Much well-deserved attention has been given recently to “Big Data” and “Utility Computing” as transformational technology developments.
However, the recent data breaches at Sony and Epsilon have now exposed personally identifiable information from hundreds of millions of consumers. Billion-dollar brands have been defaced, which makes it necessary to understand the drivers of risk in “Big Data” and “Utility Computing.”
Were these breaches due to budget-scarce, conflict-averse corporate IT? Or are they the result of inherent risks in “Big Data” and “Utility Computing?”
That the worst breach in history occurred at a media and marketing-centric company like Sony rather than a technology company like EMC might seem to support the “blame corporate IT” response. But Epsilon poses a challenge to this explanation. Founded in 1996, Epsilon can be thought of as one of the original “cloud computing” service providers. They send over 40 billion e-mails annually on behalf of 2200 clients. This is a very highly scalable model in which technology should be central. Clearly size and smarts didn’t keep Epsilon from failing at security.
What are cloud computing providers and purchasers to do?
First off, it’s important to recognize the advantages of cloud computing done well:
Major cloud computing providers combine two scalable inputs, hardware and talent, in ways that corporations big or small can’t match. Talent is particularly hard to match because the most talented engineers will naturally want to work on the most scalable problems in the least bureaucratic environments. This ups the premium that a large company, like Chase, will need to pay to attract competitive talent and thus increases the necessity of running more services “in the cloud.”
Secondly, cloud computing providers enable businesses to do more by doing less. The failure of Lehman Brothers, and the abject failure of executives to see it coming, helps illustrate the fact that managerial attention suffers from huge “diseconomies of scale.” As businesses get more complex, they increasingly need “Big Data in the Cloud” to do two valuable jobs: enhance visibility, giving executives a “sixth sense,” while removing the burden of executing the complex work to make it happen.
With that said, achieving economies of scale without jeopardizing brands requires cloud computing companies and clients to have a frank conversation about a few key factors:
- How stable is the underlying technology? Utilities are only as stable and dependable as the technologies which underlie them. Anyone evaluating Epsilon as a provider should have been worried to discover that not a single technology executive sits on their Executive Steering Committee.
- How important is the asset you are outsourcing? This is a Catch-22. On the one hand, a business cannot sustainably outsource the key drivers of its competitive advantage. If you could do that then, axiomatically, so could competitors and you would have no advantage left. On the other hand, the practice of outsourcing “non-core” assets begs the question of how much you care about the stewardship of those assets. It’s up to a company’s CEO and Board to make decisions about what is really “core” but the reality is that many outsourcing decisions are made locally without this kind of thinking.
- What is the impact of a catastrophic failure? To evaluate the risks of a complex system, it’s important to isolate whether a failure will take down the entire system or just a component of it. How you choose to share data with a cloud services provider has a lot to do with mitigating or intensifying the costs of failure. For example, companies that outsourced their entire customer lists to Epsilon must be kicking themselves when they realize that only a small fraction of customers are e-mailed on any given day. If they had only shared data with Epsilon on a “need to know” basis through something like a RESTful API, they might have limited the impact of the breach to simply the number of customers they e-mail in a day rather than in a lifetime.
- How much is actually budgeted for security services specific to your install? Many clients expect their cloud service providers to implement security as part of the overall application “stack” and cloud services marketing plays along by insisting that security shouldn’t be a worry. But these data breaches clearly show that it should be. Expecting to get optimal security for a low, monthly, bundled price is a bit like hoping that your landlord will bundle optimal security into your office cost per sq. ft. Price and security are competing objectives where price is the feature that gets you business and which a client notices monthly, while security is the one that they rarely notice. Clients need to recognize this and work with cloud service providers to create custom, client-specific security procedures and audits that are budgeted independent of the core product.
- Do you know how Big Data improves customer satisfaction? Customers seem to care very little about privacy under normal circumstances, but they care a lot about it when something goes wrong. Many companies have responded to this by seeking ways to educate customers about how their data is used. While this isn’t a bad idea, I think the approach is likely to fall upon deaf ears. The better approach is to audit uses of customer data to ensure that they are “on brand” and being used for customers’ own benefit. When disaster strikes, companies like Amazon and Netflix will be better positioned to recover because customers already believe that they have derived great benefit from their use of Big Data. But companies like Bank of America may be a bit hard pressed to explain how the end customer benefited from BofA saving a couple of million bucks by outsourcing an e-mail list to Epsilon…
- Can a “Big Data” service provider steal your customers? It’s important not to narrowly concentrate on security risk. Sharing your data also provides others with the ability to analyze and use it to better serve your customers. In most cases, the service provider has a shared interest in selling this insight back to you on fair terms, but they may also sell it to your competitors. Chances are that some of their personnel will be hired by competitors in the future for that very purpose. Management consulting firms have lived with this dynamic for decades. Clients hire them and provide secrets, knowing that secrets will be closely guarded. Yet, they also hire these firms precisely because they have worked for their competitors and can provide “best practices” examples… in other words, code for Other People’s Processes. A high degree of trust and interaction between consulting firms and their clients helps assuage fear, but cloud computing providers have thus far avoided having to invest in consultative relationships in the same way.
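
The “need to know” sharing model from the catastrophic-failure item above, as an added example that is not part of the original post: the client keeps the customer list and releases only the day's recipients, with only the fields a send needs. `RecipientBroker`, the field names, the daily cap and the sample data are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample data: a 1,000-row customer list; 1 in 10 is mailed weekly.
CUSTOMERS = [
    {"id": i, "email": f"user{i}@example.com", "first_name": f"User{i}",
     "postal_code": "00000", "segment": "weekly" if i % 10 == 0 else "dormant"}
    for i in range(1, 1001)
]
ALLOWED_FIELDS = ("email", "first_name")  # assumption: all a send needs


@dataclass
class RecipientBroker:
    """Hypothetical client-side gate the provider calls once per campaign."""
    customers: list
    daily_cap: int  # most distinct customers released per day
    disclosed: dict = field(default_factory=dict)  # date -> set of ids

    def recipients_for(self, segment: str, day: date) -> list:
        seen = self.disclosed.setdefault(day, set())
        batch = [c for c in self.customers if c["segment"] == segment]
        new_ids = {c["id"] for c in batch} - seen
        # Refuse the whole request rather than leak a partial batch.
        if len(seen) + len(new_ids) > self.daily_cap:
            raise PermissionError("daily disclosure cap exceeded")
        seen |= new_ids
        # Field minimisation: postal_code and id never leave the client.
        return [{k: c[k] for k in ALLOWED_FIELDS} for c in batch]

    def exposed_on(self, day: date) -> int:
        """Records at the provider if it discards each batch after sending."""
        return len(self.disclosed.get(day, set()))

    def exposed_ever(self) -> int:
        """Worst case: the provider kept every batch it was handed."""
        return len(set().union(*self.disclosed.values()))


def bulk_upload_exposure(customers: list) -> int:
    """Records at the provider when the full list is uploaded up front."""
    return len(customers)


if __name__ == "__main__":
    broker = RecipientBroker(CUSTOMERS, daily_cap=150)
    sent = broker.recipients_for("weekly", date(2011, 4, 1))
    print(len(sent), broker.exposed_on(date(2011, 4, 1)),
          bulk_upload_exposure(CUSTOMERS))
```

The per-day figure only holds if the provider actually discards each batch after sending; `exposed_ever` is the number to plan around when retention cannot be audited.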
My suggestion to clients would be to talk with your cloud computing vendors and ask for specific consulting investments and points-of-contact which ensure that people you can trust have a genuine stake in your success. If you’re going to ask them to take stewardship over part of your business, then you need to know who you can hold accountable and feel confident that the right incentives are in place for a win-win partnership.
