During the recent recession, Cloud Computing was touted as a new model for IT to adopt, in order to cut operational costs and extract maximum efficiencies out of their software. 2010 was supposed to be the ‘Year of Cloud Computing’ yet adoption still remains slow.
A recent InformationWeek article referenced a study conducted by Avanade which showed that 91% of U.S. respondents understood the term Cloud Computing while only 61% of respondents from the rest of the world understood it. Even more surprising was the fact that over half of U.S. respondents claimed to be using a combination of internal IT systems and cloud services (in other words “hybrid clouds”), while those who didn’t adopt any form of cloud computing cited security and control as their primary reasons for not doing so.
The unusually large number of ‘cloud computing adopters’ leads one to believe that the respondents considered web-hosting, salesforce.com, and other SaaS-type offerings to be cloud computing as opposed to pure-play cloud providers such as Amazon EC2, Heroku, and Google AppEngine. This leads us to the first reason for slow cloud computing adoption:
Misunderstanding Cloud Computing
The definition of Cloud Computing has converged on three distinct layers, each of them mapped appropriately to the ‘old’ traditional datacenter model of hardware, OS, and application:
Infrastructure-as-a-Service (IaaS): This includes servers, storage, and networking hardware stored remotely and delivered on an as-needed basis in the form of CPU cycles or data. Amazon EC2 and GoGrid are prime examples of IaaS providers.
Platform-as-a-Service (PaaS): This consists of a complete platform upon which to build your custom applications. APIs, database development, storage, and testing are provided as well. Microsoft’s Azure and salesforce.com’s force.com platforms are examples of early PaaS providers.
Software-as-a-Service (SaaS): This consists of applications delivered over the web and accessed through an internet browser. salesforce.com’s CRM modules, Gmail, and Workday are all examples of SaaS providers. However, as you’ll see below, there is a fine difference between a SaaS solution, and a SaaS cloud-computing solution.
While the above definitions provide a basic foundation for understanding what cloud computing is, they still do not enable decision makers to understand the myriad of complexities involved with pushing the ‘go’ button when it comes to migration, and deployment. I found this useful in-depth InfoWorld Cloud Computing Deep Dive report, which addresses all the ‘middleware’ components needed for a successful cloud computing migration, amongst other issues. One of InfoWorld’s main cloud computing bloggers, David Linthicum, wrote a book called Cloud Computing and SOA Convergence in Your Enterprise: A Step-by-Step Guide, which outlines the 11 categories of Cloud Computing. I’ve reproduced the image from the InfoWorld Report below:
Although the above topology adds more granularity to the various components of cloud computing, it is sometimes too all-encompassing. For instance, the Application-as-a-Service segment (a.k.a. SaaS) consists of any software delivered over the web. But to be a true cloud-computing solution, I believe that such SaaS solutions must be able to not only integrate well with on-premise software but also with other SaaS solutions that exist on some other platform.
Apart from understanding what cloud computing really means, the next biggest impediment towards adopting it is:
Security in the Cloud
The vast majority of enterprises who have taken to the cloud have done so in the area of non-critical business applications. However, to truly realize the full benefits of cloud computing, enterprises must be able to consume their mission-critical business applications in the cloud, and be able to transition seamlessly between their on-premise applications and the cloud. An old Gartner report almost two years ago, summarizes seven main security risks of cloud computing. The seven risks outlined were:
1) Privileged user access (what controls are in place over the administrators at the service provider who have access to your critical data)
2) Regulatory compliance (what kind of external audits and security certifications has the provider gone through)
3) Data location (what country is the data stored at and will privacy of customers’ data be guaranteed at this location)
4) Data segregation (data in a cloud datacenter is typically in a shared environment. What encryption schemes are there to ensure that private data is not delivered to another customer by mistake)
5) Recovery (what disaster recovery mechanisms are there for backup of data)
6) Long-term viability (what exit or continuation strategies are available in case of acquisition or bankruptcy of the provider)
The above list though, is not comprehensive. Moreover, current security solutions in the cloud are merely limited to security vendors that have SaaS extensions to their existing software. Security issues around protecting the platform in the cloud have not been addressed yet. A nightmarish security scenario would involve a hacker exploiting vulnerabilities in the force.com or Azure platform, and the virus quickly spreading to any applications that are run off it. Such a virus could then quickly proliferate its way to all customers using these applications. If you thought any of the MyDoom viruses of 2004 caused havoc, a virus of this scale through a cloud computing platform would bring significant business disruption. PaaS vendors such as Microsoft and salesforce.com need to assure customers of in-built anti-virus mechanisms to protect applications that run on their platforms.