Cloud Computing: the IT sector is going Cloud crazy - but much risk remains behind the silver lining, with several key aspect of the technology untested.
If you are not directly involved with running IT systems, or setting their strategy, you may be a bit hazy about Cloud Computing - 'Is it something to do with meteorological monitoring?', a delegate at the recent Internet World exhibition was heard to ask. Even more computer-savvy colleagues may wonder why the 'C' word lards so many media headlines and conference agendas, while seasoned computer engineers continue to protest, 'Cloud Computing is not a standardised technology, it is a marketing buzzword, and as such does not exist in my book'.
Truth is that Cloud is both a buzzy marketing term and a tangible technology; it is also not the first emerging solution that has found market take-up before it has been 'officially ratified' by an ISO designation (although work on Cloud standards is ongoing). It is not surprising that any topic that enjoys acclaim among industry proponents is bound to raise suspicions, and a few heckles to boot; but Cloud-challenging voices are few. There are pundits who will append a cautionary spin to Cloud appraisals; but the prevailing consensus is that the Cloud model is a viable and credible direction for enterprise application provisioning, a nascent de facto standard. 'Within the current state of enterprise IT there is no option other than Cloud,' insists Nlyte Software CEO Jon Temple. 'You either accept it, or you don't.'
Despite this apparent fait accompli, several key Cloud precepts have yet to be fully tested, and market watchers reckon that many major would-be adopters are waiting to see how Cloud plays out before committing. So what are the concerns around Cloud?
Caveat 1: How innovative is it?
Cloud is often couched as an innovative approach to architecting enterprise applications, and for managing datasets. There are those, however, who say that the Cloud concept is nothing new and that innovation-strapped vendors are trying to reheat an idea that proved unworkable first time round. Eighteen per cent of respondents to an IDC survey said they believed that Cloud Computing was 'just the renaming of an old concept'.
This is correct only insofar as every computing technology has analogues in the past. Cloud Computing's essentials, arguably, originated in the 1960s when computer scientist John McCarthy wrote that 'the computers of the future, then computing may someday be organised as a public utility just as the telephone system is a public utility'. Indeed, the term 'Cloud' borrows from the early 1990s when telecommunications carriers launched Virtual Private Network (VPN) services. From then onwards, the Cloud icon was used to demarcate the responsibility of the provider from that of the virtually 'private' user. Notionally, Cloud Computing extends this boundary to cover servers as well as the network infrastructure.
As soon as VPNs met the Internet, the possibility of using this 'seamless' connectivity to host applications or to enable off-site data back-up, say, between PCs and servers that were physically distant from each other and had different owners, was put forward. New models for outsourcing application development, and collaboration techniques to re-engineer the way applications were used, were evinced by forward-looking solutions providers: the much-anticipated broadband roll-out promoted these possibilities.
Internet connections in the late 1990s were generally not sufficiently capacious or resilient to support sophisticated applications between PCs and servers, and were too expensive to make large file transfers feasible for SMEs and MLEs using dial-up links. Most organisations that dabbled with early hosted software service soon returned to the more traditional hosting of client/server applications across in-house infrastructures, or private links to host systems via terminal emulation front-ends. Just as broadband began to replace dial-up in the early 2000s, online security concerns quashed many organisations' interest in having third-party retention of valuable data unacceptable.
Many of these inhibitors no longer constitute such ardent challenges to the basic Cloud ideal. Integration of a wide range of applications with standard browsers has created common access possibilities. Broadband services are fast, fat, and (largely) reliable. The conflation of these factors have underpinned the Cloud proposition and endorsed its viability in recent years; but, as with any technology cycle, the remediation of one set of obstacles has given rise to a new lot.
None of the risks associated with Cloud are 'showstoppers' for all enterprises and for all specific use cases within any single enterprise, says Gartner's research vice-president Bruce Robertson, 'but they will be for some'.
Caveat 2: Apps and downs
One view asserts that any Internet-based application is an application in the Cloud - but that does not necessarily make it a 'Cloud application'. Search engines, for instance, and video streaming are, in effect, hosted applications. Each time you enter a search in Google or in Bing, or watch a YouTube item, the software that delivers results is running remotely; it could be loaded on a server in Stevenage or in Sarajevo, or across both.
