Version: 2008

Comments on: The biggest cloud-computing issue of 2009 is trust

Trust in the cloud is on a lot of minds today, centering on security, control, accountability, and privacy, and you can bet that it will be at the heart of a lot of innovation in 2009.

by randyb-gogrid January 7, 2009 10:19 PM PST
James, insightful as always. I think another way to create trust is through transparency. We need to see innovation not only in technology, but in methods, process, and business models. We're going to release some great stuff in this vein at GoGrid this month and I'm pretty excited about it. More soon.
by jamesurquhart January 8, 2009 3:48 PM PST
Absolutely. Transparency is one critical element of trust. Without feedback, there is no way of knowing the state of the assets you wish to control. Looking forward to hearing what GoGrid has to say.
by simonwardley January 8, 2009 5:47 AM PST
Good article, but oh no, I can't help myself ....

Back from my blog post in Aug 2007 (http://blog.gardeviance.org/2007/08/commoditisation-and-web-20-worth-part.html) - this hits the whole area of fungitility / patration or what you used to call software fluidity. We should both be shot for coming up with such awful terms.

Anyway, in discussing the "cloud" ...

"Low risk in this context would mean multiple providers of the same service which you can swap between, as opposed to the details [infrastructure architecture] of any one provider. To be able to swap between services you need not only standardised services but multiple providers and the freedom to move data, application or framework (depending upon which level of the stack you are talking about) between the providers.

In this context open source is a necessity to provide not only the base standards but also an operational means of implementing that standard. It is neither a tactic or a strategy.

However, open source (and in this context I mean GPLv3) is not sufficient, you also need some form of additional information to ensure the users of such services that they aren't being locked-in, or that this provider is really compatible with another or they can run their own installation should they wish to.

This can only be achieved through monitoring and the use of trademarking, by an authoritative group providing assurance to end users that this provider meets the standard, that any primitives have not been modified and that what you run with one provider will work on another."

Can trust be created ... yes, just not by the cloud providers or even associated network providers. You need independence for assurance.
by jamesurquhart January 8, 2009 3:51 PM PST
Simon,

Can you give me an example of a technology where this is the case today? I'm having trouble seeing how centralized control outwits an adaptive systems approach (where the market determines the standards and terminology that wins the day). Don't get me wrong... I think "impedance mismatch" and subsequent lock-in (intentional or accidental) is a big issue, but I'm not sure an independent authoritative group would work as well as corporate demand for interoperability.
by simonwardley January 9, 2009 3:25 AM PST
Hi James,

Well as you know IT is currently undergoing a shift from a product to a service based economy, so we don't have clear examples of this in our industry yet because we're going through a transition. To find examples you need to look outside the field.

Obviously this will need corporate demand for portability (and hence interoperability between providers) for all the reasons of second sourcing, competitive pressure, pricing competition and so forth. I covered this in my talk at cloud camp last year ("Gang up now before the *aaS cloud gets you").

But even with corporate demand, there remains an issue with standards: those standards will need to be policed (i.e. assurance given to end users that a provider is matching those standards).

For various reasons the standards will have to be open source operational code rather than specifications (including but not limited to reasons of speed of adoption, loss of strategic control by providers to a technology vendor and the need to ensure that standard covers the entirety of the services). Now with such standards any provider may make operational improvements to their implementation of a standard (without alteration of the primitives) and such service competition is ideal for a service based economy (it's also why GPLv3 is the perfect license for competition in the cloud and why AGPL is an abject failure for competition).

But even with an open source standard and competition on price vs QoS, you still need a mechanism to provide assurance to any end-user that a provider is still compliant to the standard, they are still providing a standardised service which you can move to and from.

If we ever want to get to a marketplace of providers with portability between providers rather than monopolistic situations then assurance services will become essential.

They don't have to create the standard but instead provide assurance that a service provider complies to a standard. A weak example of such assurance services would be the role of the FSA (UK) and the Stock Exchange in terms of providing and policing standardised financial instruments. (Before anyone starts quoting the current financial problems, that was mainly kicked off by OTC trades and we're not out of the woods on that yet).

So you need to start with corporate demand for portability (and hence interoperability of services) but such a goal will only be practically achieved if the standards are operational open source code rather than specifications, you have multiple providers of the standard and assurance services for compliance to the standard.

This is what I've been talking about since 2006, and with everything that has happened I still believe it is the only viable route.

