Does it Pay to Move to the Cloud? Or Back?

Most organizations that decide to move workloads to the cloud are missing a crucial piece of information: What it costs to run the system on-premise. In a viral blog post, David Heinemeier Hansson shared his specific calculations for Basecamp and HEY. Moving back from the cloud makes perfect business sense for him. Of course, your calculation will be different, but unless you know what it costs to run on-premise, you are comparing an uncertain cloud cost with a completely unknown on-premise cost.

As a CIO, you are expected to make sound business decisions. You can only do that if you have both numbers.

Cloud Means Aomeone Else is in Control

Cloud services mean you are at the mercy of someone else. It is bad enough that hackers broke into Western Digital’s My Cloud service and encrypted their customer’s data. But many private customers are now learning what it means to use WD’s cloud-based login service. It means that even though your data is stored on your own NAS device in your own basement, you still cannot get at it when WD is down.

If you are using any cloud-based login service in your organization, ask your CISO how people would log in and access ressources if that service is down.

You Don’t Have to Move Just Because You’re Ready

I was worried when I saw Denmark ranked no. 4 in “The Global Cloud Ecosystem Index 2022.” I was afraid that we had somehow stumbled into the cloud trap without my noticing. But it turns out the index is not about actual cloud adoption, only cloud readiness.

Being ready for the cloud means having affordable, fast internet connections, digital public services, data protection regulations, and a well-educated workforce. I’m all for that.

But the fact that we can doesn’t mean we should. Just like the fact that you could move some of your services to the cloud is not an argument for doing it. There are some systems where there is a sound business case for moving to the cloud. But for most existing systems, attempting to move to the cloud destroys value.

There are Many Reasons Not to Move to the Cloud

You don’t save anything by moving to the cloud. Ask around – how many of the organizations you know who moved to the cloud have reduced operations headcount? Some things are simpler in the cloud, but many others are more complicated.

You enforce some good security practices because there is no way to NOT install the latest security patches. And you can quickly spin up an extra testing environment.

But unless you really have a highly variable load, or you are starting something new where you don’t have a clue how much power you’ll need, the cheapest option is to buy some hardware and put it in your server room.

The next time one of the vendors tells you how much you save by moving to the cloud, take a really good look at the calculation. I’ll be happy to help you. You will likely find out that there isn’t a business case for moving.

Do You Still Need an IT Department?

Is it time to get rid of the IT department? Some people advocate that IT should be fully distributed in individual business units. Dr. Joe Peppard argued this case, and I just read his reply in the Wall Street Journal to the various objections he received.

I find the binary “IT department yes/no” discussion to be a useless polemic. Every organization has some mix of central and decentralized IT. The question is whether each IT capability is correctly placed.

Systems of record make up the foundation of your business and do not provide a competitive advantage. That’s things like email, accounting, and HR. Those fit well in a centralized IT function. You want to focus on reliability, and you don’t want each department or country running its own accounting or email server.

Systems of engagement that provide you with competitive advantage need to be closer to the business and the customers and move faster. That requires a different mindset with more risk-taking. That’s why these systems are often a poor fit in centralized IT. But letting each department roam free means you end up with a dozen incompatible cloud services without synergy.

Conundrums like this cannot be solved at the organizational level where they occur. Because the choice pits the agenda of the CIO/CTO against the CFO, CMO, and CSO, the final arbiter has to be the CEO. He or she is impervious to technical arguments. If you are a CIO or CTO, you owe it to your organization to be able to speak the language of the CEO.

Cloud Services Leak Your Data

Big Brother is watching what you write. Chinese users working on the local equivalent of Google Docs discovered that there are some things you can’t write. An author was locked out of the novel she was writing, with the system telling her that she was trying to access “sensitive content.” It didn’t matter that she wrote herself.

Of course, Google would never lock you out of your Docs or Sheets. And they claim they don’t look at your documents to sell you ads, though plenty of users report spooky coincidences. The default setting in Microsoft producs is to enable “Connected Experiences.” That means your content is being sent to Microsoft servers for analysis. Microsoft claims no human looks at it.

Do you have guidelines and technical measures in place to prevent sensitive data leaking out of your organization through cloud services?

Are You Still Building Things That Don’t Scale Automatically?

There is no excuse for a modern system to be slow. I’m at a 5,000-people conference this week, and their official networking app is totally overloaded and almost unresponsive.

You might still have legacy systems with scalability issues, but everything you build today should be cloud-native. As a first-class citizen of the cloud, a modern app has access to automatic scaling, monitoring, robustness, and many other features.

Ask the architects building new systems in your organization about how the application will scale. If the answer is that it will scale automatically, good. If the answer is that somebody has to notice response time increasing and manually do anything, you are still building to the old paradigm.

Convenience vs Security

The convenience of Microsoft Azure come with some serious problems. It seemed like a good idea at the time to store your cloud service credentials in your on-premise identity management solution. With Microsoft Active Directory and Microsoft Azure, you got exactly that convenience.

The only problem is that when hackers get into your on-premise system, they own your cloud instances too. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about SolarWinds hackers using privilege escalation to gain access to the Microsoft Active Directory Federated Services (ADFS) and then producing OAuth tokens to move laterally to your cloud instances.

The SolarWinds hack shows that having intruders in your system is the new normal. You need to compartmentalize access, and storing all your access rights in one central place is a very dangerous convenience.

Future IT Leaders

The future IT leaders are coming from the cloud business. Jeff Bezos just announced he is stepping down as CEO, and the new CEO is Andy Jassy, who was running their cloud business. That business is a small part of Amazon’s turnover, but more than half their profits. At Microsoft, Satya Nadella was running Azure before he became CEO of Microsoft.

The next CIO in your organization is also going to be someone with experience running successful cloud-based solutions. And if you are an IT leader and looking to move up to larger things, you will need some cloud successes under your belt, too.

Just be aware that your career doesn’t just need cloud, it needs cloud solutions that provide significant business benefits without loss of flexibility. It is easy to rack up large cloud bills without anything to show for it, or to get locked into an inflexible cloud solutions. It is not easy to create successful cloud solutions. That’s why those who can will get ahead.