Process management and the cloud: Challenges and risks

When it comes to doing BPM in the cloud, business and IT managers must address many of the same questions about security, cost and integration that come with any cloud computing application. But at the same time, cloud-based BPM comes with particular challenges of its own.

Nobody knows that better than John Cowles, director of operational efficiency at Clayton Holdings, a Shelton, Conn.-based financial services company. While Clayton Holdings has always had some BPM applications in the cloud, the decision to go that route came only after a vetting process and consideration of on-premises and “build-it-ourselves” models.

Cowles says his company’s decisions about BPM in the cloud ultimately came down to questions about cost and risk. Based on his evaluations, it would cost 80% less to invest in a Software as a Service (SaaS) BPM application than it would to bring a similar application on-premises. In addition, going with the SaaS model meant he was only committing to a one-year investment, so that if it didn’t work out, he was free to pursue other options. Says Cowles: “It really just made sense for us to go the SaaS route.”

The SaaS vendor that Clayton Holdings chose gave them the added benefit of letting experts handle maintenance, support and upgrading. Cowles struggled to find an on-premises vendor that would make the same offer--or even speak with him at all, as his enterprise’s revenues were just too low to capture their interest.

Despite the success, Cowles still has some reservations about having BPM in the cloud. First is the inability to customize the SaaS application he chose, although he describes customization as a “double-edged sword” because there’s no guarantee that his staff could improve on existing software.

Second—and more important--involves the security of private information. Fears over liability and security have kept Clayton Holdings from doing invoicing in the cloud or using the document management capabilities of its cloud BPM application.

Cowles notes that Clayton Holdings’ cloud vendor has equivalent or better security than his company’s own. But he adds that “we have high expectations from our clients of liability,” which the vendor couldn’t absorb: “If I don’t have control over [information] as an organization and it’s in a third party’s hands, who is liable?”

Clay Richardson, senior analyst with Cambridge, Mass.-based Forrester Research, says that the law has yet to catch up to the cloud technology and it will be a long time before it does.

“Every country has their own requirement about how you report breaches,” says Richardson, adding that in the United States, many states have their own laws as well. “The issue for a BPM vendor is that usually they are using a hosting provider. The vendor is shielded because ultimately the hosting provider is liable.”

Richardson sees several other challenges facing an enterprise that wants to shift to the cloud.“One is that companies see processes as assets, and in some cases, assets to be protected,” he says. “Some companies are interested, but they’re usually a little reluctant to risk exposing sensitive information to competitors.”

Richardson also views integration as both a perceived and a real challenge for some enterprises that are struggling to integrate their internal systems with cloud applications. Surveys indicate that that in such situations, enterprises are struggling with latency issues, he says, but adds that developments in direct VPN connections are beginning to alleviate those problems.

Companies should make sure that the vendors they choose thoroughly understand the complicated issues surrounding cloud and security. “If you look at some vendors, they are really sophisticated in looking at cloud security challenges,” he says.

While the issues of cloud and security seem to be inseparable, many cloud analysts disregard the notion that public cloud is inherently insecure.

In many cases, public cloud is actually more secure than an enterprise’s current set-up, says Jeff Kaplan, managing director of the Wellesley, Mass.-based consultancy ThinkStrategies. That’s because cloud vendors are better able to guard against security threats than local IT staffs are.

“Do they really have the internal skills to pull this thing off?” Kaplan says, referring to the question companies should consider in deciding whether to outsource such initiatives. He notes that the types of enterprises most capable of keeping up with security threats--Fortune 100 or, at best, Fortune 500 companies--are also among the leaders in cloud adoption. “I think you are finding more and more people recognizing this [trend] and that cloud vendors are proving this to be the case,” he says. (For more of Kaplan's insights, see "BPM heads for the cloud," a Q & A with ebizQ's Peter Schooff.)

Richardson agrees, saying that, as with integration, concerns about public cloud are based more on perception than on reality. “It’s really more people looking at it and saying, ‘I believe that since I don’t have full control over the cloud, it’s more open to be hacked or accessed by someone outside the organization,’” Richardson says. “It’s really a control issue, if we’re honest about it. It’s perceived control.”

READER FEEDBACK: What are your biggest concerns or questions about moving business processes to the cloud? Security? Integration? Something else? Let ebizQ know. Contact Site Editor Anne Stuart at

About the Author

Adam Riglian is a news writer for ebizQ and other sites in the Business Applications & Architecture Media Group at ebizQ’s parent company, TechTarget. Contact him at

More by Adam Riglian, ebizQ Contributor