Just about every modern business relies on IT to deliver and support critical services that keep the doors open and revenue flowing. But IT is also a huge cost center for modern businesses. Consider that hardware and software must be maintained constantly, added as businesses grow and completely updated every few years. Business data must be protected, secured and guarded against disaster. And everything must be overseen by a trained and experienced IT staff. The emergence of cloud computing may well change this traditional paradigm by providing businesses with subscription or demand-based IT services and infrastructure—treating IT as any other “utility” such as electricity or water.
Cloud offerings are available today, but the technology and practices are still evolving. Organizations should consider the pros and cons of cloud computing carefully before making the move to the cloud.
Cloud computing migration is about shifting costs
A primary benefit to cloud computing migration is cost optimization. Most organizations that adopt cloud technology see a fundamental shift in the way they spend money. For example, the huge sums of capital that would traditionally be invested in hardware, software and labor would shift to recurring operational costs tied more closely to the actual use of computing resources from the cloud provider. Rather than buying everything outright, you pay for what you use.
Beneficiaries of the cloud
All sizes of organizations can take advantage of cloud offerings, but those small- and mid-sized can generally make the cloud transition more quickly and easily than larger organizations with a greater proliferation of different equipment.
“Larger organizations tend to be more heterogeneous,” said Phil Cox, principal consultant with SystemExperts Corp., a provider of IT compliance and security consulting services. “Smaller businesses tend to be a little bit more agile. They can go to more of a homogeneous environment, and they can change quicker to adapt to what the cloud can offer.” This also holds true for larger organizations with independent departments or divisions that act like small- or medium-sized businesses.
The notion of computing as a utility is profound because it allows organizations to pay for services as they are needed. A traditional business might only need access to an application for a few crucial hours on any given day, yet the business would have to buy the entire server, install it, run it 24/7/365 and maintain it to have that application available. By accessing that application through a cloud provider, an organization can buy access only when they need it, and scale that access up or down as needs dictate.
“An application that is only in use during the day and has peak use times, say at 9 a.m., 2 p.m., then 5 p.m., is a good fit as you can scale down the application outside of these times to a very small—or no—footprint and scale them as high as necessary during these peaks,” said James Staten, principal analyst with Forrester Research Inc. But it’s not just a reduction in—or elimination of—hardware purchases that warrant the attention of business owners. Overhead associated with owning and operating hardware is also eliminated.
“You also remove the headache of dealing with hardware, and the management, asset tracking, memory problems,” said Philip Cox, principal consultant with SystemExperts Corp., a provider of IT compliance and security consulting services. “Everything that goes along with maintaining hardware goes away," he said.
Every business that embraces the cloud will need to consider management. Cloud providers usually offer Web-based portals or tools that can aid end-user management, but third-party tools like RightScale, enStratus Networks, Cloudkick and others are pivotal in controlling cloud costs by managing deployment, scaling, monitoring and asset movement.
Assets can become liabilities
Although the benefits of cloud computing migration can be quite compelling, there’s also a downside to consider. The first major issue is security. The simple fact is that a business with data in the cloud has absolutely no control over where that data actually lives. This is a deal-breaker for healthcare or finance organizations that must retain tight control over their data. There are also security concerns around multi-tenancy, although Staten said that serious breaches have yet to manifest themselves.
The second issue is availability. It’s important to realize that a cloud provides no more availability than any other data center—the provider is still vulnerable to outages, congestion, human error, hacking, cyber-attack and other problems.
“All hosters are vulnerable to congestion due to not monitoring resource use as effectively as they should and for not optimizing resource configuration,” Staten said. Even the most conscientious cloud provider may carry planned downtime that may unduly interfere with your business needs. Consequently, organizations with high-availability requirements may have trouble adapting to the cloud.
There are broader areas of disruption that can affect cloud users. For example: A regional disaster can take a cloud provider offline for an extended period. Or the provider may go out of business. These are all real possibilities that can have profound consequences on businesses.
In addition, backups and data protection are not automatic with cloud providers, so clients should still establish, review and test their business continuity plans in the event that a cloud provider becomes unavailable or business needs dictate moving to a different provider.
When good clouds go bad
Reliability is a major concern for cloud users—and with good reason. Business users have no control over the cloud provider, and disruptions in service can have a tremendous impact on every client’s business. Consider the Salesforce.com outage that occurred in January 2010. Although the outage lasted only an hour, it affected both primary and backup systems, which disrupted service to all 68,000 Salesforce.com customers. Luckily, no customer data was lost in the incident.