More recent Cloud-aligned services such as Google Apps, Salesforce.com and social networking sites like Facebook finesse this basic approach; and they keep their data - the user-generated content that fills every Facebook profile or customer record - remotely.
Although they are not meant as prima facie business applications, social media sites are highlighting some of the challenges that Cloud adoption throws up. Data ownership is one example that represents the thorniest issue: many organisations do not like the idea of a third-party holding their most valuable and sensitive data, even when that party is bound by law not to peek and to protect the data as well as is technologically possible.
'There are clearly some application domains where Cloud Computing will be successful,' says Nlyte's Jon Temple, 'but as a general rule, the more mission-critical an application is, the more fear and trepidation there is: ceding possession of data is a major stumbling block for many businesses.'
Caveat 3: Service level disagreements
Comparisons drawn between Cloud potentialities and successful online brands like Google and Amazon can be misleading. Such online megabrands differ from the world of standard business applications. For example, these are providers of Cloud-like services, not consumers of them. Google famously owns its own data centres (19 in the US alone, reportedly). The impact that the huge technological resources that these sites have must not be understated. It means that, for the time being at least, no matter how many millions of users are accessing such systems at any one time there is sufficient processing power, software and storage to ensure that performance levels are maintained. Such guaranteed uptime comes only with tremendous investment.
For providers of Cloud-based enterprise services, to match and maintain this degree of resilience and redundancy is a considerable challenge and it is something that raises concerns among their customers. Partly, the issue is scalability through growth. Service level guarantees may be maintainable at the earlier stages of a contract's term; but a Cloud service provider's ability to keep it up two or more years down the line - as both their clients' businesses expand and their own operations expand - is as-yet untestable. If they are doing well it is likely that they will still be in business to service the needs of their client base going forward; if a Cloud service provider is doing very well, it might make it attractive to acquisition and/or merger, which may prove an unsettling influence on its customer's plans business.
'Defining service-level agreements (SLAs) must be a key focus, despite the fact that Cloud service providers are less interested in negotiating custom contracts than traditional outsourcing partners,' says Robertson. 'If nothing else, the SLA review should indicate which commonly assumed service levels are not supplied by a Cloud service provider.'
Contention ratios are another Cloud bother in this context. Network bottlenecks can occur at any stage of the connection between server and user endpoint. Due to the concerted broadband fibre infrastructure build-out of recent years, contention is less of an issue than it used to be, but can still have an impact on connection (and therefore application) stability within local area networks. There is a cost dimension to this issue as well, as organisations that embark down the Cloud route to find IT cost savings discover that, although they have reduced software licensing overheads, they've had to shell-out for network infrastructure upgrades so that the Cloud-based versions can work.
This touches on another area where Cloud Computing attracts critics: user experience. Average enterprise computer users have become accustomed to high levels of system performance. When a business application that they use every day - for instance, customer relationship management, transaction processing, order processing, desktop publishing - starts to 'run slow', 'throw-up error messages', or 'seize up', it not only impedes productivity, it also causes a psychological disconnect between individuals and their electronic work tools. This issue becomes acute when an application was previously hosted on servers within the enterprise and was accessed via sturdy local connections, rather than through an Internet browser and people start saying 'We never had these problems with the old set-up'. Smart service and applications vendors will do their utmost to resolve these issues, but sometimes problems occur within the Cloud and are beyond their control.
Cloud is about connectivity. In the Cloud model, if the connection is impaired so is the application, and so is the business. Few are the enterprises that have not experienced a communications outage at some time. It may last less than an hour - because their ISP has suffered a hardware failure, or a pneumatic drill has accidentally severed a local trunk - but it could last a day or more.
It is Sod's law that unscheduled downtime will occur when backlogs of customer orders are being approved, or a project deadline looming. Quite how organisations will react when critical applications are suddenly switched-off is yet to be seen. The change will be that, although many of us now lose Internet connections and notice, not everybody in an organisation is affected; those who were using the Net find other things to be getting on with - usually they involve outstanding tasks assigned to applications that are hosted on in-house system that will still be available. Even if the VoIP telephone system is deactivated, we can use mobiles to make any important calls.
