Chapter 10

Social Collaboration in the Cloud

In This Chapter

Distinguishing between cloud and application hosting

Knowing the advantages of a cloud solution

Meeting the needs of your organization

Understanding contract negotiation

Some of the most prominent social collaboration tools were born in the cloud, meaning they are offered as software as a service (SaaS), delivered over the web, rather than software you download or get shipped to you on a stack of CDs in a box. For example, no one besides Yammer runs its own server for social collaboration on Yammer: You get it as a cloud service or not at all.

Some products originally marketed as traditional enterprise software, such as Jive and IBM Connections, are also available in cloud editions and various other forms of application hosting.

In many ways, social collaboration is a perfect match for the cloud — an inherently web-based experience that needs to be available to employees at home or on the road, as well as in the office. Cloud products also tend to have a cost advantage derived from the extreme economies of scale achieved by cloud data centers. In this chapter, I tell you about the advantages of cloud solutions and help you decide whether they’re right for your organization.

Cloud computing is still new enough that many traditional organizations distrust it or have legal and regulatory reasons to worry that it’s unsuitable for business collaboration. I have some advice for overcoming that distrust and making it work for your organization.

Before you select a cloud platform, you should also understand what kind of leverage you have (and don’t have) when you’re negotiating a contract with a service provider. I tell you about that in this chapter as well.

Playing in the Cloud

The reinvention of business collaboration is driven at least as much by the rise of cloud computing and software as service products as it is by social media.

By definition, cloud software products are provided as Internet services rather than software for businesses to set up on their own servers. Companies like Salesforce.com have proven that important applications, such as tracking sales leads and coordinating sales activities, can be provided through a web browser. The point is not necessarily that the app is web-based, and not every web application should be labeled a cloud application. Cloud services sometimes have their own desktop PC clients and often reach mobile devices such as phones and tablets using apps rather than a mobile browser.

Rather than being defined by the user interface, a cloud application is one that you can sign up for online and begin using immediately (or very nearly so) and scale quickly by buying more capacity from the service provider. The customer isn’t responsible for buying, renting, or administering a specific Internet server, and may in fact be getting services from several servers working in tandem. Instead of worrying about (or having tight control over) the back-end configuration details, the customer pays for access to the application and lets the service provider worry about the details. (This is also known as software as a service, or SaaS.) The cloud service provider, in turn, is supposed to provide more than enough capacity to accommodate new customers or new requirements from existing customers at a moment’s notice.

In addition to software as a service applications, cloud computing includes more basic services like storage and web hosting from organizations like Rackspace and Amazon Web Services (a division of the online retailer Amazon.com). These provide large pools of raw compute capacity and network bandwidth that they can make available to their customers on demand.

Many collaboration technology startups now deliver their own subscription-based applications on a foundation provided by Amazon Web Services or one of its competitors, making it easy for them to scale quickly as demand for their applications grows. These infrastructure as a service cloud players provide very good (although not perfect) reliability. They also make it easier to deliver a service that can be available with good performance, from anywhere, because they operate multiple data centers around the globe.

This makes them a good match for collaboration apps, which are often fielded partly to support telecommuters and employees who spend a lot of time on the road, as well as workers who need to collaborate across geographically dispersed company locations.

In this section, I touch on some of the benefits of cloud computing and help you decide whether cloud computing may be a good fit for your organization.

Recognizing the innovation taking place in cloud computing

The advantages of the cloud are significant enough that leading social collaboration products like Yammer are available only as cloud services. You can’t purchase a copy of the Yammer software and set it up on your own server or servers, not for any amount of money.

Yammer keeps its cost down by simplifying its operations, keeping the servers that run its software as identical as possible, all running the same version of the same software so they can be cloned as necessary to support the expansion of its user base. When Microsoft acquired Yammer in 2012, it was quick to assure the world that Yammer would be allowed to continue to maintain its singular focus on cloud-based software delivery.

One of Yammer’s longtime rivals, Jive Software, started on the traditional enterprise software model of selling software, supporting on-premises installation of that software, selling periodic upgrades, and distributing bug fixes and software patches as necessary.

