Top 10 Cloud Computing Complaints
Leading industry experts respond to gripes that IT professionals have about the security, cost, and portability of cloud computing in the enterprise.
June 22, 2010
As the popularity of cloud computing is taking off, so have questions and complaints from IT professionals who are using -- or considering moving to -- the cloud. Industry leaders answer some of the main concerns that they hear from IT staff about the cloud.
Gripe #1: "Wait, this isn't really infinite, is it?"
One of the big draws of cloud computing is the ability to start small and then go big at a moment's notice. But this elasticity should not be mistaken for infinity.
"It seems infinite, but it absolutely is not infinite," says Imad Mouline, CTO of Gomez, the web performance division of Compuware. "In some circumstances, you may not be able to get the instance that you want, the data center or availability zone that you want, or the kind of instance that you want."
You may be exposed to operational risk if your business depends upon being able to provision any level of cloud resources at a moment's notice. "Are you willing to bet your business on it?" asks Mouline. "Or are you taking a chance that on the day that you need to ramp up that you'll have the capacity and that you'll get to it quickly, in hours instead of days?"
If several heavy users of cloud services simultaneously have the same idea to scale up, you may end up in the tech equivalent of a financial panic where everyone tries to withdraw money from a bank that holds inadequate reserves.
Gripe #2: "It's too slow!"
Your computing resources are only as fast as the slowest link of the information supply chain, and if your slowest link is an underpowered cloud computing provider, you may have grounds for a gripe.
"We've won customers that way," says Jonathan Hoppe, president and CTO of Cloud Leverage, a provider of cloud performance solutions.
"Say you've got a website that's going to pull images from cloud storage," Hoppe says. "You want that connection to be very fast, and you also need both to be very fast when delivering to the end users."
Perform some simple performance tests before you start doing business with a cloud provider, and make sure you understand the quality of service and performance guarantees in the service level agreements. "You can tell a lot by looking at the SLAs," Hoppe says. "If they're pretty aggressive, they have a lot of confidence in their infrastructure."
And just because you're using an Amazon- or Google-branded cloud doesn't mean that your website will have the same performance as Amazon or Google. Web performance stems from several factors, including overall web traffic, the location of the data centers to which you've been assigned, and even the behavior of other applications in that same data center. "You can't sandbox everything, and someone else's application may impact the performance of yours," observes Mouline from Gomez. "Performance is all over the place."
You can find Gomez's top-level performance results for major public cloud providers at CloudSleuth.net.Gripe #3: "I can do this cheaper in-house."
The benefits of cloud computing don't necessary scale up. "If you have a large enough organization, the subscription model tends to lose some of its clear cost benefit," says Mike Pearl, principal in PricewaterhouseCoopers' Advisory practice and Leader of PwC's digital transformation and cloud computing initiatives. "Turning potentially thousands of employees loose onto the cloud introduces variability into costs [relative to fixed budgets]."
Chris Weitz, director of Deloitte Consulting, also observes diseconomies of scale at the high end. "For some of the larger enterprise clients of ours, who are able to scale relatively high and have good volumes and get good discounts from vendors, they're finding that it's not particularly advantageous from a cost perspective to go to a public cloud infrastructure, particularly as it relates to storage or other services that are relatively commoditized," Weitz says.
Nor is capacity management necessarily a strong selling point, as large enterprises tend to have a good handle on their demand curve for IT services. "They tend to not be exposed too much to the spikes of usage that a smaller company would have," notes Weitz.
Instead, flexibility is the area where the largest enterprises find the greatest benefit in the cloud. "It's the opposite of a startup situation, which has spiky usage patterns but can provision quickly," observes Weitz. "Big companies have smooth usage patterns but are slow to provision new resources."
Gripe #4: "I don't have enough control."
With internally managed and collocated facilities, IT professionals can precisely match the availability and uptime needs of the enterprise using dedicated equipment, selecting the most appropriate power supplies, cooling equipment, and server hardware.
That's not so easy to manage in the cloud. "When someone puts their data and applications in the cloud, it's almost impossible for them to know what specific hardware they're on, where their data resides, where their power is coming from, or if there's adequate cooling," says Charles O'Donnell, VP of AC power engineering for Emerson Network Power.
If you want to maintain maximum control, you may end up doing it in-house. "We have one very large customer that keeps revenue-generating applications on an enterprise farm, Tier 4 facility, and keeps their e-mail and product development at a Tier 2 facility," says O'Donnell. "If e-mail goes out for a little while, it's not a disaster. It costs them time and money but it's nothing like what happens if their enterprise facility were to go down."
"If I had a mission-critical application, where if it goes out I start losing current or future revenue, that's something I want to have complete control over myself," remarks O'Donnell.Gripe #5: "We've got clouds popping up all over the enterprise."
Allowing unfettered, enterprise-wide access to cloud resources poses significant business risks, observes Philip Lieberman, founder and CEO of privileged identity management provider Lieberman Software.
"Business users see the cloud as a way of saving money without understanding the security, audit, or regulatory implications," he says. "Cloud is being brought in through the back door, and when auditors discover what's been done, they need to make a judgment as to what the exposure is."
Often, the risks aren't worth the ostensible cost savings from the cloud providers. "It's their business to give you compute power at a low cost," Lieberman adds. "They're not in the security business."
Enterprise IT departments are advised to reclaim the relationship between business units and external providers. "As you begin to look at cloud computing at the enterprise level, you need to first go throughout the business units to clean out the early adopters," says PwC's Pearl. "Bring those that jumped out in front into your overall enterprise strategy."
Gripe #6: "Without standards, I'm locked into my cloud vendor."
