Cloud computing: issues and challenges
The IT services now known as cloud computing have been around for decades, but they’ve never been under the spotlight. Now however, their time has come: over the past few years cloud computing hardware and software packages have emerged and been offered over the internet.
According to International Data Corporation (IDC), clouds accounted for 15% of IT spending in 2011 and will grow at a compound annual rate of about 26% for the next four years. This is roughly five times the growth rate of the technology industry as a whole. In addition, 80% of all new software offerings in 2011 will be available as cloud service. But there is a long, hard road of difficult transitions and adoption decisions still ahead.
Indeed, cloud computing service providers (CSPs) need to position themselves: their offerings and their future development strategies for the rapid changes to come. Likewise, business users of cloud services require immediate insight into the benefits and risks of cloud computing – along with how to exploit the former, while avoiding the latter – as they adopt this “new mainstream” IT approach.
First of all, CSPs and their customers must consider interoperability issues in many dimensions. Assuming that no medium or large organization will migrate their IT operations to a cloud model overnight, the biggest interoperability issues are likely to be those between the customer’s existing infrastructure, data and applications and the CSPs. For example, a customer database migrated to the cloud may still need to interact with in-house marketing automation and ERP systems.
However, while interoperability standards are not yet mature, several coalitions of technology vendors, CSPs and service users have formed to drive the creation and adoption of open standards.
While there is no doubt that cloud computing appears to be well on its way “across the chasm” to mainstream adoption, concerns over security slowed its early adoption. Indeed, turning over control of the security of their IT infrastructure and data is an inherently uncomfortable situation for senior corporate managers against the existing culture of many large corporate organizations. It is no surprise therefore, that a research survey of North American and European businesses found that 50% of respondents said their fundamental reason for avoiding cloud computing was security concerns.
Indeed, simply communicating data over the public internet, as opposed to keeping it entirely within a private corporate network, may increase data vulnerability. In addition, the business models of CSPs involve sharing infrastructure among many clients and managing IT workloads among many different physical machines or even geographically dispersed data centers. That workload management issue means that a given cloud user may not be able to determine precisely where its data is located or how that data is protected. The shared infrastructure issue effectively links the security fates of all users in a given cloud in a sort of unintended commune. These issues were cited in a recent European Commission report as the key reasons why cloud computing will require entirely new security governance models and processes. On the privacy side, there is the concern that personally identifiable information stored in the cloud can be breached more easily than if stored in-house. Beyond data protection, the core privacy problem for enterprise businesses adopting cloud computing arises from the diversity of privacy regulations from country to country. For instance, a cloud provider may be subject to privacy laws such as Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI/DSS), the US Patriot Act and EU Data Privacy Act. Even though the cloud computing is often “borderless”, the compliance is not.
Finally, CSPs and their clients alike need to be concerned with the fact that data sometimes persist in servers through which it has traveled, even after having been “deleted”. This is effectively raising the concern that once it is shared, data will persist in that environment forever, being in volatile memory and/or on hard-drives.
Thus, the new vendor management challenges stem from the loss of control and lack of transparency into infrastructure details that often come with moving to cloud services from in-house or traditional outsourcing models. Previously companies could design systems to meet precise requirements for security, data integrity, system availability and other factors. Moving to the cloud means buying from CSPs that do not always provide a transparent view into the inner workings of their infrastructure. While the exact nature of the issues vary depending on the type of cloud service (e.g. application, platform or infrastructure), the overarching principle is the same: instead of specifying technical requirements, business users typically must manage vendors to meet service levels using SLAs. In this vein, over time, the experiences of early adopters will lead to standardized SLAs that help define critical components of the relationship between organizations and their CSPs, as well as how to manage those relationships. Such standardized documents can be put to use by organizations that do not have their own direct experience.
Although SLAs are traditionally related to the overall availability of service, including disaster recovery, cloud users have traditional concerns because they typically lack other ways to enforce their requirements. Indeed, even seemingly mundane issues can create challenges if they are not anticipated and processes agreed upon in advance. For example, CSPs must upgrade their infrastructure and perform maintenance from time to time. If the timing and scope of such activities are not defined and agreed to in advance, they might occur at a moment that interferes with a user’s critical business model process.
Importantly, not all “down time” is equal in value: for example, an e-commerce site selling football apparel will lose more value during the Super Bowl in the US, or the World Cup in the rest of the world, than at any other time of the year. How will SLAs be written to account for such variability? Therefore, it is important to understand a CSP geographical coverage and how this may affect cloud users who are de facto entirely dependent upon their CSP business continuity program and disaster recovery capabilities.Aforementioned considerations, interoperability topics, security and privacy concerns, legal and compliance issues, as well as reliability and continuance questions are all likely to influence the types of applications and business processes that are candidates for cloud deployment. Once addressed and considering the cost saving opportunities of the cloud, strategic sourcing opportunities that were not considered yesterday might become feasible today depending on market evolution.
By Olivier Lemaire, EMEIA Telecommunications, Medias and Technologies Leader, and Sébastien Cara