When Jive announces a new version of its software, many of its customers take a wait-and-see attitude before deciding that the upgrade is worth the money. This means that Jive must support multiple versions of its software that are currently in active use. Even some customers for whom Jive hosts the software on their behalf want it to run on dedicated servers and be updated only on a schedule of their choosing. There are legitimate reasons why large organizations insist on maintaining tight control of the software they run, but as a consequence, both Jive and its customers have higher operational costs. Also, improvements to the software are slower to trickle down to the end users of Jive’s software. As of this writing, the current version is Jive 6, but many customers I talk to are running a 4.x or 5.x version.

Jive argues that it offers customers more freedom by offering both cloud and on-premises software options. At the same time, Jive is moving toward the cloud model. Although not all its customers will be convinced to switch, Jive is encouraging new ones (particularly midsize companies and teams within larger ones) to sign up for its cloud version. Jive has also begun to introduce new features in the cloud first, using the cloud as a proving ground for innovations that will later make it into the installed version of its software.

Still, many organizational leaders prefer on-premises installation of separate instances of their collaboration software on their own equipment or dedicated servers in web-hosting centers. Among other things, this allows them to upgrade on their own schedules, not at the whims of a cloud service provider. Cloud services are also commonly viewed as less secure, although there is an argument to be made that a cloud service can invest far more in information security than most organizations can themselves.

Regulatory requirements can render cloud computing a nonstarter, particularly in fields like healthcare and financial services. If you do business in a heavily regulated field, make sure that any social collaboration solution you choose complies with those regulations.

Even when an organization opts for on-premises social collaboration, employee expectations for the capabilities that business systems ought to offer are increasingly set by cloud services. When organizations fail to provide an adequate corporate solution, employees often resort to using unsanctioned consumer apps for their information sharing needs.

Making collaboration services available from anywhere

Employees increasingly expect collaboration services to follow them wherever they go and be available on whatever device they have handy, much like their Facebook and Gmail accounts. Wherever they go, access shouldn’t require more than a username and password, plus an Internet connection. The unacceptable alternative (in most organizations) would be containing a social collaboration server within the corporate firewall and requiring users to access it with virtual private network (VPN) software.

Because cloud collaboration services aren’t inside anyone’s firewall, they have to be capable of protecting themselves. As a reward for going “naked” on the Internet, they can reach users at work, at home, or wherever they travel.

Web-based applications are available to anyone in the world with an Internet connection, but to be effective for global companies and business travelers, those services should be available from multiple data centers around the world. Having a copy of the software and related web assets available from a nearby server means higher performance because signals don’t have to travel as far between you and the sever handling your request.

Just because a service provider uses the word “cloud” frequently in its marketing materials doesn’t mean that it has this quality of geographic distribution. Even cloud products that run on top of Amazon Web Services may be available only from a single data center because they haven’t paid for capacity from several of them.

Providing private cloud alternatives if public cloud is unacceptable

Cloud-crazy vendors who allow on-premises deployment often talk about a private cloud alternative to public cloud access to their software.

Private cloud is something of an oxymoron because it means that your software is running behind a firewall, or perhaps within a segment of a cloud provider’s infrastructure that is walled off from the rest. Vendors may describe any software that can be hosted onsite as running in a private cloud. The more legitimate use of the term refers to an internal company software infrastructure that mimics some of the characteristics of the public cloud, often using virtualization software to make it easier to partition and clone instances of software and simplify the operating environment.

Whatever the terminology, organizations that implement social collaboration but choose to do so internally should seek to duplicate the advantages of cloud software, even as they hope to preserve more security and control.

One sensible compromise, offered by VMware’s Socialcast division (among others), is an appliance-based model where the software runs on a virtualized application image that mirrors the functionality of the cloud version and gets regular software updates. This means the onsite software installation gets bug fixes and software improvements on approximately the same schedule as the cloud version, but all corporate data is contained within the corporate firewall.

Distinguishing between Cloud and Application Hosting

Cloud providers like Amazon Web Services provide storage and raw computing power on a metered basis. SaaS providers typically charge per user, per month on subscription contracts.

To understand the technology term cloud, you first have to understand how traditional applications are hosted. There are a few distinct types of application hosting:

Dedicated hosting: The service provider hosts the application on a server (or set of servers) owned by the provider but reserved for the exclusive use of one customer.

Cloud: You purchase a subscription entitling you to access the application rather than buying the software and installing it on your own equipment. All the IT details of keeping servers and databases running and performing well are off in the cloud — someone else’s responsibility. This also means you as the customer don’t control how the servers and databases that support the application are configured.

