Cloud computing and cloud storage are becoming more viable, but a number of issues still remain - including security.
By Russ Fellows
-- The terms cloud computing and cloud storage have been gaining popularity over the past year, becoming the new winners in the marketing buzzword wars. However, obtaining mindshare and headlines is only the first hurdle in becoming a sustainable long-term trend that delivers value. Savvy IT professionals and business executives understand that market awareness of a term is only the beginning of delivering real functionality and value.
Since the term is relatively new, definitions for cloud computing vary. Recently the term has come to symbolize the delivery of IT resources as a service from either local or remote equipment. Cloud computing can be delivered in many ways, including the use of private equipment for delivery to users within the same company, delivery to the general public, or hybrid models.
The rationale for cloud computing has been to free companies from capital expenditures for IT equipment, while ultimately saving money and delivering IT services at a lower cost than using traditional means of providing IT. The various models of cloud computing include providing applications or core IT as a service, known respectively as Software as a Service (SaaS) and IT as a Service (ITaaS).
However, is cloud computing real, and if so, when will it deliver tangible benefits to IT organizations? In order to answer these questions, it is necessary to examine the changing business and technology climate.
A new business model
The idea of IT as a Service (ITaaS) is once again becoming a reality. Although the idea is not new and has been tried in various forms, it is once again becoming accepted as a mainstream business practice. In fact, ITaaS was the dominant business model in the late 1950s and 1960s when IT equipment was far too expensive for most companies to own. Over time, vendors continued to lower prices and businesses began to own and operate their own IT equipment.
More recently, the trend has been moving away from ownership of all IT resources, and a move back towards relying on services. During the past decade in particular, individuals have come to rely increasingly on IT services delivered over the internet. As consumers have grown confident, these same individuals have begun finding ways to utilize IT services for the businesses where they work. As a result, acceptance of IT services has continually increased.
One of the biggest changes that has occurred over the past decade is the change in individuals, and hence business organizations, in their willingness to accept and use internet-delivered services. In the 2000 time frame, few companies would have considered outsourcing something as critical as their customer relationship management (CRM) or email. Both of these applications are seen as business critical to most organizations, and the thought of outsourcing, much less using, these services over the internet would have seemed heretical to many in 2000. However, in 2009 it is becoming routine for these services to be delivered via a remote service provider in some form.
Several technology issues have stymied past efforts at providing IT as a Service, including virtualization, manageability, security, and billing and chargeback. These four features are a critical part of delivering ITaaS.
To a large degree, many of the technology issues impeding previous ITaaS efforts have been solved over the past decade, although some issues remain. For example, security remains an area where more work and constant attention must be focused in order to maintain the security levels required.
Some of the remaining challenges are partially issues of technology, and partially issues of how businesses choose to use services. These include the speed of access to IT resources, the availability of services, and security.
Speed of access
To many people, cloud computing and cloud storage bring connotations of public access to remote resources, thus the cloud metaphor. As the term evolves, cloud computing is now being used to describe other scenarios, with access to local or private resources in addition to remote services.
Some aspects of cloud computing are less impacted by network speed than others. Processing large data sets demands high-speed connections between the processing and the storage elements. A basic rule of networking is that long-distance connections will always cost more than local connections for the same speed.
As a result, applications and data will naturally be located in close proximity to each other when large amounts of data are processed. The more important the application, and the more data, the more likely data and applications will reside together. For applications that do not require fast processing, or for small data sets, data may be stored farther away.
Just as IT data centers do not separate their servers and their storage systems by hundreds of miles today, neither will cloud computing solutions separate components by large distances for important applications.
Thus, for many scenarios, network access speeds will not be an issue, since data and applications will be located in close proximity in either private ITaaS scenarios or public offerings.
Availability and reliability
The issue of availability is ultimately a combination of the successful delivery of all the other technology components required for ITaaS. The availability and reliability of service offerings is just as much a business issue as it is a technology issue. The technology available allows for internal and cloud IT service providers to design solutions that match nearly any set of requirements at a specific price level. Moreover, availability is not the issue but, rather, the availability levels offered at specific prices.
Acceptance of service levels and corresponding price differences continues to improve as the business model of ITaaS matures. Just as with delivering local IT services, each level of availability service costs significantly more than the previous level. Availability service levels are typically discussed in terms of the number of "9's" of availability. A two nines service level represents 99% uptime, with the inverse being over three days (87 hours) of downtime per year. An uptime of five nines (99.999%) represents only five minutes of downtime per year.
Currently, many of the service level offerings are provided with a "one size fits all" mentality. These providers typically have only one or two level offerings, with no possibility for modification of contracts or service levels. This approach is not flexible enough for many businesses that need to meet specific service levels for their internal IT consumers.
Ultimately, nearly any level of availability can be offered, if customers are willing to pay for the service. As the number of ITaaS providers increases, the flexibility of contracts and price competition will evolve to provide service levels and price points that ITaaS subscribers require.
By far, security is the biggest concern for most potential cloud storage users. When polled about their concerns, IT professionals consistently rate security as one of their biggest concerns, with good reason.
One issue is the lack of control over the network providing connectivity to cloud storage or cloud computing resources. Thus, users should expect that all data sent could be intercepted and even altered. As a result, any sensitive information such as login IDs and passwords should always be protected. This type of security is provided today by most email and CRM applications hosted as cloud services.
There are four elements to security in general:
-- Access control
In the past, security has implied perimeter security, ensuring that no unauthorized access is allowed from the outside. In a virtual world, with virtual IT services, a physical perimeter no longer exists. Therefore, businesses must assume that all data transferred may potentially be intercepted.
Without physical control over a system, enforcement of these principals must rely on some other method to restrict access to information. Encryption of information has come to be the most important way to restrict access to meaningful information, even when access to a physical system cannot be controlled. Thus, encryption becomes a critical component of security when IT services are delivered via the cloud.
The problems for cloud storage are particularly challenging, since data must be stored and retained in an encrypted format. If the encryption keys themselves are lost or comprised, then the data itself is effectively lost or compromised. For this reason, cloud storage and storage security is a more challenging problem than general cloud security.
There are the additional issues of dealing with transmission of data over international boundaries, and the varying laws of access, search and seizure of data that differ by country. European privacy laws are far different from those in the U.S. Transmitting data into or through another country can affect government or firms' access to information when a lawsuit, subpoena or national security concerns arise.
The business models, and acceptance of IT delivered as a service, are just as important as technology in making cloud computing a success.
Of course, there are issues yet to be resolved before cloud computing and cloud storage become a common part of the IT landscape. Many technology barriers that have prevented the spread of ITaaS are being overcome. Although a great deal of technology progress has occurred, more challenges remain.
Many users are concerned about reliability and meeting service levels. Ultimately, the prices charged for the reliability levels delivered will match the value users are willing to pay. That is, either the product features and prices offered provide a good value, or cloud computing as currently defined will need to evolve yet again.
Perhaps the biggest outstanding technology issue remains security. Although much of the technology required to provide secure cloud computing exists, the guidelines, use cases and required expertise are not yet widespread.
Cloud computing, cloud storage and ITaaS are becoming more viable every year. However, using these services securely will remain an ongoing challenge that will require diligence and attention to detail in order to circumvent potential breaches of data and corporate information.
Russ Fellows is a managing partner with the Evaluator Group research and consulting firm.