Back in January 2013, Silicon Angle posted an article highlighting security challenges that Amazon Web Services (AWS) faces as it tries to make inroads into the Enterprise. In particular, the article highlighted the lack of visibility and control over the physical infrastructure when an enterprise decides to move to AWS. Two weeks later, David Linthicum, on his Cloud Computing blog, reported on new PCI guidelines for Cloud Computing. Both pieces highlight one of the primary concerns that I hear from companies as they evaluate the feasibility of moving workloads to the Public Cloud – the issue of security; other concerns include performance, reliability, compliance, data sovereignty, and data gravity. These concerns are the reason for the increasing interest in Private Clouds. Still, I frequently lean towards a “Public Cloud First” strategy when advising customers. I do so because I see at least three benefits for enterprises if and when they adopt a “Public Cloud First” strategy – agility, simplicity, and yes – security.
Sometimes lost in the buzz around Cloud Computing is the fact that this is primarily a model to enable the Business to drive more revenues and/or to save on expenditures. How the Business accomplishes those twin goals varies, but it is IT’s job to deploy and maintain technology that serves these two goals. Today, this means running an agile IT shop that can help the Business to roll out new products and/or services more quickly than ever before by enabling IT resources to be elastically provisioned and accessed. How easily can established enterprises move to this model of IT? The reality, as I speak with these companies, is that most are not ready to make the technological, process, or cultural changes required to effectively spin up and maintain a Private Cloud. Many of them are still trying to figure out how to virtualize and automate their current infrastructure; most still have virtual walls set up between Operations and Development.
Moving workloads to a Public Cloud does not make all these issues go away, of course. But it provides a platform for Enterprises to test the waters and to get a quick return on their investments in the Cloud. I generally recommend that Enterprises start by moving some of their non-critical projects into a Public Cloud; however, in some cases, I’ve recommended that a customer spin out a “special projects team” that would work on moving and managing a workload into the Public Cloud because time-to-market was a priority and it would have been impossible for them to meet their deadlines if they had to procure, deploy, and manage the infrastructure themselves. In some of those cases, the customer chose to leave that workload in the Cloud and in others, customers chose to bring that application back in-house on a Vblock. This is the level of agility that I believe the Public Cloud can offer, particularly for companies that are just not ready to make the internal changes required to roll out their own Private Cloud.
Stephen O’Grady, in his book The New Kingmakers, highlights the heightened importance of developers. Today, helping the Business to meet their goals usually means enabling developers to write new applications and APIs in the most efficient manner possible. For IT Operations, this means removing the operational constraints that often prevent development projects from moving forward. Again, most shops do not have the capabilities or the know-how to remove those constraints immediately. As such, Public PaaS Clouds offer a framework where developers can quickly write and test their applications; Public PaaS vendors, such as Cloud Foundry, OpenShift, and Google App Engine, accomplish this by simplifying the entire process of building and managing an integrated development environment (IDE) so that IDEs can be rapidly provisioned and changed as needed. Developers no longer spend valuable time building their own development environment. For enterprises that want and need to move to a rapid development model, a Public PaaS can give them a quick return while showing Operations the benefits of supporting a PaaS model that helps to simplify the development train. In some cases, companies that have made that move have seen the benefits and decided to instantiate a Private PaaS instance in their own data center.
This may seem odd since I cited earlier the concerns many enterprises have over security in the Public Cloud. The reality, though, is that the Cloud providers often have more stringent requirements than those of many companies’ IT Operations, and they often have the competencies in this area that many IT shops do not have. I know of one enterprise that experienced an outage of their mission-critical application because a disgruntled sysadmin was able to plant a “time bomb” on a lab server and propagate it across their entire server farm; this was possible because the employee was able to spawn a remote shell, as a Root user, on the lab server and access all production servers with superuser permissions.
My point is not that Cloud Providers are the only ones that practice sound security. What I am saying is that many companies do not know how to secure their infrastructure to keep pace with the new attack vectors that exist today and that they are no worse off moving some of their applications to a Public Cloud; in some cases, they may even be improving their security posture by doing so. Public Cloud providers, such as Amazon and Microsoft, are incented to hire qualified security engineers precisely because breaches to their Cloud are oftentimes more visible than breaches to an enterprise’s Private Cloud.
So does this mean I am ready to throw in the towel in terms of advocating for Private Clouds? Not really, given the real concerns over issues such as compliance and data sovereignty that I listed earlier. My opinion is that enterprises are moving to a Hybrid Cloud model where:
- Every application and project is evaluated to determine its suitability for a Public or Private Cloud.
- Enterprises may initially move a certain amount of workload to the Public Cloud and move much of it back in-house as their IT gains more core competencies around managing a Private Cloud and the required cultural changes occur.
- Enterprises may initially move a certain amount of workload to the Public Cloud and move even more as their concerns are alleviated and they realize the benefits of moving certain applications to the Public Cloud.
- The focus will be less on “basic” IaaS Clouds and more on platforms that enable application and API development so the Business can more quickly realize a return from their IT investments. I predict companies will move to and deploy AppDev enablement IaaS Clouds, like AWS, or full-blown PaaS Clouds, like Cloud Foundry.
From a vendor perspective, the winners will be those who can provide the enabling technology for building Hybrid Clouds and those who can help enterprises to make the necessary changes to become IT-as-a-Service providers to their internal users.
If it becomes easier to add encryption, do you think this will help convince those potential customers to make the move to the public cloud?
What can also help is that cloud providers are more open about what they deploy (like with OpenStack), that way the potential customers can see how the public cloud is being built.
Because currently most have no idea how the public cloud is operated, thus they have no idea if it is secure. It is kind of like a fear of the unknown.