Well, I thought that I could get away with no more articles in 2008. I guess that I was mistaken. I just read a good article by Chuck Goolsbee on SearchDataCenter.com titled: “Don’t buy cloud computing hype: Business model will evaporate” and I figured that I would put in my 2 cents on some of the items mentioned within.
Goolsbee takes a very pragmatic approach to “slicing through” traditional datacenter hosting (using Occam’s razor to boot), so that he could evaluate each and every aspect of what is contained in a physical environment. To summarize (and I’m paraphrasing, hopefully accurately), he mentions:
- Payment Card/eCommerce systems – hard to audit the purchased virtualized hardware within the Cloud
- Security – this works with auditing, but is the environment physically secure? Is there “data mingling?”
- “Fully acronym-compliant” – is the Cloud HIPAA, SOX, SAS70, GLBA, etc. compliant?
- Data retention – for legal purposes, how can you ensure data retention?
- Cloud Computing Success Stories – pure cloud solution successes are marketing driven
- Margins for Cloud Providers – how can a cloud provider keep a good profit margin?
- Data Center On-Demand – that is what Cloud Computing is
- AWS is the only real “successful” cloud provider – they are selling unused capacity
- “Buzzword overlap” – SaaS is NOT a cloud
Those are just a few points that I wanted to call out and respond to from my own perspective. First of all, I don’t disagree (completely) with the items that are listed above. Any company looking at the Cloud as the end-all solution for their IT needs may be disappointed unless they fully think it all out. To address the points above:
- I somewhat agree with this assessment. It is impossible to fully audit what I call “disposable IT.” However, the shift from CapEx to OpEx means that auditing methods need to be re-evaluated. In the past (and currently), if you wanted to requisition hardware, there was a process for doing so. It took time and had rigorous approval processes built in. Now, with the Cloud, you can do this “on the fly” and servers in the Cloud can be created and disposed of extremely quickly. With data in general, you can never fully have “absolute certainty” with an audit. Compliance requires a “reasonable certainty”, especially since data isn’t persistent in or outside of the Cloud. So, saying that the Cloud model will fail because it isn’t compliant or can’t be audited is erroneous.
- Physical security is left to the hosting provider or even to an outsourced 3rd party whose specific job is ensuring security and compliance therein. This is true with traditional datacenters, “cloudcenters” (a term that we at GoGrid are using to describe our Cloud Infrastructure), and even shared hosting. Just as Credit Card fraud initially got a lot of hype due to the launch of eCommerce, security in the Cloud will undergo a similar scrutiny. There is (unconfirmed) more Credit Card fraud that happens over the phone or physically at merchants than with eCommerce. When you choose a hosting provider, cloud or traditional, you need to think about data mingling anyway. Just ask your provider those questions. As standards arise and Government and Enterprise adopt Public and Private Clouds, security, as I have said previously, will be as robust if not more so than traditional centers. As in the Credit Card example, it’s probably safer to use a credit card online now than over the phone, but that depends on the site.
- Yes, the ever-persistent acronyms are important. GoGrid and parent company, ServePath, are SAS70 Type II certified, for example. But these regulatory organizations will ALSO have to adapt to this new business and technology model. This could prevent some traction of the Cloud for a few corporations, but I don’t think it will slow down others that much. And audits like the ones we have, such as SAS70, are widely-accepted industry standards for showing reasonable assurance and allowing auditability.
- I agree with the assessment that the Cloud will make it difficult for Law Enforcement to ensure data retention. Cloud Storage and/or backups can be used to allow for data retention to take place. However, if data retention is a requirement due to compliance or legal issues, processes can be built in to any IT infrastructure, cloudy or not. The other thing to consider here would be “hybrid solutions.” Since GoGrid is run by a traditional managed hosting provider, ServePath, we understand that there are certain items that are better fit for physically residing somewhere. To that end, we developed Cloud Connect. Corporations or businesses that are concerned about data persistence and the physicality of that data could opt for a solution like Cloud Connect to meet this need.