The big question remains whether the cloud computing industry can create the marketplace on its own (under pressure from corporate demand) or whether the government will need to step in and regulate for all the reasons discussed in Jesse Robbins' post (see http://radar.oreilly.com/archives/2007/10/you-become-what-you-disrupt.html).
by BenjaminWright January 8, 2009 6:41 AM PST
Watch this issue: Will records in the cloud be easier for a legal adversary (like a prosecutor) to get via a search warrant or subpoena (http://hack-igations.blogspot.com/2008/02/collaboration-e-discovery-and-record.html)? --Ben
by kai6novice January 8, 2009 7:30 AM PST
If everyone has their own cloud, that would eliminate the "trust" issue, just like back then when a computer was shared by multiple users, and now we have the Personal Computer. The same thing will happen to the cloud, where the cloud platform is shared by multiple users, but in the future, everyone will host their own cloud server and that would eliminate the issue of trust. And after that, we will have the "sky" network, which links all the cloud servers together, provides free maintenance and troubleshooting, and keeps all the clouds stable, so users won't need to worry about their cloud server.
by jamesurquhart January 8, 2009 3:56 PM PST
Hmmm. How do the economics of "personal" cloud servers work? How are they better than the economies of scale offered by large scale multi-tenant clouds?
by alainyap_morph January 9, 2009 2:44 AM PST
Regarding cloud computing at present, it is obvious that a vendor will never be able to satisfy user demands upfront and it will take a while, by bits and pieces, before a satisfactory valuation on the service can lead to reliance. After all, like any other business, pursuit of a working relationship is the goal but onus on hyped technologies because of the history of big failures (and also in part because of shrewd marketing strategies). Where's authentic customer feedback when you need it?

Anyway, something about 'trust': 'Trust is a measure of belief in the honesty, benevolence and competence of the other party. Based on the most recent research, a failure in trust may be forgiven more easily if it is interpreted as a failure of competence rather than a lack of benevolence or honesty.' [Wish it was mine but it's from Wiki]

Sounds web 2.0, huh..

Thanks for sharing, James!

Best.
Alain
by SteveCaughey January 12, 2009 1:33 AM PST
At the moment there's a clear difference of opinion amongst cloud aficionados on this subject of trust. The Web 2.0 optimists argue that informal trust is good enough. They'll say "I've rarely had a problem with EC2/FlexiScale/Mosso and when I do I just restart my app some time later. Oh, and I get some credits too when that happens". The business sceptics on the other hand say "How can I expect some third party to take the same care and attention over my critical applications that I do myself? How can I trust someone else not to lose, accidentally expose, or sell my confidential data?"

Trust is often treated in these cloud discussions as if it was a binary property. I either trust "the cloud" or I don't. But things aren't as simple in the real world. I might trust you, James, to look after my pint whilst I go to the restroom but not to look after my Porsche (if I had a Porsche, that is). Whereas I'd trust my colleague Barry with my Porsche but I wouldn't leave him alone for 5 minutes with my pint. Trust between two individuals / organisations is a function of their previous interactions.

In the business world (and in the pre-nuptial arrangements of the very wealthy) trust is codified in legal contracts and in the legal system that supports those contracts. So, when you ask me if I trust my bank to look after my money then I'd say ... (no, wait, that's a bad example). When you ask me if I trust my airline to deliver the seat I've booked then I'd say "yes, in the main". But if they don't, then I know that there is a contract in place and an audit trail and that there are laws that will result in my being compensated for their failure to deliver. This knowledge bolsters my trust and is ultimately what makes my business with the airline, indeed all business, possible.

I don't think we'll see broad take-up of cloud infrastructure until we can capture the contractual relationships between cloud customers and vendors (and incidentally I believe that in the cloud this distinction will become increasingly blurred). At Arjuna (www.arjuna.com) we think this can be done by allowing service requirements to be clearly defined and then by constructing service agreements (effectively contracts) between independent parties intended to support those service requirements. (Thomas Bittman of Gartner has recently blogged on how potentially complex some of the requirements might be - http://blogs.gartner.com/thomas_bittman/2009/01/08/virtual-cloud-privacy-is-gray/). These agreements need to be very dynamic in nature and to be sufficiently flexible so that they are capable of supporting everything from complex, tightly defined business relationships backed by legal documentation, to the very loose and non-contractual relationships. Once an agreement is in place both parties can then build their own audit trail recording their view of how they and the other party have performed. This knowledge can be used to inform further agreements i.e. build trust, and to help to settle (or avoid) disputes between the parties. Business requires contracts and, if it means business, then so does the cloud.

Incidentally, James, I too enjoyed Rueven's "unsession" in San Jose - my hat is off to him for sacrificing a marketing opportunity in exchange for moderating such a lively discussion.
by jamesurquhart January 14, 2009 4:45 PM PST
Stephen,

Thanks for the thoughtful comment. Funny enough, I just amended my description of "trust" in the cloud to include the following: security, control and service level management.

I'm right there with you, man.
by bookfly January 19, 2009 10:54 PM PST
good
by zetaeditorial January 22, 2009 9:59 AM PST
The level of data security is questionable, but accessing files and applications over the internet has the potential to change the way we work and play. Read our blog post about cloud computing: http://www.zeta.net/blog/2009/01/what-cloud-computing-means-for-you/
About The Wisdom of Clouds

The Wisdom of Clouds, a CNET Tech blog by James Urquhart, covers cloud computing, virtualization, SaaS, data centers, and much more.
