Ten observations about cloud computing

I started following and writing about topics like Amazon Web Services and mashups even before they were corralled under the "cloud computing" moniker. But today, cloud computing is one of the hottest topics in IT.

Much of what I write about the cloud drills down on particular aspects or is a reaction to some vendor's announcement. Here I'm going to take a different approach and take a broader look at where things stand today and some of the challenges ahead.

1. Let's get one thing out of the way first. Cloud computing is real. Yes, there's a lot of hype and a lot of "cloud-washing" (applying the cloud term to only peripherally-related things). But cloud computing legitimately refers to a convergence of technologies and trends that are starting to make IT infrastructures and applications more dynamic, more modular, and more network-centric.

2. The industry has reached a rough consensus on a basic taxonomy for public clouds. We have infrastructure as a service (e.g. Amazon Web Services), platform as a service (Microsoft's Azure), and software as a service (Salesforce.com). People may quibble about some of the details and about how to characterize standalone Web services and such but IaaS, PaaS, and SaaS have developed into a convenient shorthand for describing the basic levels of abstraction for network-based computing.

3. Private clouds exist and will continue to exist. I'm not a huge fan of the term, but many enterprises simultaneously want to take advantage of the technologies and approaches associated with public clouds while continuing to operate their own IT infrastructure (or, at least, to maintain dedicated hardware at a third-party provider). Some of this is doubtless "server hugging" and some is giving IT-as-usual a trendy new name. However, there are lots of reasons why enterprises can't just move to a multi-tenant public cloud provider and it's not even clear that it makes economic sense for many to do so.

4. Security and compliance are high on the list of those reasons. I often see such concerns essentially trivialized as a matter of attaining a comfort level or a level of knowledge--sort of an enterprise version of consumer worries about the safety of online banking. However, as I noted after CloudCamp Boston, we're now getting into very real and very thorny questions such as how right-to-audit clauses can be satisfied in a cloud computing environment.

5. Closely related are legal matters. I hear a lot of generalized concern that the requirements for law enforcement to obtain data from a service provider may well be, at least in practice, lower than those needed to obtain a warrant for a company's own servers. Furthermore, we've already seen a case where the FBI confiscated servers from a hosting provider above and beyond those related to the specific company under investigation. Borders, especially national ones, also carry--not always well understood--legal implications.

6. There is no "Big Switch." Nick Carr's The Big Switch argued that computing is on a similar trajectory to what we saw with electrical power generation and distribution. If so, that would make cloud computing a fundamentally disruptive economic model rather than a mostly gradual shift toward software being delivered as a service and IT being incrementally outsourced to larger IT organizations. However, so far, there is scant evidence that, once you reach the size of industrialized data center operations (call it a couple of data centers to take care of redundancy), the operational economics associated with an order of magnitude greater scale are compelling. Specialization, such as to meet industry-specific compliance and regulatory requirements, will also tend to mitigate cloud computing concentration.

7. Data portability is a must. Interoperability less so. Although data portability isn't a panacea--even if you can extract your information in a documented format that doesn't mean you can transparently make use of it somewhere else--it's a base-level requirement. Interoperability is trickier. We're seeing some standardization activity at the IaaS level through a combination of de facto standards, consortia, and third-party brokers that translate among services. However, as we move further up the software stack, there are significant trade-offs between standardization and useful differentiation.

8. Cloud computing and virtualization intersect in interesting ways, but they're not the same thing. The flexibility and mobility provided by server virtualization is a great match for cloud platforms in general. And certain types of cloud computing largely define themselves in terms of the virtual machine containers that virtualization creates. However, companies such as Google have demonstrated that large-scale distributed infrastructures don't require server virtualization; they architect their infrastructures using other techniques and provide higher-level abstractions and services to users.

9. Location-based applications will reach their potential through cloud computing. People have been talking about the potential of apps that understand place almost since cell phones went mainstream. However, it's the intersection of more precise sensors on the client (GPS augmenting cell signal triangulation) and easily-consumable cloud-based applications that can mash up that data with geographical databases and the data from other users of a service that are moving apps about "place" into the mainstream.

