

And Cannon is nothing if not passionate about the ITIL framework. In a recent interview for about launching an IT service catalog, he insisted on making certain I understood that the ITIL books document best practices for managing the complex and dynamic business of delivering IT services. They are not a theory nor a standard, nor a detailed how-to. A collection of what actually works — that’s how people should think of ITIL, he said.

But for all his ITIL passion, Cannon is not dogmatic about the ITIL framework. With regard to the cloud, he stressed that the point is not that providers or enterprise CIOs apply the ITIL books to cloud offerings, but that they apply some proven process. External cloud providers who do not have a framework for managing IT services “will go out of business, simple as that,” he added. The brand-new infrastructure many of these cloud solution providers have invested in will work for the short term. Longevity, he argues, will depend on how effectively these businesses can deliver their services and continue to manage customer demand.

Enterprise CIOs who provide internal clouds without implementing proven processes and governance put their companies at business and legal risk, Cannon says. And in some sense, he argues, they are abdicating their responsibility for understanding the business. (He gave the example of a customer who was providing Storage as a Service, assuming the business had policies for archiving, refresh rates, forecasting requirements, budgets and so on.)

The cloud providers skeptical of ITIL are right on one count, Cannon said. ITIL Version 3 — the latest one — does not tell them how to apply ITIL to the cloud. And that is because cloud is new and the ITIL books (returning to his initial point) are based on what has worked, he said. The ITIL framework “is best practice, not a best forecast,” he added. Detailed prescriptions will likely have to wait until ITIL Version 4.

But that is no excuse for not using the ITIL framework, Cannon said. “You can’t tell me there are not enough smart people out there to figure out how to apply incident management to the cloud.”

Rebuttals? Write to me at

September 1, 2010  6:58 PM

VMware luminaries say virtualized environments lead to IT as a Service

Laura Smith

Hall D in San Francisco’s Moscone Center was an electric mecca this week, as tens of thousands of IT professionals gathered to hear VMware Inc. luminaries discuss the future of IT as a Service at the VMworld keynote session. Upbeat music pulsed as the techies took their seats, and three giant screens projected images from a stage so wide that Steve Herrod, VMware’s chief technology officer, used a scooter to get from one side to the other. The slick presentation was theater at its corporate best, replete with relevant props, such as a cubicle warmed by a lava lamp.

This was VMware’s seventh annual shindig, and the statistics ticked off by Rick Jackson, VMware’s chief marketing officer, indicate that virtualization is growing like a popular religion. In 2004, 1,400 people attended the first VMworld conference, and by last year, the number of attendees had risen to 12,500. This year, the Palo Alto, Calif.-based company’s goal was to lure 14,000 attendees, but it was blown away by the registration of 17,000 professionals from 85 countries looking to take advantage of virtualization technologies. And that’s just a fraction of the 195,000 customers worldwide who are engaged with VMware, he said. Customers are banding together in user groups to help each other adopt the technology that will transform their IT initiatives. To date, 50,000 members are involved in VMware user groups across 145 local chapters in 32 countries. This year, the groups inaugurated a board of directors who created a mission statement. Jackson invited attendees to join a local chapter or start a new one.

The theme of this year’s conference was Virtual Roads, Actual Clouds. It’s not about public vs. private, Jackson said: “What people want and need is a hybrid cloud environment.” Last year, VMware built a large private cloud to service its event, but this year, it put its money where its mouth is and built a hybrid cloud using Verizon and Terremark clouds on the East Coast connected via the Internet to a cloud in San Francisco. This platform provisioned 4,000 virtual machines an hour during the conference, for an expected total of 100,000 VMs.

The road to a hybrid cloud is a three-phase journey. In the first phase of virtualization — what VMware calls IT production — customers are averaging savings of 50% to 60% in capital expenditures, according to Jackson. The second phase, referred to as business production, is driven by quality of service with high availability and disaster recovery at a fraction of traditional costs. The average VMware customer is in this phase, he said. The third phase is the optimization of IT production for business consumption, which is the premise of IT as a Service. The goal is to quickly deliver business value. “The value proposition from Phase 3 of the journey significantly dwarfs phases 1 and 2,” Jackson said.

In 2009, IDC reported that the number of applications delivered on virtualized infrastructures exceeded those on physical hosts. “We are at a tipping point in the industry,” said Paul Maritz, VMware president and CEO. The tide is coming whether VMware is there or not, he said, predicting that in 2010, more than 10 million virtualized machines will be deployed, growing at 28% annually. The trend is evident in industries ranging from pharmaceuticals to fashion, and spans the globe from dairy farms in India to large breweries in Eastern Europe, “to Tastykakes in Pennsylvania, which delivers satisfaction on top of a virtualized infrastructure,” Maritz said.

Two notable challenges are the integration of Software as a Service (SaaS) apps and mobile devices that have made their way uninvited into the corporate IT environment. It even happens at VMware: The company is using 15 SaaS apps that do not share single sign-on status. “I didn’t approve a single one of them,” Maritz said. Meanwhile there is an increasing heterogeneity of such devices as iPads that IT will have to support. “Ultimately, IT is going to be left holding the bag. Just as the PC came into the environment uninvited, IT will have to stitch them together in a manageable environment,” he said. What’s needed are automation, management and integrated security to make hybrid clouds a reality. The holy grail of porting data from one cloud to another will depend on faithful, open standards.

August 26, 2010  7:09 PM

IT service catalog planning stage tips

Christina Torode

A large publishing company in the U.K. is introducing a new IT service catalog as part of its plan to turn the current IT chargeback model on its head.

Until this year, the company charged for IT services based on the head count in a given department. With the new IT service catalog, built on ITIL V2 and using a CMDB, a department will be charged for only what it uses.

The impetus behind the catalog is a sweeping decision made in 2010 to cut costs. The catalog will allow users to see just how much a service costs, and what it costs to use it.

According to Paul Hardy, who’s in charge of service and support at the company, the goal is to cut costs companywide by giving the business a true sense of what is actually being spent on IT. If a business unit isn’t using a service, it’s cut.

The IT service catalog being built at Hardy’s company is set to roll out this month, with basic services and equipment available at first, but it will one day include enterprise business services. The company is choosing a staggered approach to test acceptance, and make sure that the IT services in the catalog best represent the needs of the business.

As Hardy is finding out, the planning stage is a critical step when building an IT service catalog — a number of stakeholders are involved in the process from IT and the business.

Forrester analyst Eveline Oehrlich shares a few steps for getting an IT service catalog off the ground:

  • Understand what the goal of a service catalog is (efficiency, reputation, reduced complexity, cost reduction …).
  • Once that is understood, then involve the correct team members. (You need one service catalog manager who has the ability to see the big picture, can coordinate, correlate and communicate).
  • Invite key constituencies who are either business relationship managers or service-level management owners.
  • Evaluate potential or already existing service offerings — review the current state of existing services (IT services and business services).
  • Model them in service families with definitions (if none exist, then this is a workshop with customers to collect data to form service families).

We will be writing about the IT service catalog planning, building and governance stages in an upcoming series of articles on For now, we’d like to hear about your IT service catalog experiences — email me at

August 25, 2010  3:57 PM

WikiLeaks: When IT security threats are leakers, not hackers

Linda Tucci

Last month’s release of the incendiary Afghan War Diary by WikiLeaks raised a lot of national security questions, not the least of which is how a large, complex enterprise anticipates the human element when it builds its IT security solutions. For the White House, which issued a statement strongly condemning the disclosure of the secret documents, the human element in this security breach was not a super-sophisticated computer hacker, but what news reports suggest was a disgruntled employee (or hero, in some eyes). The whistleblowing website says it will release a CIA paper today. How do security experts fix a threat that is more about human psychology than computer programming?

I had the opportunity to interview Paul B. Kurtz on the matter. A former security adviser to President Clinton and President Bush, Kurtz began working on federal security issues two decades ago, focusing initially on weapons of mass destruction. Since 2001, his prime interest has been cybersecurity policy. He is now in private industry. Reaching him by phone at his current home in Abu Dhabi, I asked him whether I was wrong to assume that security tools are better equipped to deal with a hacker than with a leaker. Is there a security system that can guard against someone who is determined to disclose sensitive information? Here is part of his take:

Kurtz: Oh yeah, there is a lot that can be done by coupling policy and technology. The first thing that I think is relevant in the case of WikiLeaks is that you have an individual who has TS-SCI [Top Secret-Sensitive Compartmented Information] clearance and has broad access across the system. He is sitting in Baghdad and yet he is dumping information on Afghanistan — although it does appear he was passing information into WikiLeaks on what was happening in Iraq as well.

So, there are a couple of things that can be done. Are we segregating data the way we should, based upon an individual’s area of responsibility? Here we have a private who is able to access all sorts of data from Afghanistan. That doesn’t mean that nobody should have that type of global access, but you kind of have to scratch your head and ask yourself whether a private should have [the same] kind of access as an intelligence analyst.

If in fact, someone does need access, whether it is a private or a senior official, there are still technologies, in addition to policies, that can enforce that segregation and can create that accountability and tracking system. For example, if the right systems were in place, the private searching data or searching video on Afghanistan, which really has nothing to do with his responsibilities, should be caught by the system. And it wasn’t. There are lots of technologies out there that can assist with this . . . access control, authorization, monitoring. This is out there today.

But, as you said, in a situation like WikiLeaks, we can’t simply rely on technologies. We have to have technologies coupled with policies, and obviously enforcement, in order to protect against [what], in this case, is an insider.

So, what keeps Kurtz up at night?

Kurtz: There are two things that bother me now. One is economic espionage — state-sponsored espionage in particular. Massive amounts of data are being sucked out of government and private-sector systems. Emphasis on the private-sector side. We are like moths to a light on any national security-related incident, but the fact of the matter is, a lot of our very sensitive intellectual property — plans for technology — is being taken out of those systems. That is exceptionally problematic.

But the next wave of attacks that I think we are going to see is a function of the first problem. If you can gain access to data, then you can start to manipulate data. If data is manipulated and you can’t get a true sense of what data is correct or incorrect or corrupted, how do you ultimately get to the bottom of that? That is very troubling.
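Kurtz’s two controls above, segregating data by area of responsibility and tracking accesses so that searches outside a person’s remit are caught, can be shown in a small model. The following Python is an added illustration, not code from the article or from Kurtz; the compartment labels, user names, records and the alert threshold are all constructed for the example. A read is denied outright when the user lacks the compartment clearance; a read that is cleared but outside the user’s assigned region is allowed (the interview allows that some roles need broad access) but is logged and counted, and a user whose out-of-scope reads exceed the threshold is surfaced for review.

```python
"""Scope-based authorization with an audit trail and out-of-scope detection.

Added example (not from the article or from Kurtz). Everything below,
compartment names, regions, users and the threshold, is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Record:
    record_id: str
    compartment: str   # hypothetical compartment label, e.g. "SCI-A"
    region: str        # theatre the record concerns


@dataclass
class User:
    name: str
    clearances: frozenset       # compartments the user may read at all
    responsibility: frozenset   # regions the user's duties actually cover


@dataclass
class AccessMonitor:
    """Authorises each read and keeps an audit trail for later review."""
    audit: list = field(default_factory=list)
    out_of_scope: dict = field(default_factory=lambda: defaultdict(int))
    alert_threshold: int = 3    # constructed value; tune per environment

    def authorize(self, user: User, rec: Record) -> str:
        # Hard rule: no compartment clearance means no access at all.
        if rec.compartment not in user.clearances:
            decision = "DENY"
        # Soft rule: cleared, but the record lies outside the user's
        # area of responsibility. Allowed, but recorded and counted so
        # that a pattern of such reads is caught rather than invisible.
        elif rec.region not in user.responsibility:
            decision = "ALLOW-OUT-OF-SCOPE"
            self.out_of_scope[user.name] += 1
        else:
            decision = "ALLOW"
        # Every decision, allowed or not, lands in the audit trail.
        self.audit.append((user.name, rec.record_id, rec.region, decision))
        return decision

    def alerts(self) -> list:
        """Users whose out-of-scope reads exceed the threshold."""
        return sorted(u for u, n in self.out_of_scope.items()
                      if n > self.alert_threshold)


def run_scenario():
    """Constructed scenario: two users with the same clearance but different
    remits read the same records; only the narrow-remit user trips an alert."""
    records = [Record(f"AFG-{i}", "SCI-A", "Afghanistan") for i in range(4)]
    records += [Record("IRQ-1", "SCI-A", "Iraq"),
                Record("X-1", "SCI-B", "Iraq")]   # compartment neither user holds
    narrow = User("narrow_user", frozenset({"SCI-A"}), frozenset({"Iraq"}))
    broad = User("broad_user", frozenset({"SCI-A"}),
                 frozenset({"Iraq", "Afghanistan"}))
    mon = AccessMonitor()
    decisions = {u.name: [mon.authorize(u, r) for r in records]
                 for u in (narrow, broad)}
    return decisions, mon.alerts(), mon.audit


if __name__ == "__main__":
    decisions, alerts, audit = run_scenario()
    for name, ds in decisions.items():
        print(name, ds)
    print("alerts:", alerts)
```

The point of the soft rule is the one Kurtz makes: the control is not that nobody gets broad access, but that broad access is visible and accounted for, so a narrow role reading widely outside its remit stands out in the audit data instead of going unnoticed.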

August 20, 2010  2:21 PM

The cloud hype cycle will take the industry for a ride

Laura Smith

If you think cloud computing is coming on strong, well, you ain’t seen nothing yet. Analysts at Gartner Inc. predict that worldwide revenue from cloud services will balloon from $58.6 billion in 2009 to $148.8 billion in 2014. Both the speed and scale of enterprise deployments are accelerating, with multi-thousand-seat deals becoming more common, said Ben Pring, research vice president at the Stamford, Conn., firm.

Progressive enterprises are envisioning what their IT operations will look like in a world of increasing cloud service use, which was “highly unusual a year ago,” Pring said. As a result, Gartner is “seeing an explosion of supply-side activity, as technology providers maneuver to exploit the growing commercial opportunity.” There’s no doubt: With a forecast like that, cloud services is clearly a business to be in.

But — and it’s a big but — if we put those numbers on Gartner’s own hype cycle, the industry will soon teeter at the “Peak of Inflated Expectations” (the highest point on Gartner’s hype cycle new-technology adoption curve). And if the model proves true, 2015 looks like it may see a financial slide into the “Trough of Disillusionment” (the lowest point on the curve, directly following the high), perhaps owing to persistent data breaches and the associated financial liability for interruptions in the cloud that prove beyond one’s control.

So, what should an enterprise do if a provider goes down? Sue the provider, advised Robert Parisi, senior vice president and cybermedia product leader for Marsh Inc., an insurance provider in New York. Where lots of experts see grey, he sees black and white: “If you render the service and you fail to render it, and it causes direct physical or financial harm, that’s your responsibility,” he said.

Community clouds are forming to provide more assurances to customers in particular industries — financial and healthcare, mainly, said Tanya Forsheit, founder of the InfoLawGroup in Los Angeles. Perhaps these will populate the “Slope of Enlightenment” (the upswing in the hype cycle curve, following the Trough of Disillusionment), where interest begins to build again as cloud providers “compete to provide better security, privacy and better assumption of liability at a price — of course, at a price,” she said.

Over the course of the next five years, enterprises will drop $112 billion on Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) combined, Gartner estimates. Financial services and manufacturing are leading the spend, followed by communications and high-tech industries. The public sector also is clearly interested in the potential of cloud services, driven by a federal government administration that has all but washed its hands clean of owning data centers.

The trend to cloud adoption can be attributed in part to financial turbulence over the last 18 months, but more fundamentally to the challenges of managing complex, custom, expensive IT solutions in-house, Pring said, “while cloud computing services have matured to become more appropriate and attractive to all types of enterprises.”

However, “many enterprises may be examining cloud computing and cloud services, but are far from convinced that it is appropriate for their requirements,” Pring said. He sees this as an opportunity for traditional outsourcing providers to retool their offerings into utility-based cloud services, while others wonder how the deeper issue of shared liability will be resolved.

Only then will we all be able to relax on the “Plateau of Productivity” (when the technology is mature on the hype cycle).

August 20, 2010  11:17 AM

Social media risks that will make your hair stand on end

Linda Tucci

We’ve all heard about the benefits of using social media in the enterprise: Brands are enhanced, customers engaged, employees connected. But as summer nears its end, let’s gather around the blogfire to recount a few scary stories about social media risks for the enterprise. These come by way of a panel on said topic that I attended at the Catalyst conference in July. (A month ago is a million years in IT reporter time, so I am not going to try to sort out who said what. See Social Media & Enterprise 2.0 Risks for the names of the panelists.)

The point of the panel’s stories was eerily similar: The big advantage and biggest risk of using social media in the enterprise is that the boundaries of the workplace are dissolving.

Boundaries are dissolving, but social media tools do not, as yet, come with flashing red lights to warn people that they are crossing from one territory to the other, from the private to the public domain. What’s so scary about that?

Well, one panelist said, let’s say you frequent a website in your off-hours that you would never interact with while you are at work, and that website company goes bankrupt. It files for Chapter 7 — all its assets sold off in a fire sale. No big deal? In the recent case of a Canadian company that ran a sexually explicit website, the court apparently decided that the names and addresses of its subscribers constituted an asset and were up for sale.

Even savvy social media experts can find themselves in deep digital voodoo. Consider the case of James Andrews, an executive with the global PR firm Ketchum, who was meeting with FedEx, a major client, at the logistics company’s headquarters in Memphis to talk about social media communication. Upon landing, he tweeted that Memphis was one of those places that he’d rather die than have to live in. The tweet was picked up by a FedEx employee and whisked up the command chain of both companies, giving Ketchum a PR headache of its own. (Andrews became notorious in the social media blogosphere as a poster child for what not to tweet, earning his own Wikipedia page.)

Even LinkedIn, seen by many companies as a benign form of communication, poses social media risks. Competitive intelligence groups (aka corporate spies) apparently love scouring the LinkedIn profiles of their competitors’ employees, because they find the recommendations and skills listed are often a treasure map to what those companies are doing internally.

Then there is internal corporate espionage to consider. All the tagging, linking, favoring and so forth that connect entities to entities in a company form a network ripe for analyzing. The map can tell the CEO that Sales really doesn’t talk to Marketing, or that a group in the company that shouldn’t be communicating with another group actually talks to that group quite often. Or who’s really in the inner circle.

We live in an archival society, pointed out one sage panelist. Once upon a time, “dust to dust” had real meaning for all but the most illustrious of lives. Not so anymore. Those of us reading stuff like this are generating a record that almost certainly will haunt us in the near future and will be the ghost of us after we’re gone.

August 13, 2010  12:57 PM

The feds’ identity ecosystem will include national identity cards

Laura Smith

The U.S. government is increasing its efforts to identify, authenticate and authorize people online. This month it’s releasing a draft of a Strategy for Trusted Identities in Cyberspace proposal that includes promoting a “national identity ecosystem,” in which one option will be national identity cards. Legislators are looking the draft over, but the plan is far along — and, some would argue, comes none too soon.

“Cyberspace — the interdependent network of information technology components that underpins many of our communications — is a crucial component of the nation’s critical infrastructure,” the draft states. “The nation faces a host of increasingly sophisticated threats against the personal, sensitive, financial and confidential information of organizations and individuals.” It then delivers sobering numbers: In 2009 the Internet Crime Complaint Center, or IC3, website received 336,655 complaints, up 22.3% from 2008. The total dollar loss from all the cases referred in 2009 was $559.7 million, up from $264.6 million in 2008.

According to the draft strategy, cybercriminals exploit weak identity solutions for individuals, websites, email and the infrastructure that connects to the Internet. And by “weak,” the draft means passwords. This should come as no surprise to CIOs grappling with federated identity and single sign-on for managing identities in their hybrid cloud environments. It will be worth watching the evolution of a national identity ecosystem based on industry standards and backed by a partnership of private and public enterprises. In it, identity would be authenticated in a variety of ways and on various devices. Stay tuned to next week to learn more.

The potential for national identity cards scares the dickens out of regular folks who fear Big Brother and don’t realize what a big problem cybercrime is. The more than 10 million Americans who are victims of identity theft each year can each spend as much as 130 hours reconstructing their identities (credit rating, bank accounts, reputation, for example) following an identity crime, according to the Federal Trade Commission. But the financial risk for businesses and indeed, the national GDP, is alarming — and is heightened by the fact that we lack enough jurisprudence to figure out who is responsible for a business loss caused by a cyber event. That problem is being explored on this week and next.

The aggregation of network infrastructures with open APIs, the greater numbers of businesses using cloud services, the sheer amount of information and the nature of that data — all pose enormous risks, said Drew Bartkiewicz, senior vice president of technology and new media markets for The Hartford Financial Services Group in New York. “You talk about credit card data. . . . That’s so 2000,” he said. “Companies’ forecasts, people’s social reputations — whether they’re part of a gun group or are surfing a dating site when they’re married — all that data is becoming grounds for information malpractice,” he said.

August 12, 2010  5:46 PM

Gartner downgrades 2010 IT spending — what’s in your wallet?

Linda Tucci

Gartner Inc. downgraded its forecast for 2010 IT spending worldwide, and now pegs growth at 2.9% rather than the 4.1% growth it forecast earlier this year. Spending numbers for the U.S. market are even more modest: The revised U.S. number is for an increase of 1.9% in IT spending in 2010, down from Gartner’s previous forecast of 2.9%.

Even those companies that have huge amounts of cash right now are not spending as much as Gartner expected, said Kenneth Brant, research director for Gartner, in a phone call about the report.

“Many are still playing wait and see with spending, and I don’t mean just IT spending but spending across the board,” Brant said. “We’re not seeing the cash on hand turn into hires or capital investment.” That’s not to say companies aren’t making any strategic investments. (Intel Corp.’s strong earnings suggest a PC refresh is coming, he said.) But the refresh likely will be set off by trims elsewhere, with the goal of keeping budgets flat. “That’s more the mood we’re seeing than anyone planning a 6% or 7% increase,” he said.

The uptick in 2010 IT spending, however modest, is still much better than the 5.9% decline in 2009 IT spending, of course. Moreover, the downgrade is not entirely due to an organic decrease in spending, explained Brant, but was due in part to the appreciation of the dollar in 2010 against the euro and other major currencies, which depresses the growth in the industry.

But altogether, the report is more evidence of the economy’s frail state in 2010, and consistent with recent news that the global economy is slowing.

Indeed, the possibility of weaker spending in 2011 is anticipated in the Gartner report, which comes with a warning that technology providers should prepare for zero growth in 2011, as “commercial IT markets stagnate and governments transition to fiscal austerity programs.”

“We keep hearing about consumer confidence,” Brant said. “Until corporate confidence returns, we are going to see very cautious approaches to IT spending in 2010 and 2011.”

The news does not surprise me, given my own conversations with CIOs over the past several weeks about what’s happened with 2010 budgets and what they’re anticipating for 2011. While IT staff cuts seem to be behind most folks, many are telling me that budgets are flat. I would like to hear what your IT spending looks like, as your companies face more economic uncertainty ahead.

Write to me at

August 6, 2010  11:56 AM

What’s data fungibility got to do with delivering business insight?

Linda Tucci

What’s data fungibility have to do with delivering business insight? No, really, I’m asking.

According to Burton Group analyst Lyn Robison, one reason CIOs are struggling to deliver business insight to the business — as opposed to information — is technology’s misguided relationship with data. IT professionals of a certain age, he said, tend to view data as “sawdust,” a byproduct of the processes that information systems so brilliantly automate.

“Many IT professionals still haven’t realized that we actually store this data and can do useful things with it,” said Robison, who presented his views at last week’s Catalyst conference in San Diego.

For process-oriented IT pros, data is an interchangeable commodity, to be shoveled into databases just as oil is pumped into steel barrels — or at best, organized by type like cut lumber in a warehouse, one plank as good as another.

“The real world is filled with unique things that we must uniquely identify, if we are going to capture those aspects of reality that are important to us,” Robison said. To be useful, data needs to be a snapshot of reality. Nonfungible assets, unlike fungible commodities, need to be identified individually. And the IT department needs to manage those identifiers so the business can zero in on the data that matters. Fungibility matters.

So, what’s fungible? Currency, for example, usually is considered fungible. One $5 bill is as good as another. Buildings are nonfungible. Transactions are nonfungible. Customers are nonfungible. When nonfungible assets are treated like fungible commodities, the consequence is “distortion and incomplete information,” Robison said.

A large university Robison worked with recently discovered it was paying costly insurance premiums for five buildings it no longer owned, because its information systems managed the university’s buildings as interchangeable, he said. A Florida utility company paid out millions of dollars to the families of a couple tragically killed by a downed pole’s power line — only to discover afterwards that another entity owned the pole. “The liable entity got off, because the utility poles around that metro area were not uniquely identified,” he said.

It turns out, however, that discerning the difference between fungible commodities and nonfungible assets is not as clear-cut a task as it might appear, Robison conceded. “Defining fungibility is something of an art,” he said. Just like in life, context is everything.

However, the bigger problem in managing data to deliver business insight, according to Robison, is that today’s enterprise systems do not identify nonfungible data assets “beyond silo boundaries.”

“Primary keys are used as identifiers, but are not meant to be used beyond the boundaries of any particular database silo,” he said.
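The silo problem Robison describes is easy to reproduce. The following Python is an added illustration, not code from Robison’s talk or from MODS: two constructed departmental tables each number their buildings from 1, so a join on the local primary key silently pairs the wrong buildings (the university-insuring-buildings-it-no-longer-owns situation), while namespacing each key as (silo, local_key) and mapping it to one canonical asset identifier gives the right answer. The matching rule used to build that mapping (a normalised name) is an assumption standing in for whatever reconciliation process an organisation actually runs.

```python
"""Local primary keys versus a cross-silo asset registry.

Added example, not from the article, Robison's talk or MODS. The two
tables, their keys and the name-based matching rule are all constructed.
"""

# Silo 1 (facilities): which buildings the organisation still owns.
FACILITIES = [
    {"id": 1, "name": "Science Hall", "owned": True},
    {"id": 2, "name": "Old Annex",    "owned": False},   # sold; no longer an asset
]

# Silo 2 (risk): insurance premiums, numbered independently from 1.
RISK = [
    {"id": 1, "name": "Old Annex",    "premium": 12000},  # local id 1 here...
    {"id": 2, "name": "Science Hall", "premium": 30000},  # ...is not id 1 there
]


def unowned_premium_by_local_key():
    """Naive join on the bare primary key: treats FACILITIES.id == RISK.id
    as the same building, which is only true inside one silo."""
    owned = {row["id"]: row["owned"] for row in FACILITIES}
    return sum(r["premium"] for r in RISK if not owned.get(r["id"], True))


def canonical_asset_id(row):
    """Assumed reconciliation rule: normalise the name. In practice this
    step is whatever matching process the organisation agrees on."""
    return "asset:" + row["name"].strip().lower().replace(" ", "-")


def build_registry():
    """Map every namespaced key (silo, local_key) to one canonical asset id.
    Namespacing keeps ('facilities', 1) and ('risk', 1) distinct."""
    registry = {}
    for silo, rows in (("facilities", FACILITIES), ("risk", RISK)):
        for row in rows:
            registry[(silo, row["id"])] = canonical_asset_id(row)
    return registry


def unowned_premium_by_global_id():
    """Join through the registry instead of the local key."""
    reg = build_registry()
    owned = {reg[("facilities", r["id"])]: r["owned"] for r in FACILITIES}
    return sum(r["premium"] for r in RISK
               if not owned.get(reg[("risk", r["id"])], True))


if __name__ == "__main__":
    print("premium on unowned buildings, joined on local key:",
          unowned_premium_by_local_key())     # pairs the wrong buildings
    print("premium on unowned buildings, joined on global id:",
          unowned_premium_by_global_id())     # the Old Annex only
```

The naive join reports the Science Hall premium as wasted spend and misses the Old Annex entirely, because it assumes the integer 1 means the same thing in both silos. Once each key is qualified by its silo and resolved to a canonical identifier, the nonfungible asset is identified once and the same question gives the correct answer.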

After his presentation, I learned that Robison has developed something he calls the methodology for overcoming data silos (MODS), “a groundbreaking project structure for bridging data silos and delivering integrated information from decentralized systems,” according to his recent paper on the topic. You can hear Robison talk about using MODS here. Let me know what you think.

Oh, and how you distinguish between the fungible and the nonfungible.

August 5, 2010  9:41 PM

Enterprise adoption of the public cloud hinges on liability policies

Laura Smith

Of all the potential showstoppers to enterprise adoption of the public cloud — including such well-touted concerns as security, interoperability and portability — liability policies have emerged as the one most likely to derail progress. It doesn’t take an actuarial degree to predict that at some point, the cloud is going to go down — whether for routine service or by malicious intent. The question is, who is responsible for damages?

Because they are designed to serve the masses, large clouds like’s Elastic Compute Cloud, or EC2, have standard service level agreements that may refund businesses for time lost; but that’s pennies compared to the business that could be lost during an outage. Enterprises want to shift some of the financial risk to public cloud providers, but with increasing interest in cloud services, providers have little incentive to change their business models, according to Drue Reeves, director of research for the Burton Group in Midvale, Utah. The issue was brought home by Eli Lilly’s decision last week to walk away from Amazon Web Services (AWS) after its negotiations failed to shift to AWS some accountability for network outages, security breaches and other risks inherent in the cloud. In the article, an AWS spokesperson denied that Eli Lilly was no longer a customer.

At the moment, there isn’t enough jurisprudence to decide who pays for what, Reeves said, so he gathered a panel of lawyers and cyber insurers to comment on what has been deemed the Wild West of computing at the Burton Group’s Catalyst conference in San Diego last week. Heck, Rich Mogull, analyst and CEO of Securosis LLC, a consultancy in Phoenix, even called the public cloud a seedy bar.

“We don’t really have cloud law,” said Tanya Forsheit, founding partner of the Information Law Group in Los Angeles. “It’s going to happen. . . .[S]ome big breach involving a large provider will result in a lawsuit, and we might see principles coming out of that,” she said. Until then, negotiation is the order of the day around liability policies, she added.

Indeed, there have been 1,400 “cyber events” since 2005, according to Drew Bartkiewicz, vice president of cyber and new media liability at The Hartford Financial Services Group, a financial services and insurance company in New York. “If you had an event in 2005, you’re lucky,” he said. “The severity over the last two years is starting to spike. This is an exponentially growing risk.” With so much information flowing around the clouds, supply chains become liability chains, he added. “The question is, who is responsible for information that’s flowing from one cloud to another when a cloud goes down?”

The answer comes down to contracts, and what should be considered a reasonable standard of care, Forsheit said. “Have we reached a point where encryption is the standard?” she asked.

But enterprises aren’t the only ones at risk in the cloud: If the large providers are forced to indemnify businesses, the game will be over, Reeves predicted. The industry needs to figure out how to share the risk in order for the cloud market to mature. “Otherwise, the cloud becomes this limited place where we put noncritical applications and data,” he said. “If we don’t address this issue of liability, we’re stuck.” will be following the issue of liability policies in the cloud. Do you have a story that needs to be told? Contact me at