Cloud services are typically multitenant, meaning that servers and databases are shared among multiple customers. This allows the service provider to use server resources more efficiently and keep its subscription price low.

Private cloud: IT people use the term private cloud to refer to corporate data center resources and applications hosted in a cloud-like fashion, using virtualization technologies. Organizations pursuing a private cloud strategy aim to achieve some of the flexibility and cost advantages associated with cloud computing, without giving up corporate control.

Some cloud-based social collaboration services, including Socialcast and Socialtext, specifically market a private cloud version of their services: a virtualized image of their software that can be loaded into a private cloud environment. This means the data derived from collaboration activities is stored on servers controlled by the enterprise, which is important to some organizations. Meanwhile, because virtualization abstracts away some of the details of servers and operating systems, the cloud providers avoid some of the support headaches associated with traditional enterprise software.

This chapter is primarily about social collaboration in the public cloud. As far as I’m concerned, that’s the real cloud, so I refer to it as just the cloud instead of the public cloud.

Other forms of application hosting and outsourcing are not cloud services in the same sense. For many years, Jive has provided managed application hosting services to some of its customers. The difference is that the software runs on dedicated servers, and the customer still decides when (or whether) to upgrade to a new version. The customer is still in control of how the application is configured but outsources the routine tasks of server maintenance. These customers continue to treat Jive as a traditional enterprise software product and have more freedom to customize it than they would get from a cloud provider.

Assessing the Advantages of the Cloud

Most traditional software vendors have adapted to some version of the cloud business model by now, offering customers a choice of software or SaaS. The advantage of choosing a product that is available in either mode is you can start in the cloud and later switch to an on-premises version of the software, and vice versa.

For all the concerns they may raise, cloud applications have distinct advantages over on-premises applications.

Reducing the burden on your IT department

The cloud shifts IT’s role from maintenance to integration and innovation. With social collaboration in the cloud, IT personnel don’t have to worry about racking and stacking servers or provisioning more storage as users share files. A cloud provider may also be able to provide storage and network resources more cost effectively than the internal IT organization can on its own.

---

---

So what’s left for IT to do? In some organizations, it may be an IT person who administers the service: not in the hands-on fashion of administering internal IT resources but through the cloud application’s web-based administration console. Even if the administration function is designed to be self-service, IT personnel may be better equipped to know what check boxes to mark and what settings to tweak. Someone from IT or the web development team may also be in charge of whatever customization is allowed to the branding and appearance of the cloud service. I tell you more about IT’s role in the “Addressing Concerns about Cloud Services” section.

Taking advantage of continuous improvements

Cloud software products get better day by day, with more major upgrades arriving several times a year. When a cloud product gets an upgrade, every user gets access to the new features at approximately the same time. If the software developers introduce a bug fix, the bug is fixed immediately for all customers. However, that’s not how things work with enterprise software.

With the exception of bug fixes and patches made available for download, enterprise software products typically aren’t updated more often than once per year. Then, after a major upgrade is released, it may be several months to a year — or more — before users see the version. First, the IT organization needs to decide to buy the upgrade and win corporate approval for the purchase. Then, there may be months of testing to ensure that any customizations applied to the software or the underlying database will continue to function following the upgrade.

Often, enterprise software installations lag behind, maybe for budgetary reasons or because customers don’t want to go through the hassle of upgrading. It’s not unusual to find customers running, say, 4.x versions of the software a year after the release of the 6.0 version.

Reaching out to telecommuters and traveling employees

Cloud applications can be particularly convenient for employees who work from home or while on the road, delivering the best web and mobile app experience to workers anywhere in the world. Some cloud applications can be accessed from multiple data centers around the world, reducing transmission latency for those traveling internationally.

Although a web application hosted in a corporate data center may be accessible from anywhere, it would be unlikely to match the performance optimizations that a cloud vendor can provide.

Automating account provisioning

Jive introduced the first real cloud version of its social collaboration product in mid-2012, partly to enable a streamlined 30-day free trial sales model that would allow it to reach small to midsize customers. Instead of having to manually provision trial accounts for new customers, now it allowed them to sign up online.

True cloud services can be purchased online and activated within a few minutes, usually requiring nothing more than a few clicks on a signup form. Payment is typically by credit card, but in the case of freemium and free trial offers, a card number may not be required up front.