10. The cloud will change the client. There often seems to be an implicit assumption that, over time, computing moves into the cloud and mobile devices become interchangeable display and input devices. The reality is more complicated. Copies of our devices' "state," whether data or personal customizations, will indeed migrate into the network. However, both user experience and the reality of sometimes-connected networks suggest that there's a lot of reason to push many computing tasks and working data sets out to the client device. The client will change but it won't become just a portable version of a "dumb tube."

[titook]

Very nice list of observations. Agree with all of them, and on the #10, certainly concur with you. I'm a proponent of cloud computing, but there are applications that have to be on the client side.

[liquidmetalband]

Cloud computing is based on the idea that it's cheaper to pay a yearly fee for storage than it is to buy your own external storage -- which, of course, is completely false.

It's the kind of thing that some businesses might use, but not really.

[ghaff]

That's a very narrow definition of cloud computing; it concerns a lot more than storage IaaS. I might even agree with you up to a point if that were all cloud computing is.

[rebeccalawson]

Thank you - this is one of the most sensible lists on the topic I've seen.

It's funny how most of the chatter today is about moving workloads around from a VM here to to VM there... which IMHO completely misses the point. The "real" cloud has more to do with a different computing paradigm whereby the service (that is, a technology-enabled service) takes advantage of parallel processing across huge expanse of non-structured data (think Google search), considers state and persistence, inter-operates with other cloud-based services by virtue of it SOA/WOA-ready design, is designed for scale independence and elasticity.

[ChrisHote]

Great post, thank you.
A comment: Why not adding an observation about security which seems to be a major concern for corporations? The topic is quite close to data portability and if well addressed may drive corporations far from private clouds.
Chris.

[ghaff]

See #4

[pentest]

"1. Let's get one thing out of the way first. Cloud computing is real. Yes, there's a lot of hype and a lot of "cloud-washing" (applying the cloud term to only peripherally-related things). But cloud computing legitimately refers to a convergence of technologies and trends that are starting to make IT infrastructures and applications more dynamic, more modular, and more network-centric."


Very wrong, it is a meaningless buzzword, and you used meaningless buzzwords to define it.

There is nothing new here, distributed mainframe is a very, very old idea. A person or company would have to be an idiot to gives all that control over your data to a third party. It has about as much meaning as the equally stupid term Web 2.0.

There is very little advantage in giving up your data. You still need to run computers at your company and they still need a network. That means management costs drop only slightly, not nearly enough to counter act the little saving doing this will give.

The only reasons companies are trying to sell this idea is because it makes THEM more money then selling licenses. No other reason. A buyer is foolish indeed to go into this one-sided bargain.

[VoiceOfLogic]

Thank You.

[ghaff]

We have been outsourcing payroll (which used to be processed in house) for decades. CRM (customer relationship management) systems accessed over the network are commonplace. As is accounting systems (for SMB). Companies are already storing many kinds of highly proprietary data with third-parties.

[VoiceOfLogic]

11. The cloud is not secure and will never be secure. People cant store data securely behind locked doors, let alone out there "somewhere".... I wouldnt trust a random bit "in the cloud". Sounds to me its just another buzzterm that the media loves to use to try to look cool - like the other current one: twitter. Point is, I want my stuff on premises and in-house.

Mark these words, the so-called "cloud" as it is defined today will never materialize.

[mevolution]

In our business, we use cloud computing to help businesses better serve and secure their mobile workers (which is pretty much all of them these days) by putting their management and monitoring of their mobile devices in the cloud where their mobile workers live.

The key word here ? for us and our customers ? is secure. The Internet has been deemed ?the Wild West? ? home to porn, predators, viruses and petty crime. So how could it possibly be a suitable replacement for the LAN? Well, it can and it is. And to make sure IT people around the world know how to identify and implement secure cloud computing solutions, the Cloud Security Alliance was announced earlier this year at the RSA Conference.

