Interop: Cloud Computing Adopters Ready To 'Trust, But Verify'
That was the key message at an afternoon keynote session at Interop New York: The barrier to widespread cloud adoption is no longer understanding how cloud works, it's how the cloud is going to keep data safe and available -- something Joyent founder and CTO Jason Hoffman called "the last issue" for cloud proliferation in IT.
Cloud evangelists from the technology companies led off the keynote extolling the various virtues of the cloud model, from Google developer advocate Don Dodge emphasizing simplicity and cost-savings to Microsoft's Yousef Khalidi, distinguished engineer for Windows Azure, explaining how to leverage public and private cloud models to maximize efficiency for enterprises both public and private.
All well and good, agreed end user representatives John Merchant, assistant vice president for The Hartford Financial Services Group; Rico Singleton, deputy state CIO of New York; and Louis Gutierrez, CIO emeritus of Massachusetts and CIO emeritus of Harvard-Pilgrim Healthcare. But that might not be enough -- yet -- to convince regulators, government officials or even citizens that cloud-based solutions offer trust-worthy levels of security and resiliency.
"I hear a lot about security and the accessibility of data centers all over the world," Merchant said. "But how in the world will all of the information my company collects be protected? How will I be sure when I give my data to you that I can comply with all those regulations?"
"I would argue that it's no different than your own data centers and your staff, except that it's our data centers and our staff," Hoffman said. "The fundamental limit is that networks and systems exist to do things with data. Depending on the sensitivity of that data -- which we can negotiate contractually -- it may never move out of your data centers and [the cloud] may lead to greater utilization of your existing data centers. Most of us are ignoring this aspect of things. APIs of the future will become much more rich and interesting when we can guarantee data around regulatory compliance and see real auditing information."
Merchant argued, however, that the possibilities of the future of cloud aren't often strong enough to convince auditors of its security and resiliency.
"If my data is lost, I'm on the hook," he said. "If you have an issue, it's me who's on the hook."
Adam Selipsky, vice president of Amazon Web Services, said that concerns about cloud security are as much a matter of control as anything else.
"You have to look at the perception of control versus the reality of control," he said. "It may feel like you have more control over your data centers, but do you actually?"
New York State's Singleton said that because cloud-based data centers aren't tied to a particular geography, the storing of certain legal items -- such as subpoenas -- brings up questions of jurisdiction.
"What if different laws regulate it if it's stored in a different state," he said. "That said, we're seeing a lot of good discussion around critical applications and how they work in government, and that really starts to get into some of the benefits."
"It's not an all or nothing proposition," said Google's Dodge. "I'd urge you to take in the simple things cloud can provide -- email, applications, those things -- that you'd be paying a fraction of the cost for what you're paying now. If you do that, you can focus on the harder things."
Gutierrez urged a "trust, but verify" point of view for agencies, enterprises and organizations looking to the cloud as a way to make infrastructure more efficient.
"There's a lot that's hugely attractive here," he said. "But risk management is essential to any movement in that direction. I have to go to my department and say this is great stuff and what we've heard from the vendor is here are the risks to date. How do you handle the need for client audit?"
"I don't see one company being able to handle all of those," said Microsoft's Khalidi. "We do believe we need to have those who understand segments and regulations and can step up to become partners with vendors. [No] one vendor is big enough to handle all of that."
Khalidi further urged Interop attendees to consider virtualization and cloud computing as separate concepts with separate benefits.
"Virtualization is part of the cloud. The cloud is not just virtualization," he said. "The application set has to fit the cloud model, and be more service-oriented than taking one business app and moving it to a VM unit."
New York's Singleton said that ROI remained the big issue. While companies like Google could promise to bring New York's state and local governments huge cost benefits thanks to Web applications like Gmail and other Google Apps, the flexibility and scalability of those applications might mean those benefits might be fewer than expected.
"Can you give me a public cloud that you build, provide and scale, using the benefits now in the public cloud, on my private network that's closed to the outside, and give me similar ROI?" he asked.
"Yes, it can be done," Google's Dodge responded. "But again I'd encourage you, do the easy things first. If you just look at e-mail and productivity applications for the 190,000 users of the city of New York, you can save, I'd bet $50 million a year just by converting to our Web-based services. Maybe more than that. That's big money, it's easy, it's low-hanging fruit. Start with the easy things."
"There are shortfalls to the simple quick-and-dirty," Singleton countered. "Once you start looking at BlackBerry services, retention services, those aren't things that are included in the $50 [fee-per-user for Google Apps at the enterprise level]. There's definitely value in it, but the savings shrinks. Maybe it's not as quick and dirty as you suggest."