Appreciating the Advantages of Cloud-Only Products

Many startup cloud software products are available only in the cloud. For the cloud service provider, focusing on one mode of delivery clearly simplifies things. The advantages of that choice also trickle down to customers.

Delivering continual innovation

Cloud-only vendors tend to move faster. They can operate more like web developers working on consumer services like Facebook, which sometimes displays unannounced new features to some fraction of its user base just to see how users react. Yammer has been known to experiment first on its nonpaying users. This also means Yammer can respond quickly to match popular new features that crop up on Facebook or in competing social collaboration tools.

Upgrades can be released on whatever schedule they are ready to go live. They may be packaged and released on something like a quarterly schedule, but that’s more for marketing reasons than technical requirements.

Focusing on a single version of software

Pure cloud service providers have the advantage of not needing to worry about an installed base of customers who may require support on multiple versions of the software released in past years. They can run their software on exactly the hardware, operating system, database, and network configuration their engineers believe to be optimal.

In addition to simplifying operations within the cloud data center, this almost completely eliminates finger pointing between infrastructure hardware and software providers. If something is wrong with the application, it’s the cloud provider’s job to fix it. You just need to keep your users on a current web browser and keep their Internet connections working.

Upgrading difficulties become a thing of the past

Cloud application access also eliminates the traditional challenges of upgrading on-premises software, where the process may be significantly different depending on which version is currently installed, and what database, database version, OS and its version, and user customizations are in place. The process of porting content from the database structure of one version of on-premises software to the structure of the next may be a process that takes months of futzing around and testing the results on a staging server.

If a cloud application provider decides that the database structure must change to speed a critical query, it takes charge of porting any existing content to that new format. If the operator does its job right, the end user need never know anything changed.

Avoiding the Pitfalls of Free

At larger organizations, many of the stories about freemium social collaboration start with an ad hoc implementation of the technology, without the blessing of corporate IT. Yammer requires nothing more than a work e-mail address to initiate the creation of a social network associated with that e-mail domain. Subsequent users who sign up with an e-mail from that domain are assigned to the same collaboration network. Many other social software players have adopted exactly the same model.

What is absent from this scheme is any form of corporate administrative control, which is something IT administrators often find disturbing. Even though Yammer isn’t invading the corporate network and pilfering information, IT sees it luring employees to collaborate and share company information on an unsanctioned service.

At least in past years, pre-Microsoft acquisition, some IT people who objected to this practice found it difficult to shut down employee accounts on Yammer. In the absence of a contract, Yammer treats those accounts as the assets of a bunch of individual users who happen to share an e-mail domain — that is, as personal rather than corporate property. Yammer’s terms and conditions for free accounts state that they will be converted into corporate property as soon as the owner of the e-mail domain becomes a paying customer, which (of course) is the resolution Yammer is hoping for.

The way to shut down employee accounts without paying is to have your company lawyer send Yammer a stern letter referencing the Digital Millennium Copyright Act — the same tool movie studios use to get bootleg videos removed from YouTube — to argue the accounts should be deleted because they contain corporate intellectual property, posted to the service without permission.

Otherwise, the only provision Yammer provides for deactivating free accounts is a “challenge” mechanism that for example can be used to turn off the accounts of former employees. Any member of a free Yammer network can challenge any other member, at which point that person must respond to an e-mail prompt to reactivate the account. Assuming the company has removed the e-mail account of the former employee, that message will never be received.

All this proves is that free does not necessarily mean easy or simple. Other modes of free carry their own complications.

A 30-day free trial of Jive’s cloud edition is meant to last just long enough that some pilot project team will be able to show practical results, leading to a more formal adoption of the product. One drawback is that 30 days may not be enough for a realistic assessment of the software (although Jive can point to its share of success stories). Also, if the trial generates productive activity but you decide not to sign with Jive, you may find yourself scrambling on Day 29 to download valuable content and conversations.

Embracing ad hoc efforts, where possible

Social collaboration doesn’t always start as a centrally planned initiative, managed by the IT department, like a traditional software roll-out. Cloud services, particularly those offered on a freemium model, make it easy for any project team anywhere within the company to sign up and start collaborating right away, inviting co-workers as they go. Yammer is famous for enlisting hundreds of thousands of employees this way before an IT department knows it’s happening, even when the use of outside cloud services may go against company policy.