The CSA is a collection of the finest minds on cloud security in the world, including leaders from Symantec, Dell, and Salesforce.com. I reviewed the initial draft of the CSA?s Security Guideline document and found it to be well thought out and very broad in it?s spectrum of domains being covered. So I decided to become involve and help further develop details within the guideline. With my background in security and working at a SaaS provider I have some pretty good insight in to the trials and tribulations of working within the cloud model.

Basically, when version 2.0 of the guideline is complete around October, IT managers around the world will know what to look for in a cloud computing vendor. The guideline will cover domains from Governance and Legal, to Datacenter Operations and Business Continuity. It will include provisions and guidelines for Compliance and Audits as well as Incident Response and Remediation. It will also cover areas of Storage, Encryption and Identity Management among others. Basically it?s going to be the foundation for how cloud vendors should function and what IT managers should look for in a strong reliable cloud solution. Yes, this will upset those trying to build cloud solutions quickly and cheaply. It?s a small price to pay.

Imagine a time before medical school and licensed doctors ? you would never know if the surgeon you were seeing practiced legitimate medicine or was actually a witch doctor. Not exactly the way any of us would operate. The same is true with cloud computing. If you?re going to move your valuable assets into the cloud (because the productivity, cost, energy, etc. advantages are really that great) you better be able to recognize the professionals. The Cloud Security Alliance intends to be the source of resources needed so even the most inexperienced person will have the tools they need to securely move into the cloud.

David Lingenfelter, www.MEvolutionBlog.com

[mevolution]

The other day, I was locked in conversation with a man who has been a long-time customer. He?s a particularly bright individual and his company is extraordinarily well-respected as an authority on many subjects. Normally, I look forward to any exchange of ideas with him, but on this occasion, I found him particularly perplexing.

We were discussing cloud computing, a topic that has been constantly on my tongue recently, when it occurred to me that he had fallen prey to some of the most common misconceptions I?ve been hearing from many cloud nay-sayers.

Companies will not fully adopt solutions in the cloud, he said, because they would continue to require users to first remotely connect to the corporate network before accessing the cloud. The main concerns in his view: security and control.

But, I told him, there are services in the market right now that can give IT departments the ability to secure and control all mobile devices through the Internet without touching the corporate network at all. And besides, there are many other downfalls associated with a policy that forces mobile workers to do everything through a remote connection the LAN.

Productivity ? Imagine if every time you were out and wanted to go someplace else, you had to drive home first. Could you imagine how much time that would waste? The same is true about the corporate network. It just slows down the ability for employees to get their work done.

Bandwidth ? The difference between dozens, hundreds, or thousands of mobile workers logging in the network from outside the office and going directly to the cloud? Pretty significant. As more and more people work outside the office, this number and its drag on the corporate network is only going to grow.

Cost ? Providing all the infrastructure a company needs to secure the LAN and provide access to it from outside the office is significant. I know, I?ve been in this business for a long time. On the other hand, securing the cloud can be easy and inexpensive. And the cost per seat for wireless workers to connect to the Internet ? well, most companies are already providing that.

The truth is that many people (like my client) are scared of cloud computing because they don?t know that much about it. I completely understand ? which is why I?m making it my mission to get some truth out there and help companies save time, money, and headaches with an Internet-based corporate network. You can bet he?s still one of my best customers.

Jeff Ward, www.MEvolutionBlog.com

[ghaff]

Absolutely. I've gone into a lot more depth in other pieces I've written but the future is in a variety of clients (including many that are owned by employees themselves) accessing applications through standard Web protocols. And once that's your architecture there's really not a whole lot of advantage (in many cases) running that application's infrastructure in-house.

[Len Bullard]

And just as the cloud topic gels, it's opposite emerges: servers at the edges. How disruptive can that be to software and hardware companies that have been trending back toward the "we only need four or five mainframes" domain?

While the cloud pundits rightfully extol the benefits of bigco service computing (say server farms owned commercially), the sense of the end user down to the home desktop is one of losing both privacy and control.

Good article.