Portability has become the biggest gripe in cloud computing at the enterprise level, according to Edward Newman, global practice director of private cloud services at EMC. "It's not as if you can burst a workload out to Amazon today and then burst it out to Rackspace or Terremark tomorrow," he says. "The standards haven't yet been adopted that allow for easy movement of workloads and data to multiple cloud vendors."
Portability in the cloud would have to encompass a complicated set of policies and business requirements with regard to IT policies, regulatory compliance, and information security practices, which makes for a particularly challenging set of standards.
"You need the ability to migrate data from one cloud service provider to another, and there are cloud interoperability scenarios that need to be addressed as well," notes Matt Edwards, director of the cloud services initiative at TM Forum, a communications industry association. "There are multiple things that need to be addressed to avoid vendor lock-in and to remove the barriers for the adoption of cloud services."
Although the issues are widely recognized, consensus on the best solution is harder to reach. "New standards organizations for cloud crop up every day," says Edwards.
For its part, TM Forum has formed the Enterprise Cloud Leadership Council, with members from the banking, pharmaceutical, energy, healthcare, manufacturing, automotive, aerospace, government, and communications sectors. "While there are specific business requirements in each industry, there's no need to reinvent the wheel for every vertical," says Edwards. "The key is to have a coordinated approach, and to make sure that the actual business requirements of enterprise consumers are being addressed."Gripe #7: "My cloud's in the way of my M&A."
Before entering into an outsourcing arrangement, consider the likelihood that your organization will be involved in an acquisition or divestiture, suggests Daren Orzechowski, New York-based partner in White & Case's intellectual property practice. "One of the most important provisions in outsourcing for cloud is to have certain divestiture and acquisition support provisions," Orzechowski says.
Essentially, it's a matter of ensuring that you can scale up or down no matter the direction your business takes you. If you acquire a company, you'll want to support it with the same or better terms for enterprise cloud resources. Similarly, if you sell off a part of your company, ensure that both buyer and seller won't be held hostage by rate hikes after the deal closes.
"Make sure you'll get the assistance you need from your vendor, and that the terms of how that will work are fixed at the beginning of the relationship, when you have more leverage," says Orzechowski. "Like any commercial relationship, if you've signed the original big contract and you're in, and then you need help down the road, your leverage isn't as good."
Gripe #8: "I'm relying on reputation as a security policy."
High-profile technology providers face enormous scrutiny from customers and investors, with reputational risk involved with even the smallest lapses in availability and security. Accordingly, cloud providers have the incentive and wherewithal to retain teams of dedicated security experts capable of coping with a wide range of fast-moving threats. All things considered, public cloud providers may be better than you at information security.
Smaller, non-IT-focused enterprises find it harder to locate, hire, and retain top information security talent, and it's not uncommon in business to see small, overworked IT departments where the responsibility for security is diffused and even a few steps behind.
But just because the largest cloud vendors employ the smartest guys in the room doesn't automatically mean that they should have oversight of your enterprise data.
Before entrusting enterprise data to a cloud provider, do your homework. "Go to their website and read the discussion boards and blogs. Go to the analysts. Go to the regulations in your industry," advises Mohammad Zaman, head of global solutions at Logicworks, a low-latency hosting provider in New York. "There are many different ways to find the right cloud service provider from a security perspective."
Or, simply follow the herd. "Everybody publishes customer references on their website," Zaman says. "How do you match up against them?"
Unfortunately, it's all too common that these reputation-based approaches to due diligence represent the extent of information that's available from cloud vendors for purchasing decisions.
It's a "buyer beware," remarks Zaman.Gripe #9: "Good enough for government work? Nope."
You won't find more security-conscious users than in government, and it may take a while before they go into the cloud. "Until someone says that they can meet the NIST criteria for cloud security, I don't see many government customers trusting their applications and data to the cloud infrastructure," says Jim Sweeney, principal solutions consultant for GTSI, a government solutions provider.
Security concerns include the integrity of data, protections in a multi-tenant environment, management of loading and offloading of data, and the trustworthiness of vendor employees, along with questions about the financial stability of vendors.
But it's not just information security that's holding up adoption. "People are using security as an excuse to not move to the cloud in order to protect their jobs," Sweeney says. The typical game plan: "I'm going to have my own internal cloud for my customers."
That's not much of an improvement over existing infrastructure, Sweeney counters. "Why move to a cloud at all?" he asks.
An alternative model places the most technologically savvy agencies as operators of cloud-based services and infrastructures on behalf of other agencies. Leading the way in this regard is the Defense Information Systems Agency (DISA), an arm of the Department of Defense that provides computing infrastructure and services to the military.
At the InformationWeek Government IT Leadership Forum in June, DISA's CIO Henry Sienkiewicz announced plans to deliver storage and office productivity applications through DISA's private cloud, which could potentially be extended elsewhere within government.
Gripe #10: "Cloud computing is going to put me out of a job."
For the people responsible for maintaining enterprise hardware, the cloud can appear to have the guise of a deadly fog. Should IT professionals fear the cloud?
"If your dream is to build servers and to be on call 24x7 when routers or servers go down, maybe you should be afraid," Stephen J. Roux, founder and president of Farmington, Conn.-based solution architect Innovative Computer Systems. "But if your goal is to see your company grow and become more agile, they still need someone to show them how to make the whole thing work.
"Rather than turning a wrench, sit down and have strategic conversations with the business," adds Roux. "Instead of provisioning servers and data centers, help the business get the most out of their applications."
For Further Reading
Bringing Cloud ROI Down To Earth
About the Author
You May Also Like