IT Responsibility Evolution
Over the last few years, there has been a lot said about our responsibilities regarding the cloud, security, data sovereignty and availability. When we talk about these topics, we find we naturally are bias to prioritise one over the other, myself included. All our points of view are correct from our perspective and priorities. The internet and the cloud have again changed the way we consume IT services. So, what does this mean to our data centres with their large redundant formats?
Some of us will remember thin clients and terminals that connected to a central mainframe or central servers in a central location. Moving forward the next major evolution was the Wintel (Windows running on Intel PCs) personal computers with IPX and IP networks. This allowed us to distribute the workload to end-user devices and create a far more engaging user experience, with the data centre being geo-located. The internet has allowed the model again to switch to a server and client design (based in Data Centres) and the web browser has become King. But who owns these Data Centres, and are they providing free services, paid public cloud or private cloud?
Cloud Services The cloud is great for a number of reasons; however, it mostly boils down to cost and separation of responsibilities (refer site and diagram below). The public cloud aims to provide the cheapest possible option but may not provide the protection and features you require. Your private cloud can be hosted directly by you or by a third-party provider on your behalf, and generally it has more options but at a higher cost. Are you looking at a Hyper Converged solution or a full on-premise public cloud solution from Amazon (AWS Outposts), Microsoft (Azure Stack) or Google (GKE On-Prem)?
[Reference: https://docs.microsoft.com/en-au/archive/blogs/kevinremde/saas-paas-and-iaas-oh-my-cloudy-april-part-3]Security With technology workloads shifting we are now often left with more than one location that we need to secure or protect. If you are using a truly free cloud service like email or social media; free generally means your data is what they are selling. Paid public clouds initially offer basic security but with some additional paid options giving you the ability to increase security options. Lastly there is also the use of 3rd party solutions. These are often more complete products but can lead to a more complex overall solution.
Data Sovereignty With the initial rush to the cloud, many people overlooked where their data was being stored. The power of the cloud means that their data can be moved without your knowledge or impact to availability. This is great until you realise that you may suddenly open yourself up to regulatory or legal implications. With the recent increase in cloud computing requirements due to COVID-19, providers were stretched to the max and had to redistribute workloads to meet demand. When monitoring a client, we quickly noticed that logins to an internal database were coming from overseas. When our client questioned their hosting provider, it admitted to shifting the client’s data overseas to keep up with demand. The problem for our client was even though they had specified an Australian location, the data was hosted overseas and that meant they were now in breach of their legislative requirements.
Availability Availability depends on individual business needs, so businesses need to make determinations about the criticality of their systems and services. Can the business afford an IT outage due to; equipment or system failure, environmental, political or security impacts (phishing, ransomware or direct hacking)? As we move our systems to a more shared model of services (through either multiple locations or providers) our risk of security increases as well. Leading to the “what happens when something does fail” and what does this mean to the company, do you have a BCP (Business Continuity Plan)? What are you doing to back up your systems and processes?
Responsibilities and Risk Management Just as we saw the development of the CFO role in the 1970’s we are now watching the creation of the CIO role as businesses are recognizing a common language of risk.
- What happens when / if my “cloud” goes down?
- What happens if my data is leaked online?
- What happens when my SAAS platform is updated and it changes or removes functionality?
Risk management is what drives business and something non-IT people understand. With Australia’s introduction of the Notifiable Data Breaches (NDB) scheme, in February 2018 company directors now also have direct legal responsibilities.
Just as company directors now have a responsibility to understand what IT is implementing and changing, IT also has the responsibility to continue to grow beyond just simple IT services and support. They are now integral to the infrastructure and performance of organisations today. Every small change can have a big impact on an organisation. What is the cost to the business if a change ends in 100 users being unable to work for 1 hour? Or the change puts the company in breach of legislation?
So, what does mean to the evolution of IT? IT is no longer a single entity that belongs in the basement. It encompasses multiple locations over multiple mediums. It is a fast-moving disruptive beast; however, it is an integral part of an organisation’s daily operations. How we manage technology and engage with the rest of the business and the wider world is what is needed for us to be successful.
REFERENCES:
[https://mdlaw.com.au/article/non-compliance-privacy-act-breach-directors-duty/]
https://www.actiac.org/system/files/IT%20Management%20Maturity%20Model%202.pdf