Cloudy thinking
Incidents earlier this year involving Amazon's Elastic Compute Cloud and Sony's PlayStation online gaming platform, both sizeable cloud computing players, raised fears around the stability and security of 'the cloud.'
In late April Amazon's EC2 cloud computing service suffered a service outage that crippled many popular Web sites reliant on the platform. That same week Sony reported computer hackers stole millions of user records, including personally identifiable information (PII) such as credit card details.
'It's a great experiment, isn't it?' quipped Jay Heiser, vice president of research at Gartner. 'It is interesting that Sony can have 100 million user accounts and lose them, but we shouldn't be distracted by this spectacular loss of information on a consumer site.
'We should be more concerned with the practical day-to-day reality of business continuity on business-to-business (commerce) sites.' Heiser believes the Amazon EC2 outage is far more relevant to issues supply chain businesses wrestle with as they address cloud computing.
The EC2 failure's 'root cause was an attempted upgrade that turned sour,' he explained. 'The failure was limited to a single Amazon 'region,' which is consistent with a design that uses logical 'fire breaks' to proactively limit failure scope.
'The more sophisticated and higher paying Amazon customers understood the reliability benefit of utilizing multiple regions, and did not lose service,' he said. 'My understanding is that the incident was consistent with Amazon's service levels. It was unfortunate, but everyone got what they had paid for. While it's conceivable that a failure would affect the entire Amazon system, it's much less likely.'
Data security in the supply chain stands out as the leading criticism of the cloud. Just how safe is the cloud for shippers, carriers and the ecosystem of service providers they support?
'The most advanced cloud supply chain platform providers focus on data security and guarantee levels of performance and security that internal IT shops would be hard pressed to match,' said Greg Johnsen, executive vice president and co-founder of GT Nexus. 'They must provide this level of data and systems security to ensure that companies collaborating in supply networks can see and act on just the data they are authorized to access.'
'Huge stores of data are being targeted,' Heiser noted. Clearly the supply chain, inherently a collaborative business, generates a lot of data. But for B2B supply chain operators this data is not very sexy for the everyday cyber thief.
'It's not liquid in the way that the criminal underground would need it to be,' he said. 'This criminal underground can immediately turn around PII and sell it. I don't see supply chain as representing huge targets of interest.'
Instead, he said the security threat to the cloud supply chain could come from within the community. 'Online transactions raise the potential for industrial espionage.'
'Supply chains are rich with product and performance information that if breached could compromise the competitiveness, or the brand equity, or the customer trust that companies have worked so hard to create,' Johnsen said.
Concern about data security 'will be around information related to customers,' said Chris Jones, executive vice president of software and services for Descartes Systems Group. 'Information tied to things like volumes. They don't want competitors to know what volumes they run by lane, what prices they pay, etc.'
'Customers want to make sure their competitors don't know their configuration,' he said. 'A customer may say they have a way of running a piece of business that they believe is a competitive advantage and they want to shield that.'
The biggest risk users should be aware of when operating in the cloud, Heiser said, is availability of the system ' simply put, the percentage of time the systems are functioning correctly. The Amazon incident shows a service outage can be disruptive or even deadly.
'More money will be lost because of availability issues than is lost due to hacking attacks,' he said.
'Any time the service is mission critical that puts a priority on making sure it's reliable,' he added. 'The IT failure can be tantamount to a loss of supply.'
'If you're not running,' Jones said, 'they're not
shipping.'
Shippers looking to protect themselves from security breaches or services outages in the cloud must do their homework, particularly when it comes to vendors.
'Picking the right vendor is the single-biggest way to ensure you'll be secure,' Johnsen said.
'Review the track record and competence of your service provider to make sure they can deliver the level of security you need,' he said. 'The best cloud providers will do security better than the vast majority of companies could ever hope to do on their own.'
Heiser suggested shippers look at their preparedness as well. 'What's your contingency plan? There are many instances where falling back on pencil-and-paper-based methods are acceptable for some period of time. Don't lose the ability to do that in the worst case.'
Despite moving to the cloud, save data for a rainy day ' with redundant or alternate systems. 'It's a shame when someone steals your data, but it can be fatal if you have no copy of your data. Don't allow any single provider to be the only storage place for critical information. Keep copies in a format you can access elsewhere,' Heiser said.
Other aspects to address with a vendor are how are they testing to know if systems are up, and how quickly can they identify a problem, Jones said. 'It's also key to understand what strategies the provider has in place when they do have disruptions. When something happens what's your ability to turn that situation around?'
The debate about cloud security and reliability overlooks the fact that security and reliability assessments are all relative to the current level of success. How secure and reliable are the supply chains that have not embraced the cloud?
'Companies still rely on highly insecure information exchange methods that have been around for years such as faxes, e-mails, paper documents to communicate purchase commitments, status updates, service agreements, trade documents, invoices,' Johnsen said.
'Cloud-based information-sharing models are not just the only way that collaboration can be achieved in a scalable way; they offer far better security than the traditional methods many companies rely on today,' he said.
'It's an area of burgeoning best practices,' Heiser said. 'We're just this year seeing the introduction of standards around cloud computing. It's certainly going to make life easier in the coming years.'