So then what happens? What should happen? In some cases, there may be no choice but to shut down this activity. Perhaps for regulatory reasons, social collaboration in the cloud is unacceptable. Maybe IT blocks access to the cloud service’s domain at the firewall and the demands that the service purge any company content from its servers. If that’s really the way it has to be, so be it. Even if it’s necessary to slap a few hands for violation of policy, though, give the rogue operation credit for trying to innovate.

In general, I recommend taking a serious look at embracing what network is already working. For every organization that violently rejects Yammer, a few will sign up to become paying customers, turning it into an official corporate solution. Many others will tolerate a cloud collaboration service that’s either free or paid for departmental or project use — note that I said tolerate it — but not embrace it to be offered company-wide.

I don’t mean this as a commercial for Yammer, which happens to be the most prominent example of a social collaboration tool that often takes root this way. Plenty of organizations I talk to have piloted multiple social collaboration solutions before picking one, and often Yammer is in the mix even if it was never an official pilot. Sometimes they decide Yammer is a good fit for their needs and an easy choice because it’s already enjoying use. Other times, organizations decide that Yammer doesn’t meet long-term needs and it goes by the wayside of another platform instead.

The same sorts of decisions may have to be made about other cloud services or collaboration applications built on an open source software product like Drupal, where that’s not the corporate standard.

Before you decide to embrace the rogue solution or shut it down, do a little fact-finding. Is it really working? Are the employees participating in the collaboration network finding it to be a good fit for their needs? Or are they chafing at its limitations? If it doesn’t meet your corporate requirements for security, administrative control, or integration, is there an upgrade path to a version that fills those gaps?

If the powers that be rule an ad hoc or unsanctioned collaboration community must be shut down, at least try to learn something from it first. What collaboration scenarios were most popular on the platform? What communities were active there, and what can you do to provide them with a soft landing on the official corporate platform for social collaboration? To what extent is it possible to port over content from one environment to the other, while preserving as much of the context as possible?

---

---

Recognize the risk that whatever collaborative activity was flourishing may not survive being transplanted to a new environment. You can mitigate the risk by recognizing the value of the experiment and those who participated in it. Ask for their help making the new, officially sanctioned social collaboration platform a success. If you can get them on your side, broader success will be more likely.

Weighing Simplicity Versus Control

A key selling point for any cloud service is simplicity. The cloud provider’s operations may be very complicated behind the scenes, and no doubt they are. You don’t care. You just enter your password and go to work. No one on your payroll needs to worry about setting up or backing up servers to support these applications or fixing them when they break.

However, if you want the simplicity, you must compromise absolute control, including control of these items:

Limited choices: Cloud operators are focused on achieving very high scale at low cost, and one way they accomplish that is by making their services as standardized as possible. For a cloud collaboration service, that typically means offering one version of the software (or at most, two or three editions), with only the configuration options offered through a web-based administration screen.

Can you change the background color and add your logo? Sure. Can you modify the source code of the software for the sake of integrating with a legacy app? No way. Can you dictate the database will be Oracle and the server processor will be from Intel? No, you’re not supposed to care about any of that as long as it works.

Data storage: Cloud computing also means storing business data outside the corporate network, which some companies find scary.

Big companies have been outsourcing data center operations for years, but the contractual arrangements and the control IT had over the configuration and management of systems is much different in a traditional outsourcing or managed service arrangement. Those outsourced data centers can be treated more like an extension of the corporate network.

Cloud startups tend to want to operate more like consumer services, such as Google or Facebook. Cloud divisions of traditional IT services businesses like IBM may be a little more accommodating, but they too must seek to simplify their operations as much as possible if they want to be price competitive with other cloud services.

Addressing Concerns about Cloud Services

Although the advantages of cloud services are real, that doesn’t mean that the worries are all imaginary. After you get past the myths of how wonderful (or how scary) cloud computing is, you can start to focus on the reality.

For social collaboration, one of the things this means is deciding whether the cloud service can be trusted to host important business conversations, documents, and project planning tools. What would happen if a competitor got access to those resources? You don’t want to find out. You should make sure the solution you choose provides at least the same level of security you would expect from e-mail, making it safe to share routine business discussions. If there are some sorts of information you do not want to trust to the cloud platform — for example, if contract negotiations are ruled out of bounds — you will have to address those issues with corporate policy.

