There was a time when we questioned the viability, if not the necessity, of investing in cloud computing. Yet over the last couple of years, that question has been answered with a definitive yes.
Today, the subsequent debate has turned to the benefits of the private cloud over the public cloud. With pundits on both sides still weighing in, this is a discussion that still rages in many quarters.
Many organizations, citing concerns around security, have been less than enthusiastic about the idea of turning over sensitive customer information and company intellectual property to a third party. They point to breaches such as those experienced by Amazon EC2 and RSA Verisign as evidence that public cloud vendors are less than capable of properly securing their data.
For these organizations, the private cloud is the answer.
Yet while it may seem the private cloud is the best compromise, providing the virtualization benefits, cost savings on server hardware, and more security, this is a decision that is still fraught with its own set of perils. It is imperative that organizations understand that housing data internally still requires careful evaluation and planning.
So before you set up a private cloud, here are six things to consider.
The first and most widely publicized concern is security. The private cloud is not inherently more secure.
In fact, a study conducted by Forrester concluded that over half of the companies surveyed had experienced a security breach in the last 18 months. These were private, application development companies, which confirms the fact that security is no less an issue for the private cloud.
In enterprises both large and small, there exists a system of data segmentation that dictates who has access to what information. In essence, security access is handled on a need-to-know basis.
This might imply that there is a lack of trust between business units, but it is a basic tenet of security that the fewer people who have access to sensitive data, the better.
What this means is that internal network and security staff must be well versed in securing both hosted and bare-metal virtualization. Concerns include locking down the console, controlling software installation, and robust monitoring.
The challenge here is that even companies with mature security departments haven’t gone so far as to have a defined cloud security policy.
Certain industries and business sectors, particularly in healthcare, data storage and financial operations, have a wide and often confusing array of regulatory requirements.
Examples include the Health Insurance Portability and Accountability Act (HIPAA) and the American and EU Data Privacy Directives – each with stiff legal penalties for non-compliance. Among other things, these directives dictate data access, storage and retention requirements.
Factor in the multi-national nature of many of today’s enterprises, and the challenges of managing regulatory and legal requirements go up exponentially. This issue is further complicated by the fact that requirements differ depending on the country in which business is conducted. And conflicting regulations are not uncommon.
Before implementing a private cloud, it is imperative that an assessment of regulatory requirements be performed and that a plan be developed that addresses how to implement the cloud infrastructure accordingly.
Similar to what you might find in terms of agreements between an organization and a public cloud vendor, there are also often agreements set up between business units and IT departments internally. This exists not only in the cloud space, but sometimes in the provisioning of hard disk space, bandwidth or other network resources.
So in order to ensure a set level of service, various types of service level agreements (SLAs) are implemented. This will ensure that expectations for service delivery are established and agreed to by all involved parties.
The SLA simply outlines security and risks. There is also an Operating Level Agreement or OLA, which helps lay out relationships between groups and identifies who does what in terms of support. This is essentially a responsibilities document.
And there are other documents, including the Terms of Usage or User License agreements. These documents also often outline penalties if terms are not met. Company size and needs are determining factors of which agreements are signed.
This next concern should actually be included in the initial planning, prior even to security. Organizations have a myriad of applications, some better suited to the cloud environment than others. Some applications, because of the way they are architected, are not suited to run in a virtualized environment.
Evaluation criteria could include technical requirements of the app, cost savings, and how critical it is to the company mission.
Take, for example, an internally developed legacy application currently running on a Unix-based system. Though there may be benefits to porting to a private cloud architecture, it is highly likely that it may not be technically capable of operating in a virtualized environment. In this case, one would have to consider a complete application rewrite or purchasing a commercial product.
The one constant in technology is change. Consequently, even this initial analysis should continue periodically as technologies, applications and organizational requirements change.
Network and Application Performance
Depending on where data resides — on a virtualized server in Europe, versus one in the U.S., for instance — end users will experience different application performance levels. So before implementing a private cloud, an organization must decide on the best location for the data.
In addition, tools or technologies (like caching and packet manipulation) that help deal with performance issues can be evaluated.
All of the considerations mentioned above really point to one glaring issue. Whether it is security, regulatory compliance, performance planning or other tasks, an organization must have the skills, in-house, to support the private cloud implementation.
Cloud vendors often have the advantage here, and lack of skills in-house is often cited as a reason that many enterprises elect to go with a public cloud. Third-party vendors often have the specific skills needed to perform the evaluation, implementation, maintenance and ongoing support. In contrast, smaller companies and even some larger ones do not.
Let’s look at some of the necessary skills:
• IT Security Project/Program Manager
• IT Application & Network Security Analyst
• Network Performance Analyst
• IT Regulatory Compliance and Assessment
• Virtualization Experts
In addition to these skills, there may be a need to have certain staff available on-call on a 24-hour basis. And as cloud vendors are able to provide more perks in the way of education, focus on technology, and room for growth, companies that have a different business core may not be able to offer the same benefits and enticements. And there are also the issues of budget and learning curve for retraining existing staff.
In the end, despite all the challenges, the private cloud may still be the best option for many organizations. And this is not an attempt to persuade them otherwise. The key takeaway is that planning from technical, human resources, and regulatory perspectives is essential to a successful private cloud deployment.