Outsourcing Cannot Remove Risks
Ironic that this item appeared yesterday. This past Friday, I presented "Agility, the Cloud, and Accountability: What you can't know can kill you" as part of the Trenton Computer Festival Professional Conference (presentation at http://www.rlgsc.com/trentoncomputerfestival/2011/agility-the-cloud-accountability.html).
The basis of that presentation was that moving anything (e.g., tasks, processing, storage) to "the Cloud" cannot remove risk; it can only redistribute it. It is also very clear that a "redistribution" can seem to make risk disappear by obscuring it from view. However, in a manner reminiscent of multiple financial crises, it merely moves risk "off balance sheet". It does not destroy the risk. Moving to professional management should reduce the risk, but the risk is never eliminated.
In "Why Settle on a Hosting Provider? Bandwidth liquidity and other issues", the May 12, 2010 posting to my blog, Ruminations, I noted that providers are vulnerable to resource liquidity crises. Hosting providers who offer "unlimited" usage plans are clearly vulnerable to liquidity crises, runs on resources similar to bank runs, when more than the expected demand occurs. This is nothing new. Bank runs are legend, as are congestion crises on utility networks during surge periods (e.g., Mother's Day [telephone], water systems [Super Bowl Sunday in the US]).
Employee malfeasance at a provider has similar risks. Automating processes so that a single individual can run massive infrastructure also increases the risk that a mis-operation (deliberate or accidental) will have system-wide implications.
RAID presents a similar hazard. RAID is a solution to drive failures, not a solution to software errors. A RAID array will dutifully copy incorrect data to all copies.
Risks can only be ameliorated by carefully implementing overlapping protections. There are no "magic bullets".