Cloud Computing: Looking for Security, Reliability and Resiliency

As cloud computing continues to roll over the landscape, many enterprise IT organizations still struggle to resolve questions about its security, reliability and resiliency. These questions come up regardless of whether companies are considering a public or private cloud.

Enterprise IT leaders are examining the risks, benefits and issues of this approach, but many feel their judgment is still too cloudy to make the leap. In discussions at the industry group SHARE, IT professionals voice concerns about performance, availability, security, resiliency and usage accounting.

Cloud computing is a way of delivering IT services and resources over the Web, using rapid, self-service provisioning, while insulating the user of the services or resources from the management of the underlying IT infrastructure. In other words, as a consumer of IT resources, you can focus on using the resources, rather than managing them. So you don’t have to go through the hassles of procuring and implementing hardware and software to use IT resources.

The benefits of cloud computing for enterprise IT are pretty straightforward and well-documented. One of many benefits is that the cloud greatly reduces the time to market for developing new software applications. That results from the significant reduction in IT resource acquisition time—in many cases, from weeks to minutes.

In addition, if enterprise IT organizations are using a public cloud approach, they have to pay only for what they use, without committing to a long-term relationship. When the project is completed, the IT resources are returned to the pool for reuse or reallocation. That means companies don’t have to make capital expenditures to purchase their own IT resources, which would have to be repurposed once the initial project was completed in order to continue justifying that capital expenditure.

Underlying the cloud computing model is the notion of automation, which enables self-service provisioning, high scalability, elasticity and ease of “return” when no longer needed. This model has been associated with virtualization, since virtualization is typically required to dynamically provision IT services or resources.

However, cloud computing adds user self-service requests for services and automatic fulfillment of those requests. Potential uses range from short-term development or test projects to dynamic incremental capacity for mission-critical, customer-facing Web sites.

Public or Private?

The two primary types of cloud deployment have been called “public” and “private.” A public cloud refers to shared IT services or resources (a multitenant environment) obtained from a third-party service provider, while a private cloud is usually owned and managed in-house. In some cases, a third party provides a private cloud specifically for one company.

Examples of a public cloud include Amazon EC2 (Elastic Compute Cloud), Google App Engine, IBM’s Blue Cloud and Microsoft Azure. A public cloud allows customers to create their own images, and they pay only for their hourly use, including data storage and transfers. While a public cloud offers the ultimate in convenience, a private cloud seems to provide better control and assurance of security and privacy.

Regardless of which approach an IT organization takes, enterprises that deploy mission-critical applications want assurances of reasonable system responsiveness through service-level agreements. They also want protection through data isolation in a multitenant environment, failover protection to minimize service outages and predictable recharge rates.

Portability is also an issue. For example, public cloud users want to know if they can easily change providers. What about software licenses? Can they be moved from one cloud provider to another?

Another area of concern: When an enterprise IT organization is done with its public cloud environment, what assurance does it have that all the private data that was used has been removed? Data privacy is a critical concern that requires tight standards.

Ideally, a public cloud offers zero capital costs of acquisition, since IT organizations pay only for what they use. There aren’t any facility or energy costs. But that still leaves concerns about public cloud security, resilience and service.

The public cloud does offer security, but it’s still not clear to many enterprise IT organizations whether the level of security offered will meet the needs of corporations that are notoriously protective of their data, including credit card numbers and medical records. Convincing corporate security management that data stored with a third party is safe remains a significant challenge, and there is also the question of liability if any data is compromised.

Reliability is another major issue. Public cloud providers offer reliable environments in which replacement instances can be created, but is that good enough? What about data and transactions in flight? Do partially completed transactions get backed out? Enterprise IT typically has disaster-recovery sites to take over operations if there is an event at its primary site, and significant effort is expended to ensure the integrity of transactions.

And, of course, the price of cloud computing is a key issue. The public cloud offers pay per use, which can provide low-cost options for short-term projects. Still, for long-term use, enterprise IT organizations may be better off making a capital investment to purchase additional hardware and software. Enterprises need to conduct a break-even analysis to determine whether a public or private cloud would be more cost-effective for them.

The public cloud offers benefits for application development resulting from rapid acquisition time and reduced capital expenditures. But for high-availability, data security and privacy reasons, enterprise IT organizations remain skeptical about turning to the public cloud for mission-critical applications and sensitive or confidential data.