I'm guessing that this blog's title is going to generate a really high hit rate compared to my other blog postings. Some of you are probably reading this hoping for a clever (politically incorrect) punch line to the question I pose. And another group of you (colleagues, mostly) are hoping to read the scandal blog before it (and I) get censured. I know the first group is going to be disappointed and I sure hope the second group is, too!
So let me get right to answering my question: Why is running a public cloud like prostitution? Well it isn't. There's nothing there. As a service provider, you have nothing to fear. At least, you hope so. At least, that's what the folks who run Craig's List thought. If you search through the Internet (I'll leave this exercise to the reader) you'll find that several months ago the Craig's List folks got into trouble because along with all the postings for free baby cribs, cheap horse manure and reasonably priced collectable beanie babies, a number of their users were selling, well, themselves.
As a cloud service provider you probably won't have to worry about that exact scenario, but you do need to think about what customers are doing and how that affects you and your reputation. And the great thing is that if you take a holistic approach when building out the automation and compliance processes, this "best practice" solution provides three benefits. First, you’ll generate efficiencies (and therefore greater profits) for your company. Second, you’ll go a long way towards protecting your reputation as a service provider. And, third, you'll be in a position to provide huge value-add that customers will be willing to pay premiums for. In fact, that level of provable compliance may be the key factor in whether a customer chooses your public cloud service as an option.
One particular example where implementing a cloud offering that holistically blends automation with compliance results in a win-win scenario for you and your customers is compliance with the Payment Card Industry (PCI) Data Security Standard (DSS). PCI DSS is intended to protect payment cardholder data (think credit card data) and covers all aspects of how cardholder data is stored, processed, or transmitted. While enterprise customers may have developed sound approaches to meeting PCI compliance standards in more traditional computing models, once everything gets virtualized and dynamically assigned, it's a lot more complicated. Trying to figure out how to stay compliant in a cloud environment can be very daunting to enterprise customers. Service providers that offer potential customers this kind of compliance across the dynamically allocated environment are offering customers a huge benefit, and it's a compelling differentiator.
Taking a holistic approach and incorporating compliance into your architecture and offerings should be a fundamental part of your business plan. Make it a differentiator and a reason to lower potential customers' concerns about what might be appropriate to move to a public cloud environment.
While maintaining environments that meet compliance regulations is an attractive benefit to customers, so is the resulting lowered auditing overhead that this could represent for them. A recent ComputerWorld Resources article titled "Top 5 IT Budget Killers" listed storage expansion as #1, hardware sprawl as #3, and compliance as #5. Imagine how compelling that would be to enterprise customers, particularly smaller IT organizations where trying to keep up with all the compliance requirements can be overwhelming.
There are two downsides to not baking in good compliance practices and offerings in your cloud environment. First, your customers' compliance auditing requirements are surely going to expand into your environment, so you'll be participating in their auditing practices, anyway. You can participate efficiently or you can do it the hard way. The second implication is unwanted press if one of your customers isn't quite up to compliance requirements. Do you want to run the risk that some of your other customers will get nervous about your ability to provide a safe computing environment? "What else hasn't come to light?" they’ll be thinking. Is this incident indicative of other problems? Why isn't this service provider making sure I don't hurt myself? See my previous blog titled "Public Clouds and the Darwin Awards" for my thoughts on that.
Oh, and just a reminder. If you email me your credit card number, expiration date and credit card security code, I'll happily agree to, well ...