Again, migrating applications to a Cloud model to find savings can result in losses if crucial factors like in-building Internet connections fail. Organisations can pay more and upgrade to premium public network services, but even these are supplied on a 'best endeavours' basis. Only the world's richest organisations can maintain private circuits with so much redundancy built into them that 99.99 per cent uptime is assured.
How applications will integrate inside a Cloud architecture is another area that could throw up problems. 'The IT industry has [over the last 20 years] spent a lot of time mastering data management techniques so that, on the whole, application program interfaces from different software vendors will work together,' explains Nlyte's Jon Temple. 'If in the Cloud data becomes distributed across different domains, physically and virtually, then that could create real complications.'
Caveat 4: Risk appraisal
In spite of the potential attendant jeopardy, many organisations see Cloud Computing not only as a way forward, but the only way forward for enterprise IT strategies. One of the anomalies about Cloud seems to be that the technology is being welcomed by small- and medium-sized enterprises - those that have the most to gain from it, but also those whose livelihoods would be most in jeopardy if things don't work.
Having concerns about an emerging technology is one thing; the key decider is the extent to which they will be swayed by those concerns. A primary driver for a Cloud-based model is cost reduction, and the current climate is compelling a significant proportion of CIOs and IT directors to accept a controlled degree of risk in return for Cloud's CAPEX savings. Evidence for this comes the ISACA IT Risk/Reward Barometer, a rolling initiative designed to gauge organisational attitudes and trends surrounding risks and rewards associated with IT projects.
'Cloud Computing promises cost saving, [but also] new sets of problems in relation to IT risk and compliance' which could account for the more cautious approach from North American organisations, as opposed to those from India and the EMEA region,' according to the Barometer's latest edition: it found that 45 per cent of North American IT professionals believe the risks of Cloud Computing outweigh the benefits, compared to 31 per cent of Indian and 28 per cent of EMEA IT professionals.
'Employees in India, EMEA and North America are working around controls and using non-approved devices and programs, so that they have the tools they need to do their jobs,' explains John Pironti of ISACA's CRISC Certification Committee. 'However, because Indian organisations have aligned IT more effectively with the needs of the business, they are better-equipped to identify and manage high-risk IT practices across the business.'
Caveat 5: Cloud governance
The predicament alluded to by ISACA - Cloud Computing as a disruptive force that brings its own baggage and upsets existing polices and procedures - is prime Cloud caveat. Cloud services can make it easy to procure software and services online that previously took an age of evaluation periods and sign-off before approval was gained. Here, Cloud is bypassing control of some aspects of enterprise IT away from IT managers. Such 'autonomy creep' could result in chaos, with different departments ordering what they feel they need, and rendering existing IT management and governance somewhat irrelevant, warns Laurent Lachal, senior analyst/Cloud Computing at Ovum.
'Cloud governance is not a destination, it is a journey,' says Lachal. 'Existing governance is made redundant because their specific simply do not apply to the new Cloud model.' Gung-ho adoption of the Cloud could result in a haphazard enterprise IT landscape. 'There are concerns, but despite the high levels of interest it is still early days, so we shouldn't overreact,' he says. 'However, the time to act is now. Governance policies are still important, they are absolutely relevant to Cloud Computing.'
Lachal adds: 'You don't want to lock-down Cloud too much; that would be self-defeating, and denude Cloud of the qualities and features that give it value. IT practitioners have to set a balance between control and convenience. The governance parameters do not have to be conspicuous, or even visible. Laurent argues for a kind of 'controlled freedom': users get the benefits of Cloud, but working within certain controls set by the IT department.
'Cloud governance is not a destination, it is a journey,' Lachal says. 'It should flow with, and fit with, an organisation's structure. In actual fact, the advent of Cloud Computing reinforces the need for governance in general; but it is not yet fully evolved in this respect. This does not imply a bleak outlook: these are early days and we are still moving forward, we must move forward; it's just that Cloud creates new challenges that call for good governance.'
Cloud Computing 'redefines the role of the IT department and pushes them out of their comfort zone' because if the bulk of IT management becomes outsourced, it leaves a lot less for IT department to do,' Lachal says. Determining and applying governance to the Cloud environment is an area that IT departments of the 2010s should make their own, he suggests: 'There's a lot of ICT governance already in place - SOA governance, data assurance governance, security governance, and so on. So some starting points do already exist.'