But even more disturbing was the lack of transparency or explanation from Salesforce.com surrounding the incident. Salesforce.com representatives said the company would not provide any information or explanation beyond what had been posted on the firm’s status page.
Most IT professionals and business owners recognize and accept the reality of cloud service disruptions, but this kind of closed response may do more to hinder cloud adoption than the actual incident itself. It certainly does little to assuage the concerns of other prospective clients. After all, how can a company trust its operations and data to a provider that won’t communicate definitive answers when problems occur? This is an issue that providers and clients will grapple with more as cloud services grow.
And SLAs don’t help much. Cloud providers do little—if anything—to ensure security or availability or response times for their clients. Most SLAs leave large time windows and “best effort” hedges that really don’t provide any concrete guarantees for business owners.
Cox said that the cloud is a lot like the electric company. When the power goes out, it’s fixed when it's fixed. And when disruptions occur, there is typically no recourse for clients affected by the outage. If an SLA is breached, the most a customer can expect is a rebate for the charges they would have paid during the outage. The point is that prospective cloud users really need to read and understand the SLA and then map it to their business needs before moving to the cloud.
Striking a balance between reward and risk in cloud computing migration
Experts say that the trick to successfully leveraging the cloud is to understand that it’s not an all-or-nothing proposition. Given the limitations and concerns of cloud technology today, it’s best to use the cloud with noncritical applications and nonsensitive data.“If it’s down for a day, we can live with it. Or if this data does get compromised in some manner, we’re not going to lose our business,” Cox said, adding that these direct benefits are ideal opportunities to evaluate the cloud paradigm and provider. Don’t put mission-critical data in the cloud, such as trade secrets, and avoid putting regulated data in the cloud such as healthcare—HIPAA-compliant—data, social security data, financial data and credit card—PCI-compliant—information.
Staten said that other types of services, too, should not be placed in the cloud, including any applications that don’t work well as a virtual machine or applications that depend on complex clusters, such as Oracle RAC.
The real deal-breaker for potential cloud adopters today is the lack of flexibility and responsibility delineated in the provider’s SLA. An SLA is crafted by the provider, and it’s designed to protect the provider’s interests—a provider simply won’t take responsibility for anything beyond the uptime for its base services—typically, no more than 99.5%.
Providers make no guarantees of network bandwidth or latency and no guarantees of high-availability for your apps or your storage, Staten said. “These all fall back to the IT ops guy who uses the service.”
Because a client generally can’t negotiate more IT responsibility for the cloud provider, the client has two simple choices—accept what the cloud provider is willing to do or don’t use the service.
Looking to the future
Cloud computing is not a new idea. The notion of leasing access to applications or IT infrastructure and paying only for what you use is compelling to any business. So why does it seem to be taking so long for the cloud to mature?
More on cloud computing migration:
Cloud migration strategies for smoother P2V2C transitions
Legacy application migration to the cloud and security
Cloud migration requires network retooling
There are several aspects. The first is accessibility—adequate and affordable business bandwidth has been around for only a few years. Another consideration is the provider’s understanding of the market, identifying the need for new capabilities and learning to optimize those services as the client base grows. It’s a natural progression that’s still taking place.
“The Infrastructure-as-a-Service market is only three years old,” Staten said. “SaaS took nearly 10 years to reach critical mass, and some would say it still isn’t there yet.” Security concerns need a great deal of attention before the cloud can really become a major IT force. Typical security models don’t apply in the cloud and will have to be re-engineered—to the satisfaction of businesses and regulators—before cloud services really take off. Staten expects cloud providers’ infrastructure to improve and become more robust, along with better APIs and support services that allow clients to exert a greater degree of control over the cloud services, utilization and cost.
Ultimately, regardless of what the next few years bring, it’s unlikely that the cloud will ever become a universal solution for every IT need. SLAs will continue to be a sticking point for cloud adoption. Continued pressure from clients will eventually prompt more favorable SLA terms—even if consumers wind up paying more for them.
“It’s a new option in the IT portfolio,” Staten said. “There will always be justification for running your own servers, just as hosting didn’t kill the corporate data center.”
Stephen J. Bigelow, a senior technology writer in the Data Center and Virtualization Media Group at TechTarget, has more than 15 years of technical writing experience in the PC/technology industry. He holds a bachelor of science in electrical engineering, along with CompTIA A+, Network+, Security+ and Server+ certifications, and has written hundreds of articles and more than 15 feature books on computer troubleshooting, including Bigelow’s PC Hardware Desk Reference and Bigelow’s PC Hardware Annoyances.