Daily Archives: February 11, 2019

The Storm Clouds Are Still Here!

Twenty years ago, enterprise software was installed on-premise and managed locally. This required organizations with no knowledge of IT or IT management to create IT departments to manage servers and the software services that ran on them. For an organization that didn’t use software in its daily operations — such as a manufacturing organization that used manual production lines, an advertising agency that deals in existential image and not physical product, or a real-estate agency that only has to take listings and take cheques — it was an expensive proposition.

Then came the Application Service Providers, better known as ASPs. Using the power of the internet, these software solution providers built their own data centres and hosted the solution for their customers on dedicated machines in their own data centres. However, this solution was not optimal either, as the organization was not only paying for machines, energy, and administrators to run the software, but also paying for these through a third party that added overhead and markup.

This provided an opportunity for more enterprising software delivery organizations that were able to build their applications to be multi-tenant and host multiple clients on the same platform. This reduced the number of machines, kilowatts, and system administrators that were required and thus reduced the overall operating cost. This allowed this new breed of Software-as-a-Service (SaaS) vendor to take business away from the ASPs and advance the state of the art.

But this wasn’t the end. New enterprising software delivery organizations, who realized that their expertise was software and not data centre management, decided that they could do even better if they designed multi-tenant Software-as-a-Service solutions that could be run on someone else’s platform. This would bring more economies of scale into play, as not only could multiple solutions be run on the same platform, but the platform provider could be replaced by another platform provider with a lower cost at any time. Enter the Cloud, which, like a real cloud, is ephemeral, suspended in space, and, in some cases, full of security holes.

Cloud services are ephemeral, as any specific instantiation of cloud services lasts as long as the company behind it has the means and the desire to continue supporting the cloud services. Cloud services are suspended in space, since the instantiations may move over time as the service owners switch to lower-cost and/or more secure data centres. And the cloud is full of holes. Massive holes that can swallow even multinationals whole. Nothing has improved since the revelations on the PRISM program five years ago, when the EU Parliament called for suspension of the multi-billion ‘Safe-Harbour’ deal over NSA spying, because some cloud providers, either because they don’t have the expertise or won’t spend the money, don’t secure their part of the cloud properly. For example, the recent Marriott hack compromised 500 million accounts. That’s absurd.

As a result, supply chains are continually exposed to additional risks of disruption (if a cloud provider unplugs overnight), security breaches (as some platforms are significantly less secure than others), and privacy risks (as some governments claim the right to all data on servers on their shores that is not associated with citizens or entities of that country or that might pose a security risk under acts like the US Patriot Act).

And most companies choose to remain blissfully unaware of the fact that a relatively significant software-as-a-service provider could go dark overnight or that their major cloud-based ERP or S2P provider could be hacked, exposing all of their trade secret company information, private banking information, and personal employee data, potentially subjecting not only the provider to massive fines but also the companies themselves to lawsuits, wire theft, and additional fines.

In other words, when you are assessing and preparing for your supply chain risks, don’t forget the information chain. It can disappear with the literal flick of a switch.