What I learned at Cloud Exchange 2011
Having completed my last road trip of the year, I dusted off the notes I took during this year’s Cloud Exchange events (and a few others) to see what I might learn from them. (The first thing I learned was that I take a lot of notes.) In the spirit of the Cloud Exchange events, I thought I would share what I discovered, which I will do in a 2-part series.
The Top Five
The following five topics were top of mind for Cloud Exchange participants, which included IT leaders from large enterprises, government agencies, defense, small businesses, consulting organizations, and hardware and software vendors: security, resilience/business continuity, data, finance, and the user experience. These received roughly equal attention, so they are not listed in order by rank. Though each attendee’s most top of mind issue was heavily influenced by the maturity of their cloud implementation (or preparation).
In this first post, I will share my notes and observations on security, resilience, and data. Check back next week for part 2 covering finance and user experience, plus a few that deserve an honorable mention.
It probably comes as no surprise that security on the list. I cannot recall a single event where it has not come up in some form. However, it’s not always in the context one might assume. The discussion was not always “cloud risky, on-premise safe”. There was also much discussion regarding how cloud services can actually be more resilient and secure than on-premise services in some cases.
The conclusion: Don’t let security be an excuse not to think about cloud.
Of course, there was also discussion regarding cloud computing risks and how they might be addressed. And there was a lot of exchange on how to make environments more open to consumers. Participants spoke about how to improve the user experience by providing simple access while maintaining an adequate level of protection over corporate assets. I was very encouraged by the fact that even discussions regarding security were often from the perspective of how to deliver more to the consumer (safely).
Mobile computing and consumer driven IT often arose in this context (which is in part why they were not listed separately). There were often two viewpoints: “It’s too complex and risky. We’re not even considering it.”; and, “We want to take advantage of it (often because a competitor was) so we need to better understand it”. I must declare a personal bias in this case. I believe that teams that choose to ignore consumer driven IT because it may introduce risks may, in fact, create more risk than they hope to prevent. Though, I have already written about that.
In summary, security concerns are valid. They need to be addressed. “No cloud is secure enough for anything” should never be accepted as a reason to take cloud options off the table.
Resilience / Business Continuity
Discussion often turned to resilience (reliability, high availability, business continuity…). Again, there were several angles. The most common was the viewpoint that cloud infrastructure, especially public cloud infrastructure, is not resilient. This was, no doubt, fueled by a few very visible public cloud failures that occurred around the time of the events. And while this statement is an over-generalization and what I would consider a cloud myth, the concern is valid. There was agreement that those who are considering cloud solutions need to ensure that there is sufficient resilience in the service, whether they provide it themselves or procure it. Essentially, nobody will care about “your assets” as much as you do.
Other detailed discussions centered on speed of recovery. Many believe that the objective is to have sufficient resilience such that nobody would notice the failure of a specific component. (It is achievable.) It is also the case that not every service requires the same level of resilience, and that more resilience usually means more cost. So care must be taken to apply the appropriate level of resilience. And some spoke of plans to use cloud services to increase the level of resilience in their business services.
Open discussions often turned to the topic of “data”. Certainly protecting data and maintaining access to data were discussed when security or resilience were being discussed. Though “data” came up on its own in other contexts as often as each of the other top five items.
From my notes it looks like data location was the top topic of data related discussions. Participants were concerned about knowing where their data is stored and who might have access to it. There were concerns that moving data to a cloud environment where data might reside in a different nation than it was created could result in violation of laws and/or compliance regulations; or that it might make the data subject to search or seizure by agencies of “other nations”. This may be one of the most challenging of the concerns voiced by participants, though cloud providers are beginning to offer “local” services in more nations and to address data location concerns. So,businesses need to pay diligent attention to whether the location of data they plan to put into a cloud matters, and if it does they need to pay even more diligent attention to the laws of their nation, the nation and locale where the data is hosted, and the provider’s contract and reputation.
There were also discussions regarding the protection of data stored in the cloud (more or less data security) and regarding providing simple access to data (“how do we make it easy for people to access data they are entitled to see”). And there was quite a bit of discussion on the benefit of public clouds in the context of storing public data. This was often brought up by government agencies that see public clouds as a perfect fit for providing non-sensitive data to their citizens at a reasonable cost.
Watch for my next post to learn more about our finance and user experience discussions, as well as a few honorable mentions.
This blog is cross-posted at Cloud Storm Chasers.