You should also investigate how the cloud platform integrates with other applications, including on-premises applications, to make sure you will not be creating an island of collaboration isolated from the rest of your business.

Understanding key security practices

Application security deserves some extra scrutiny. There are several dimensions to the security of a web application:

Protection of data in transit: This usually involves using the same encrypted version of the web’s HTTP protocol used for consumer credit card transactions. Your browser displays a closed padlock icon when this is active, assuring that data you send to the web server cannot be intercepted — at least not easily.

Protection of data at rest: Measures are taken to protect your data in whatever form it is stored in the cloud data center. For maximum security, data can be stored as well as transmitted in an encrypted format so that only an authorized user can decode it.

Authentication security for identifying authorized users: This measure includes minimum standards for passwords and the security of password reset mechanisms that can be subject to abuse by hackers.

Data center security: This includes building access control, limits on physical access to cloud servers, and process controls governing the behavior of server and storage administrators.

In the next section, I give you some advice for reviewing a service provider’s security practices. If you’re not completely comfortable at the end of your review of the cloud provider’s security measures, you may approve the application for some routine business but rule sensitive topics out of bounds. For example, you may dictate that legal and personnel matters should be discussed through other channels but that social collaboration on sales and marketing topics is acceptable.

The need to restrict the types of activity allowed in the cloud also can indicate that your organization would be better off hosting its own collaboration software.

Trusting but verifying service provider security and reliability

During U.S. President Ronald Reagan’s negotiations with Soviet President Mikhail Gorbachev, his approach to their arms control agreement was based on a Russian proverb: Doveryai, no proveryai. In English, that translates to Trust, but verify.

Some conservative corporate IT and information security managers have just about the same watchful attitude toward cloud operators. That is, if they’re going to trust their data to the cloud, they want to see independent evidence that it will be safe there. How you approach this depends, to some extent, on the size, cloud, and attitude of your business.

Aggressive, paranoid standard bearers: These firms want to peer through the cloud, get a tour of the operator’s data center, and see an independent security audit of the facility’s processes and procedures. Cloud providers are typically reluctant to provide this access, but they’ve been known to bend when courting large or high-profile “trophy” customers. Usually, only the largest customers can afford to invest the time and effort required for that kind of detailed review of a cloud operation, anyway.

These are also the firms that push harder for Service Level Agreement contracts with guarantees of performance tied to penalties if the SLAs are not met.

The followers: Many large and midsize firms watch what the larger, higher-profile ones are doing, figuring that any cloud operation they sign up with is probably trustworthy. They may also consider such benchmarks as a SAS 70 Type II audit of processes and controls for reassurance about the reliability of a provider.

  Gut instinct believers: For small businesses (and perhaps most businesses) the security and reliability of the application services available through a reputable cloud provider are likely to be better than what they can provide on their own. Cloud services are big targets for hackers, so they staff security professionals with the skills to prevent and detect security breaches. Cloud services are expected to operate 24 hours a day, 365 days a year, so they carefully optimize their software configurations and data center operations for maximum reliability, with contingency plans for what to do when something goes wrong.

When a cloud service fails or is breached, it’s news, partly because it doesn’t happen that often. As with the safety record of commercial airplanes versus passenger cars, cloud services are safer on average, but when they fail, they can fail spectacularly.

I’m generalizing here, which is dangerous, but I believe this assertion is true of the level of cloud service you can expect from Yammer, for example, operating with Microsoft backing.

Cloud application startups often buy data center and network capacity from Amazon, inheriting some of its cloud computing competence. However, that doesn’t necessarily mean that their apps are as resilient as some of the rhetoric about the wonders of cloud computing would lead you to expect. For example, Amazon suffered a rippling failure across the servers in its East Coast data center, and the social media marketing app HootSuite was offline for most of a day and recovered only by sacrificing some customer data that hadn’t been backed up. Although Amazon operates multiple data centers around the world, HootSuite had not arranged for replication between them. And Some startups may not have even the technical backing of Amazon.

Any service that can provide instant activation over the web can represent itself as a cloud service even though it could be running on a rusty server under someone’s desk. If you’re going to try something brand new, there will be more Trust, but verify required.

