The shift to cloud computing is well past the tipping point. Incumbents like Microsoft, IBM and Cisco are all dumping wheelbarrows full of money into their cloud efforts.
Even the once-constant cloud skeptic, Larry Ellison, is now on board – albeit reluctantly – and behemoths in the making like Salesforce.com have the cloud to thank for their rise.
Moreover, every time a research firm studies adoption patterns or asks the IT community about their future plans, the cloud continues to trend upwards. A new Savvis survey found that 75% of companies will use enterprise-class cloud computing solutions within five years. A MarketBridge cloud survey echoed those findings. Of the 1,000 small-to-medium enterprises surveyed, 44% already have at least one business application running in the cloud, and more than 70% said that they intended to move more of their business into the cloud sometime in 2011.
However, concerns and question marks abound. Every time I write a cloud story, I get emails and my stories get comments from cloud deniers. This comment from “AngrySparrow” on my recent cloud prediction story is representative:
Cloud computing? Hmmm… I’m not convinced. Naturally, could be wrong, but I work for a very, very, very large IT services company and frankly, the sales just aren’t there – at least, not in Europe. It’s mostly hype at the moment – like WAP – and it seems it’s mostly sales guys talking it up – making predictions about how glorious “it’s all gonna be!!”
Now, I don’t want to pick on AngrySparrow here – well, not too much, anyway. The rest of his comment makes some good points about regulatory issues in the European Union that will slow adoption there, but if you’re not convinced that you’ll be heavily invested in the cloud sooner rather than later, you might also be a charter member of the Flat Earth Society.
Comments like these do serve a purpose, though. They point to the fact that there is still a lot of work to be done by cloud providers before the cloud can be truly considered a mainstream technology and not one on the cusp.
Here, then, are five questions to ask cloud providers before you commit to their services.
1. What models do you offer (private, public, hybrid), and what if I want to transition from one to another?
There is plenty of debate about the best cloud model for various types of businesses. Anytime there is a high premium on data privacy and security, organizations are nudged towards private clouds.
What, though, constitutes a private cloud? Can hosted services still be private?
That’s a debate I don’t want to go too far into now, but your cloud plans need to cover these issues. If you classify certain data as verboten in public cloud environments, how will you know that the private and public clouds are kept separate?
Just as importantly, what if you change your mind? Is there an easy migration path from private to public and vice versa? What if regulatory compliance forces you to strip certain applications out of public clouds? Can the provider offer some alternative, such as air-gapping?
If so, how do you know that they have the administrative controls in place to ensure that the air gap isn’t breached by something as simple as a misconfiguration?
2. What is covered in your SLA?
For any enterprise-class service, SLAs are a big deal. Yet, a joint Ponemon Institute-Symantec cloud security study found that 65% of organizations evaluate cloud vendors by word of mouth alone. Few require proof of security compliance and more than half just trust vendors to do what they claim they’ll do.
It goes without saying (but I’ll say it anyway) that few are proactively negotiating the terms of SLAs. “SLAs, security, reliability and uptime can all vary greatly from provider to provider,” said Rami Habal, Director of Product Marketing for ProofPoint, a SaaS security and compliance provider. “Ensure that you can hold cloud vendors accountable through SLAs, not just operationally but at an application level. Insist on SLAs for applications.”
If something important – data privacy, disaster recovery and automatic backup, logging – is not in the SLA, ask why it’s not there. Next, either go elsewhere or ask them to accept the revised SLA your management and legal team put together to cover all of your concerns.
3. How will you protect my data?
Just because a vendor claims that cloud security is a priority doesn’t mean that their security practices are up to the challenge of warding off ever-evolving threats. For instance, everyone knows that they need to have an IPS in place, but does your vendor have a cloud-capable IPS?
“Many appliances have packet-inspection settings that are designed to fail on,” said Joe Anthony, Director of Security Product Management for IBM. If the device is overwhelmed with peak traffic or by, say, a flood of rich media, the bulk of the traffic will, by default, pass through with only small samples inspected for threats.
This shortcoming will typically be logged, alerting administrators to the problem, but how many will actually follow up? Anthony recommends IPS solutions with 20 GBps capabilities, at minimum, for public cloud environments.
Trust is another major concern. “In the cloud, previous outsiders quickly become insiders,” said Mike Gault, CEO of GuardTime, a provider of keyless signatures used to validate the integrity of data. “There is no distinction between the two. With all of the new risks inherent with cloud computing, it’s especially important to recalibrate trust. To be blunt, you really can’t trust anyone anymore.”
This means having security in place for data protection and integrity, to protect against data loss and to secure the application layer, not just the network and access.
4. How will I know that you are properly protecting my data?
Okay, so your vendor says that they have strong security. Now, prove it. What are the monitoring and logging policies? Who audits them for security compliance (and to what standards) and what sort of access will you have to those audits?
5. How can I trust that you’ll be a viable company in the long run?
Cloud computing has accelerated the challenges that incumbent providers face from upstarts and startups. It’s cheaper and easier to get a full-blown IT service up and running today than it was even a couple years ago.
With that sort of upheaval, though, comes uncertainty. You can be pretty confident that the old vendors you know and trust (and sometimes loathe) will be around to support and service you. If one of them implodes, that’s not even such a big concern because ISVs and various consultants will be able to step in.
Stability in the cloud is something that is still a ways off. “We’re a cloud provider, but a question we ask before adopting cloud or SaaS internally is ‘are you going to be around for the long haul?’” said Aaron Levie, co-founder and CEO of Box, a cloud content management provider.
If it’s a startup, how well are they funded and by whom? What is their exit strategy, be it independence or acquisition? How sound is the business model?
Of course, I asked Levie how he answered that question for Box. “We’re focused on being independent. Period,” he said. Levie noted that the company’s recent $48-million round of VC funding will be used to build out infrastructure, recruit more high-profile senior executive talent, build out a larger IT and support staff and expand the service portfolio. They currently have over 5 million users, and count more than 6,000 companies as customers, including 73% of the Fortune 500.
How often do you ask vendors about their financials and business model? In the cloud, it’s a question you neglect at your own risk.