Welcome to Part 3 of The Cloud Understood series. A quick recap: in Part 1, I defined “Cloud” and described the most common XaaS (Anything-as-a-Service) offerings. In Part 2, I discussed the interaction of Cloud Providers, Consumers, Service Owners, and Service Consumers and mentioned the features and benefits of the Cloud. In this edition, I will describe many of the Cloud’s features, benefits, weaknesses, and risks. As with any IT strategy, with Cloud technologies there are trade-offs. Trade-offs made or accepted during the initial adoption of Cloud design—between the risk and benefit side of the equation—often have long-term effects. These trade-offs are typically driven by high-level business goals and guidelines such as financial and regulatory restrictions, risk tolerance, line-of-business contraction/expansion, and available resources.
In the following sections, we will explore the benefits and risks of Cloud design.
The common benefits/features of Cloud design:
- Reduced up-front capital expenditures
- Reduced data center operational costs
- Redirection of capital to core business initiatives
- Budget based on metered IT resource services
Many businesses are making the move to the Cloud primarily based on financial considerations. While there are sound financial benefits to support this change, many early adopters are finding that there are hidden and long-term costs that aren’t necessarily obvious. It is true that initial capital and operational costs can be dramatically reduced—especially for a new, start-up business. But existing businesses that have already heavily invested in data centers, infrastructure, licensing, maintenance contracts, and skilled human resources will encounter considerable extra operational and liquidation costs during the transition period, which can easily last for a few years. In the long run, most businesses will see financial rewards as a result of migrating to the Cloud due to decreased capital expenditures, reduced skilled IT human resources, and easier-to-budget operational expenses. Moving to the Cloud, however, cannot be considered a panacea for any business looking for a quick fix for troubled financials.
- Quick provisioning/de-provisioning of IT resources
- Rules-based scalability of IT resources
- Upgrade to the latest and greatest IT resources
The ability to size the IT resource pool dynamically and quickly is one of the most compelling reasons to move to the Cloud. Many businesses have seasonal or cyclical IT requirements. In a traditional data center design, businesses either over-build their infrastructure, resulting in wasted capital expenditure dollars, or attempt a just-in-time build-out of their infrastructure, which easily equates to lost revenues if the timeline or sizing estimates are too low. Leveraging the Cloud’s on-demand and metered usage features, infrastructure can be expanded and contracted manually in a matter of hours or even automatically in a matter of minutes based on thresholds and demand rules.
- Infrastructure designed for redundancy and failover
- Larger Cloud providers have interconnected, geographically disparate data centers
- Increased quality-of-service guarantees to end-users
Most of the businesses that I have consulted for have limited or non-existent disaster recovery (DR) or failover capabilities. Most of the dollars budgeted for DR get reallocated to other capital projects. Typically, only the largest of enterprises have afforded the luxury of secondary data centers that are required to design and build true disaster-recovery and high-availability solutions. Many, though not all, Cloud providers have multiple interconnected data centers located across the continent, hemisphere, and globe. To protect their clients and themselves, the Cloud providers make periodic copies of all virtual appliances from one data center to another. This provides at least a minimal amount of assurance for recovery in the event of a disaster. However, it is better to design disaster-recovery and high-availability capabilities across multiple data centers by provisioning redundant resources and utilizing load-balancing and failover routing logic in the networking layer of the Cloud.
The common risks/weaknesses of Cloud design:
- Reduced Control
- Reduced Operational Governance
- Infrastructure-related standards are dictated by the Cloud provider
- Based on Cloud Delivery Model, consumers may have limited or no knowledge of the supporting physical, hypervisor, VM, or connectivity layers
- Identity/Access Management, Cryptography, and other Security Protocols may be dictated by the Cloud provider
- Amount of Organizational Control based on Cloud Delivery Model
In every use of Cloud-based IT resources, some amount of control is relinquished. For the typical end-user of the Cloud, this is not an issue, but often IT management and strategists are reluctant to give up control of versions, patching, maintenance, and vendors.
- Lack of standards
- Differences in virtualization software
- Difficult or costly to migrate from one Cloud provider to another
While all of the significant Cloud providers offer similar resources, the virtualization software or the software products installed on the virtual appliances may vary. These differences, together with the lack of standards for Cloud services such as compression and encryption, lock a business in to its Cloud provider. It likely isn’t possible to take a copy of a virtual appliance from Cloud provider A, send it to Cloud provider B, and make it work. In cases of acquisition and merger (or worse yet abandonment, such as in the recent announcement by Verizon Cloud), the Cloud consumer can face the time-consuming and costly tasks of reclaiming all of its Cloud-based assets and re-designing and re-deploying them in the realm of another Cloud provider.
- Attacks on shared IT resources can affect all users/consumers
- Since Clouds are “remote IT resources,” data and credentials are more vulnerable than in a closed on-premise compute environment
Once computing shifted from stand-alone, closed systems into interconnected local-area networks, wide-area networks, and Internet-enabled networks, security became the most significant risk in IT. Cloud technologies add to the list of security weaknesses and force the consumer to be ever more diligent in the pursuit of safe computing. In the Cloud, even with strong trust boundaries and segregated multi-tenancy, a well-crafted Denial-of-Service attack on one consumer’s virtual server will affect all other consumers whose virtual appliances reside on the same “bare-metal” infrastructure. Cloud technology also challenges hackers to create horizontal intrusion attacks, in which malicious code running on one virtual appliance scans through addresses and ports looking for a pathway into someone else’s virtual machine. There are various tools/services to help prevent and recover from security breaches, such as encryption and monitoring, but it is the consumer’s responsibility to ensure its systems and data are protected.
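As an illustration of the monitoring side, the sketch below flags the horizontal scanning pattern described above in network flow records. It is an added example, not part of the original article; the record layout (source, destination, port, action), the internal address range, and the thresholds are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal (tenant) address range; adjust to the real network.
TENANT_NET = ip_network("10.0.0.0/16")

# Constructed sample flows: (src_ip, dst_ip, dst_port, action).
SAMPLE_FLOWS = (
    # One host probing SSH and RDP on four neighbours, mostly rejected.
    [("10.0.1.5", f"10.0.2.{h}", p, "REJECT") for h in range(1, 5) for p in (22, 3389)]
    + [("10.0.1.5", "10.0.2.4", 445, "ACCEPT")]
    # Normal application traffic: a web server talking to its database.
    + [("10.0.1.9", "10.0.3.10", 5432, "ACCEPT")] * 20
    # Outbound Internet traffic, outside the scope of this check.
    + [("10.0.1.7", "203.0.113.10", 443, "ACCEPT")] * 6
)

def find_lateral_scanners(flows, internal_net, min_targets=5, min_rejected_ratio=0.5):
    """Return internal sources that touch many distinct internal
    (host, port) pairs and have most of those attempts rejected."""
    targets = defaultdict(set)   # src -> distinct (dst, port) pairs
    total = defaultdict(int)     # src -> number of internal flows
    rejected = defaultdict(int)  # src -> number of rejected internal flows
    for src, dst, port, action in flows:
        # Only internal-to-internal (east-west) traffic is relevant here.
        if ip_address(src) not in internal_net or ip_address(dst) not in internal_net:
            continue
        targets[src].add((dst, port))
        total[src] += 1
        if action == "REJECT":
            rejected[src] += 1
    findings = {}
    for src, seen in targets.items():
        ratio = rejected[src] / total[src]
        if len(seen) >= min_targets and ratio >= min_rejected_ratio:
            findings[src] = {"targets": len(seen), "rejected_ratio": round(ratio, 2)}
    return findings

if __name__ == "__main__":
    for src, detail in find_lateral_scanners(SAMPLE_FLOWS, TENANT_NET).items():
        print(f"possible lateral scan from {src}: {detail}")
```

Requiring both a wide spread of targets and a high rejection ratio keeps a busy but legitimate client, such as the web server in the sample, from being flagged.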
- Geographic location of Cloud provider data centers may be a consideration when storing sensitive data
- Governments or other oversight entities may dictate and regulate cryptography minimum requirements
In the US, there are guidelines, rules, and laws that dictate how specific types of data (PID, PCI, PHI, etc.) must be stored, transmitted, and shared. There are also industry standards established for locating disaster-recovery sites and redundant connectivity. Other countries have added laws that restrict the storage and transmission of sensitive data outside of the country’s physical borders. As with most laws and regulations, ignorance is not an excuse for non-compliance, and it is the responsibility of the consumer to know, understand, and apply them.
I hope that, as intended, this article has given you questions to ask yourself and your potential Cloud provider. Unlike some of the marketing materials for the Cloud, I don’t believe that there is any one right solution for Cloud consumers; the answer is found in who you are, what you do, and where you want to go.
Next time, I’ll explain various Cloud Deployment Models.