Anna Frazzetto's Blog

Digital Innovations and Technology Solutions

Cloud Computing - Lots of Questions, Lots of Answers

My colleague Lance Hendrix, Practice Director, Technology Solutions for Harvey Nash and I kicked off our 2011 Harvey Nash Webinar series with a cloud computing presentation that had the chat room buzzing up until the last minute of the event. What was all the chatter about?

First, our client and good friend Alfonso Perez, Head of Technology at Beezag gave an inside look into how and why his company went whole-cloud in 2010. I know many of our attendees appreciated having the chance to hear and question exactly how an organization made the move to the cloud, the tools and providers they use and the results they are seeing. (And for those of you who attended and are still dying to know what kind of car Beezag helped donate to a heroic, hardworking American family here is the full, heartwarming story.)

In addition to Alfonso's story and case study in scalability, Lance Hendrix—Harvey Nash's Technology Solutions Practice Director, analyzed some of the biggest issues, controversies and challenges in cloud computing today. From security and compliance to cost and convenience, Lance gave an excellent overview of the cloud marketplace today and the issues that have organizations of all sizes thinking as they examine the cloud possibilities. (To view a copy of the full presentation and a transcript of the Q&A session, please scroll down to the bottom of the blog.)

While there were many great questions, one question rings in my mind—and it was the first question of the Q&A: What about the security risks of cloud computing? This is a question you see asked every day in the marketplace as businesses wonder... If my data isn't sitting here (on-site, in our data center) how can it be safe and how can I protect it?

What hit me about the question had to do with some security survey results from our newly launched 2011 CIO Survey, in which CIOs across the U.S. revealed that they feel they are better prepared to identify and deal with cyber attacks than they are to deal with data misuse incidents from their own employees. Here are the numbers: 11% of CIOs said they are exposed in multiple areas when it comes to cyber attacks while nearly double (21%) said they are exposed in multiple areas when it comes to data misuse from employees.

The fact that the higher security risk comes from inside rather than out made me wonder if some of the cloud computing security conversation is a bit of a red herring. Many businesses worry that by moving their data "out into the cloud" it will be harder to protect. But can that be true if internal employees are a greater risk than external threats? Isn't it better to leverage the cloud to distance data from a security threat rather than keep it exposed?

Obviously, it's not as cut and dry as all that, but cloud computing does ask us to look differently at the "where" and the "how" of security. Lance covered the complexity of this security question nicely in our Webinar Q&A, explaining the concerns businesses—and specific industries—have when it comes to controlling and managing intellectual property, personal identity and other critical data in the cloud.

As someone who worked in IT and security services before the Internet was even a question, I can say this: security will always be a top concern in any IT solution whether it's outsourced, leased or a managed service. And well it should be, which means there is a big market opportunity for cloud solution providers that are able to successfully address and manage the security concerns and needs of today's cloud-cautious businesses.

I invite you to view the presentation Cloud Computing - Clearing up the Fog below. If you'd like to set up a time to discuss the content in more detail, don't hesitate to send me an email at anna.frazzetto@harveynash.com.

Stay Tuned for Our Next Webinar
Keep an eye out for registration details for our next webinar, The iPad Goes to Work, Taking App Complexity up a Notch, on June 23 at 11 a.m. ET. This hour-long Webinar will be a dynamic and fun look at the complexities as well as the opportunities that come with developing apps for the iPad. What does it mean for programmers? How is it different from mobile application development. We will even explore some of the very best iPad apps increasing workplace productivity, collaboration and communication.

Harvey Nash May Webinar Q&A Transcript

On May 10, 2011, Harvey Nash's VP of Technology Solutions, Anna Frazzetto hosted a webinar for IT professionals including senior leaders of IT. Anna was joined by Alfonso Perez, Head of Technology at Beezag, and Lance Hendrix, Practice Director of Technology Solutions at Harvey Nash, to discuss the challenges and opportunities with cloud computing. The presentation concluded with a Q&A session; the following is a transcript of the session.

Q: Did you [Alfonso] move to a specific cloud application or company?
ALFONSO: We moved to Amazon Cloud (AWS), and at the same time, signed up for RightScale. So we were in a combination -- RightScale is managing automation infrastructure on top of the Amazon cloud.

Q: What kind of car did you [Beezag] give away?
ALFONSO: I'll tell you what I remember, and I apologize for what I don't remember. It was a red car, mid-sized, U.S.-made with four doors. Once again, apologies for the lapse on the other info.

Editors note: The full story about the giveaway can be found here.

Q: What is ORM?
ALFONSO: Object Relational Mapping is a technique for managing relational data in an object-oriented design. Essentially, software that maps databases to objects in code.