Integrating existing resources

The most technically sophisticated aspects of working with cloud services are related to integration, particularly integration with on-premises resources such as a corporate directory server. Most cloud collaboration products, including those hosted in the cloud, offer some sort of integration or synchronization with Microsoft Active Directory (AD), which is the most widely used repository of network account information for corporate employees. Particularly in large organizations, it’s important to have an automated way of activating new accounts on the collaboration network when employees join the organization and deactivating them when employees leave.

IT personnel may also play a role in integrating other applications with the collaboration network, or even creating custom applications that integrate with it in some way.

Complying with regulations

Industry regulation can complicate or even prohibit the use of social collaboration in the cloud. Consider the U.S. Health Insurance Portability and Accountability Act (HIPAA) and its provisions for patient privacy. Even though patient records per se probably wouldn’t be stored in the collaboration system, any conversation between healthcare professionals about a patient’s health can be considered patient data. That means for it to be stored anywhere outside of a healthcare facility, it would have to be encrypted, not just in transit but on the server hard drive or other storage system.

If a cloud collaboration service does not meet these requirements, that doesn’t necessarily mean you can’t use it at all, only that you can’t use it for certain business functions or types of data. A hospital may use a cloud service in the marketing department, but not for use by physicians or nurses, at least not when discussing specific patients.

The European Union’s Data Protection Directive also complicates the use of cloud services because it discourages the storage of personally identifying information outside of Europe. European firms tend to be particularly leery of storing data in the United States, worrying that it can be subject to access by law enforcement under the USA PATRIOT Act. If the cloud service has data center operators in Europe, European firms may be able to negotiate terms that their data will be stored only there.

Achieving integration across a firewall

By definition, cloud collaboration services operate outside corporate firewalls. When the data or documents employees most want to collaborate on remain inside a firewall, that presents a potential problem. If a copy of the data is placed on the cloud service and the data happens to be sensitive, you have a security breach. Alternatively, if a collaborator posts a link to the location of that resource inside the corporate network, home office and traveling workers can’t access it unless they log in via virtual private networking (VPN) software. Not impossible, but awkward.

Some of the more interesting scenarios for using social collaboration in conjunction with other business applications also become more complicated if the collaboration service is in the cloud but the target applications are on the private network.

A cloud enthusiast’s answer may be to move more and more applications to the cloud until traversing the firewall becomes a nonissue. Another strategy is to use an integration appliance, such as Dell Boomi, designed specifically to bridge cloud and on-premises applications.

Negotiating a Better Contract

Cloud application providers prefer to do business on a click-through contract model borrowed from consumer websites. When you sign up for an account and mark the check box saying that you agree to the terms and conditions, that’s the beginning and the end of the contract.

In general, cloud providers offer their services on a take it or leave it basis, and most small-to-midsize businesses will accept the standard terms, perhaps with a minor amendment. Often, it’s that or walk away.

However, negotiations are sometimes possible. A survey for the Cloud Industry Forum of 450 senior information technology and business decision makers in enterprises, small- and medium-sized businesses, and public sector organizations, published in early 2011 found that 52 percent of the organizations making use of cloud services had negotiated the terms of these services, and 45 percent stated they had no opportunity to negotiate.

According to a Stanford Technology Law Review article, based on research by the Queen Mary University of London’s Cloud Legal Project, the top six issues cloud customers tried to negotiate were:

1. Exclusion or limitation of liability and remedies, particularly regarding data integrity and disaster recovery.

2. Service levels, including availability.

3. Security and privacy, particularly regulatory issues under the European Union Data Protection Directive.

4. Avoiding lock-in and security contract termination rights, including the return of data after termination.

5. Limiting providers’ ability to change service features unilaterally.

6. Protecting intellectual property rights.

The #1 concern on this list is also the one cloud providers were least willing to compromise on, saying they cannot accept liability for outages or data loss. According to the authors, “providers state liability is non-negotiable, and ‘everyone else accepts it.’ Even large users had difficulty getting providers to accept any monetary liability, with one global user stating that generally it ‘had to lump it,’ and another saying, ‘they won’t move.’ Refusal to accept any liability was cited as a ‘deal breaker’ by several users.”

European users can sometimes secure an agreement that their data will be stored within the region although some users complain that verifying the physical location of cloud data is all but impossible.

Negotiation is a power struggle, where the relative size and clout of the participants determine how willing each side is to move. Unless you think you can get the upper hand, it may not be worth the effort.