- Success Stories generated by providers are great. But what is better is blog posts or end-user reviews of the service. There aren’t too many reviews on successful implementations with datacenter deployments, mainly because it takes a very long time to roll out fully within a data center. And, it’s not “sexy.” Deploying a full IT infrastructure in the cloud in a matter of hours (vs. days or weeks in a datacenter) IS sexy, and people are talking about that. Time is money. If you can reduce your time to market by using the Cloud, then you will be many steps closer to monetizing than if you took a traditional method. Again, this could be where hybrid clouds (e.g., Cloud Connect) might come into play. I don’t agree with Goolsbee’s statement that “the cloud cannot contain anything critical”. Just look at SalesForce or EC2 or GoGrid. Plenty of critical data is contained within those Clouds. I do agree that Cloud Computing IS great for start-ups, but if you stop there, you are missing many larger opportunities.
- Margins for traditional data centers are a topic unto themselves. I will only scratch the surface here. GoGrid, for example, was born from traditional managed, dedicated hosting provider experience. In order to roll out and deploy servers, there is a large capital and operating expense. When new clients come on board, servers have to be configured to their needs, hard drives formatted, memory installed, cables connected, etc. The man-hours spent to roll out a single customer are quite large. We saw these inefficiencies as well as the fact that once deployed, servers sat idle and under-utilized. GoGrid was developed to combat these internal and external cost and labor inefficiencies. Not only could more “servers” be “contained” within fewer larger physical servers (reducing datacenter footprints, power, cooling, etc. metrics), but also, automated deployment reduced the human capital needs. Coupled with the fact that the control was now in the hands of the end user (in terms of scalability and configuration, for example), time to deploy was reduced (equating to less grumbling on all sides). If you read between the lines here, there are better margins for a hosting provider to convert some internal infrastructure over to providing Cloud “services” than not. Once the technology is created, rolling out Cloud infrastructures within a hosting provider for end users to later use is better than rolling out a handful of customized dedicated servers.
- Some Cloud Computing providers are data-centers on demand, but very few. As I mentioned, we now refer to GoGrid as a CloudCenter, the equivalent of a DataCenter but in the Cloud and using the requirements of Cloud Computing: dynamically and rapidly scalable, paying for what you use and using only what you need, programmatically controlled through an API (or web interface), and somewhat “virtualized”. To be a true “datacenter in the cloud” you must have all of the components of a datacenter (servers, switches, firewalls, load balancers, storage, multiple network pipes, internal and external networks, etc.). Only those Cloud Providers that give out Infrastructure solutions (e.g., GoGrid and potentially EC2) can be considered “data-centers on demand” and even then, EC2 doesn’t quite fit.
- AWS had a few things going for it to get it on its way to being considered a “successful provider”: its name, its size and the fact that it was first to market (or appeared to be). Don’t get me wrong, their entire suite is very impressive and they have a lot of extremely happy customers. Also, they have truly broken the ice for other Cloud providers to come along (for which we are thankful). I’m not sure about the accuracy of what Goolsbee says (that they are “selling unused capacity”). This may have been true initially, but I believe they are their own business unit by now and their data centers have nothing to do with their “book selling.” Also, the mention of uptime and security guarantees being lacking will change (they recently released an SLA for EC2…it’s not as robust as GoGrid, for what it’s worth). The general pessimism about AWS not being good for mission-critical IT functions is not really warranted, I don’t feel. Datacenters fail, as do servers. This is not specific to the Cloud. If you are worried about your data, back it up! That is the best practice and not something that you should only do if you are using the Cloud.
- I agree that Cloud Computing as a general buzzword is over-used and vague, but it is here to stay until something better comes along. We are already seeing segmentation within it. It is a general encapsulation of many different things. I do think that SaaS belongs as one of the Cloud layers (Cloud Applications) provided it meets the Cloud checklist. Google IS a cloud provider (Google App Engine as a Cloud Platform; Gmail as a Cloud Application). Buying application time (specifically “hosting” your Python application within their datacenters) IS using the Cloud, though it is using a Cloud Platform rather than Cloud Infrastructure. In fact, you will be able to buy additional capacity on App Engine soon.