Q: To what extent has Beezag moved to the cloud?
ALFONSO: Beezag operates 100% on the cloud. No servers at all in the office, only desktops.

Q: It seems that first you took infrastructure to the cloud and then app, but have you completely outsourced app dev and maintenance or is that still in Beezag's control?
ALFONSO: Beezag's app offering has resided in the cloud almost from its inception. Application development has been in Beezag's control all along. Outsourcing vendors provide resources managed directly by Beezag.

Q: Alfonso mentioned two cloud providers for his company, can you elaborate on that?
ALFONSO: Amazon for cloud and RightScale for cloud management.

Q: Did Beezag negotiate its own contract with the cloud computing company?
ALFONSO: This may be a drawback to cloud computing: There's no big contract to negotiate because normally you're not pre-buying anything large, or you're not working on a large commitment of anything. This is basically pay-per-use. At least that's the more common concept, and the one that's more appealing.

So, usually you have to abide by what they tell you they'll do and won't do -- restrictions and regulations and so forth. It's all pretty straightforward. It's more complicated if you're in an industry such as healthcare or financial services. But I would say it's also fairly adequate. The prices are what they are. There's not a lot of negotiation back and forth with the cloud provider. They have discounted pricing for volume, and pay-per-use per hour mostly.

Now you can reserve instances for longer than an hour and that has its benefits. It also applies some lower discounts. But the simple answer is that there's no negotiation. You read the rules, restrictions and regulations in the documentation they have online and you do your math based on the prices they advertise, and you are agreeing to all their terms and conditions.

Q: What about security being a risk of cloud computing?
LANCE: That is definitely something that has to be evaluated on an organization-by-organization basis. And the debate goes both ways on this. On one side, there's the question of "Do I want my intellectual property outside of my physical control?" Physical access to servers, hard drives and things of this nature can be scary to some organizations, especially with the nature of intellectual property and the core value proposition that a business like mine brings.

In general, there's more risk around the business and the business model. Obviously, there are other risks around things like personally identifiable information such as credit cards, customer profiles and things like Google docs. The risk of developing business strategy and sharing it over the cloud needs to be evaluated on an organization-by-organization basis.

Now, the arguments on the other side of that, especially as a small or medium organization, are "Do I really have the ability to control and manage that, and am I willing to pay the cost of doing so?" To a certain extent, for a lot of these cloud providers, it's about trust. We have to assume that they're building their business and putting themselves at risk to a certain extent to this type of security breach. Specifically with the physical security access.

We've also got to assume that, given their expertise in the field, they can probably do a better job of it than any small or medium organization. When it comes to anything other than physical access, I personally don't view security in the cloud as any different than security in my enterprise, assuming I've got things like VPN access into my enterprise or that I'm hosting public websites that don't protect information that is external to my enterprise.

So, really, the question of security to me is no different than if the servers were sitting in my own facility. Again, the only difference that I see between the cloud and most enterprise IT infrastructures these days is the physical location of the hardware. Any other security best practice should be followed in the cloud with the same due diligence that would be performed if the hardware was sitting within your own four walls. And the same question also comes about within the context of co-location. Then I'm also relying on the physical security and physical access restrictions and capabilities of the co-location provider.

Q: Please provide an example of the most prolific application re-architecting typically required after moving to the cloud.
LANCE: It depends upon which cloud you're moving to. Some of the things that have to be taken into consideration are the storage and the way you access storage. Especially if you're using raw S3 types of capabilities versus standing up on an SQL database and leveraging S3 for data tables within the environment.

The other thing is that while there is scale-up capability for the hardware in the cloud, there are sometimes challenges in regards to the fact that the hardware just doesn't perform the same on an individual compute basis as it does on a dedicated server. And so you have to be prepared for more scale-out scenarios and more scalability horizontally as opposed to vertically. Those are some of the challenges that I see.

Again, some of the other unique aspects of most cloud providers are that the compute units themselves are relatively volatile. And so you have to be able to establish your infrastructure so you can bring servers up and down. Or, if servers fail, that your application can handle it by having standbys or network redundancy or various ways of ensuring that capability. Things will inevitably go bump in the shared infrastructure and it isn't as easy as saying "I'm going to stand up an application on a single server and I'm going to provide a redundant power supply and redundant hard drives and redundant network connections." Servers do fail in the cloud. There are ways of mitigating that with the application's architecture, but those are some of the things that have to be considered when taking an application to the cloud.

Q: Do contracts include remedies for lost data, SLAs, etc.? Are they written for specific needs or are they generic?
ALFONSO: You can sign up for the cloud and accept terms and conditions online, but it's not much of a contract. You are signing a contract and agreeing to terms and conditions, but it's not negotiable unless you're going to be a large consumer.

You can always go to the one of the providers and see if you can get away with something that's more specific to you. While they are starting to adapt to industries that need more accountability such as financial services, they're not really willing to be accountable for loss of data.

So, let me add to what Lance said earlier and maybe provide a bit of a contrasting perspective to the comment about reliability and so forth as it relates to cloud providers being accountable for loss of data. Infrastructure is infrastructure. You have a server sitting right next to you, or you have a server sitting in a shared hosted environment, or you have a server sitting in Amazon's cloud. It's basically a server, right? And, as Lance said, servers will fail. Infrastructure fails. But it's no different than failure of a server right next to you.

In the case of data, the analogy is very similar. You have a database, which may be sitting right next to you, it may be sitting in a shared hosted environment, or it may be sitting in the cloud. The way you access the database is very similar. You establish a connection; you open up a port in the firewall in the cloud environment and it allows you access to that database that you set up special security around and so forth.

Even though personally I don't necessarily see a difference in terms of where the power sits -- yes, it's in somebody else's infrastructure and belongs to somebody else and somebody else is managing it, but it's no different. It's just hardware sitting somewhere that's managed. So, in terms of reliability, it's up to the service and the terms and conditions they offer.

In terms of accountability, they style it to say, "no, we're not accountable for the data," hence the challenge is with getting PCI/DSS Compliance for financial services companies that are trying to leverage the cloud. But I think they're becoming more flexible and they're starting to put measures in place to be able to embrace this.

LANCE: To add to what Alfonso said, your standard back-up and recovery procedures and your standard disaster recovery procedures, especially with regards to critical data, probably should not be significantly different, other than maybe the way you go about it, whether your infrastructure is hosted in the cloud, or whether it's in a co-location facility or whether it's hosted within your own four walls.

Q: Can you give us a little background on the concept of "the cloud"?
LANCE: I don't know of any specific definition per se, but have always thought of it in terms of a concept I was introduced to many years ago when I learned object-oriented programming and a form of diagramming called Booch diagrams.

This was back when I also learned OMT and was studying Jacobsen's use cases. These early design and architecture diagrams described their functionality in aggregate groupings that were represented as clouds on the diagram (they actually looked like clouds that a child would draw). I often think of cloud computing as those clouds on my Booch diagrams.

That is, we are provided a service (in respect to Amazon) that looks and behaves like a computer, albeit with some very specific parameters. But the actual magic of what is going on inside the specific unit that we are using is sort of hidden. In this respect, we are using a resource, but are unconcerned with how or where the service is being offered.

I feel this definition also holds true for other services that are starting to call themselves cloud, such as Google Docs or Dropbox.

Q: It sounds like cloud computing pushes the burden of computer scaling to the cloud provider, right? So, instead of my company needing to scale in a small way, the cloud provider will need to scale -- and do so adequately enough to cover all its customers. But that fluctuation may be huge (think of the Mississippi River fluctuating to provide drainage for tributaries -- ie, flooding). Wouldn't that cost be passed on to me anyway -- with a clear threat of loss of service?
LANCE: There are many different aspects to scaling with IT systems, so we need to first be sure we are all talking about the same aspect of scaling.

If you are talking about scaling from the aspect that I need "N" computing units now or "N+1" or "N+X" computing units, then yes, that becomes the issue of the cloud provider; however, this does not mean that my application has been architected, designed, or implemented to even be able to scale by adding additional computing units.

Now, we come to two other aspects of your question -- the first being about the provider you have chosen to scale to your needs in conjunction with demands from other customers; the second being about the cost or risk to your business if that provider fails to be able to scale or as a result of attempting to scale, you see a degradation in service or complete failure of the infrastructure.

This reminds me of discussions we were having in IT as recently as 5-6 years ago when we were faced with the decision to continue investing in expensive leased (private) network infrastructures or to leverage the "open Internet" and utilize technologies such as VPNs to secure traffic.

On one hand, we were spending significant dollars on a private infrastructure for two primary reasons: dependability (and the probability that we could recoup any revenue or losses associated with outages from the provider) and security. While I know that there are still a significant number of leased infrastructures still in existence, many companies have made the shift to leveraging the Internet for at least a certain amount of their communications infrastructure.

In the same way that we still have to evaluate the cost and risk of the network infrastructures that we use, we now also have other options for hosting our services and hardware resources. That is not to say that it makes financial sense to shift everything to the cloud. Again, you have to balance cost against risk in your evaluation of how much you want to shift your organization from other hosting options to the cloud.

With regards to scale and whether your provider can scale with your needs, this is going to be dependent on both your organizations needs and the provider that you choose and you should carefully consider both factors when evaluating a move to the cloud.

Q: Will cloud computing facilitate telework/telecommuting -- employees working/consulting from home for employers in other cities without having to relocate?
LANCE: Not directly. However, once corporations and managers embrace the idea that they are provisioning services that they "can't physically touch" with regards to hardware, it does open the door to the concept of leveraging other resources that we "can't reach out and touch" such as people...

Q: Would you recommend placing business-critical documents on a cloud solution?
LANCE: It depends on your organization's tolerance for risk and the costs associated with securing those documents outside of the cloud. Remember, anything that is not locked in an impenetrable, inaccessible location is not "safe," and then it basically becomes useless.

That is to say that there is no such thing as absolutely safe and you should evaluate the risk and cost of the information getting in the wrong hands and balance it against the risk tolerance of the organization as a whole (the more risk-tolerant, the less likely you are to allocate capital costs to securing that information). If you crunch the numbers and the cost of securing outside the cloud is greater than you are willing to allocate capital resources to, then by all means, host in the cloud. This is going to vary from business to business and the nature of the information.

I would suggest that, as an organization, you work with your security officer to classify the various levels of information and attach values to those groupings of information. Then create corporate guidelines around what can and can't be stored in the cloud. If you have a corporate risk officer, they should definitely be included in this discussion. Legal considerations will also pertain.

Q: Which database applications, such as SQL 2008 and Azure, are preferences of yours?
LANCE: That depends on the cloud solution or provider being targeted. For instance, the Microsoft cloud offering is obviously focused around their Microsoft SQL Server platform; however, if you are targeting Amazon as a cloud provider, then the solution is basically only limited by the operating systems offered by Amazon (Windows, Linux, etc.). It appears that there is a strong preference for MySQL on EC2/S3 but that is probably just the nature of early-adopter businesses that are already providing solutions in the cloud.

Q: How do you manage Quality Assurance (Testing) with the cloud?
LANCE: From the standpoint of process, the cloud should not be different than other hosting options. If you mean managing the QA environment and the impact of this, the picture is obviously different. If you move your infrastructure completely to the cloud, you probably don't have physical hardware available to create these environments.

However, creating and leveraging the cloud for the QA environment can provide significant cost-advantages because you don't have to have physical hardware available for various test scenarios. This includes ones that were cost-prohibitive on physical hardware but can now be accomplished easily and relatively cheaply in the cloud.

Additionally, if you don't have to have the QA environment always available, then you can stand up an environment and tear it down as needed and not have to incur the capital expenses of physical hardware. This is the essence of the cloud and the concept of "pay for what you use."

Q: Do you find that the cloud requires different kinds of IT expertise? How much different?
LANCE: It depends on where your organizational focus was to begin with. For instance, if you were an organization that had to manage and maintain a large set of hardware resources, once you moved to the cloud, you might find that your organization no longer needed this skill set as it would then be handled by the cloud provider.

However, you will still need your usual complement of systems administrators, developers, testers, operations personnel, etc. Additionally, you will need to either develop or hire people with experience in managing specific aspects of the cloud (persistence being one) or who know how to manage systems effectively in the cloud (this is slightly different than managing systems on physical hardware and infrastructure).

Q: Can you have two cloud providers in one infrastructure? One for the web server and one for the database server?
LANCE: It is possible, but probably not a good idea. One specific aspect of this type of architecture that makes it suspect is cost. With someone like Amazon, you have to consider the cost of moving information into and out of your instances. Usually data moved within a specific provider's cloud has little if any cost. But sometimes there are costs for moving data between regions, so always consider and study the cost model carefully.

However, one aspect of reducing the risk of infrastructure failure for any provider or any single location would be to first leverage the "geoplex" capabilities of a provider (again, carefully consider costs). Beyond that, you can leverage multiple cloud providers. But rather than "horizontally slicing" an application in terms of tiers across providers, I would look to leverage more of a "vertical slicing" of the application such that you have a fully functional application across both providers. I would then look to balance workload between the two platforms or leverage an "active/passive" type of architecture between the two providers.

Q: What's the difference between cloud and regular infrastructure outsourcing?
LANCE: The simple answer is that they are differentiated by the level or function of IT that is being outsourced and will vary depending on what type of infrastructure outsourcing you are doing.

Q: Won't moving to the cloud decrease use for technical staff?
LANCE: Depends on your organization, but in general, I would say not by much.