Managing Cloud Risk

A friend and client said to me the other day that “hell would freeze over” before he moved his key business data to the cloud. I was surprised by his firm resistance and asked him to explain his reasoning. It boiled down to a lack of trust in:

1. the ability of the cloud provider to protect data from being accessed and possibly stolen by the staff of the provider and their agents; and
2. the ability of the provider to protect against malicious external attacks.

These risks are the same risks as in any outsourcing contract and I believe they are the fundamental risks that any organization should consider in either outsourcing generally, or a move to the cloud.
The first risk, agency risk, is amplified in the cloud because it is so easy for supply chains to lengthen to a point well outside a customer's control, and it is very easy to move virtual machines between cloud providers. Backup copies of your data could end up with a multitude of cloud providers over just a few years.

For example, (see figure right) you may buy access subscriptions to a CRM SaaS application (1), that is hosted by a third party ISP (2). The ISP, in turn uses an IaaS provider (3) for the virtual servers the application is hosted upon. Additionally, the SaaS provider may use an offshore outsourcer (4) to support and maintain the application, whose own infrastructure may similarly be provided by a chain of third-parties (5-7). In this situation you have might have 7 (or more) different organizations with access to your data, only one of which you have a binding contract with.
The answer to mitigating agency risk is twofold. Firstly, ensure that the contract you enter into with a cloud provider or outsourcer ensures that all sub-contractors of the provider are covered by the same confidentiality, privacy and professional liability conditions your provider guarantees and that the sub-contractors are forced to guarantee these same conditions are contracted down the supply chain. Secondly, you should encrypt all sensitive data, possibly all data, in the database using the encryption methods supplied by your RDBMS or, industry-standard 2048-bit public-private key encryption. This way, even if someone does maliciously access your data, it is encrypted to a level impossible for an individual acting alone to decrypt.
Addressing the risk of hacking is always problematic. Given the security flaws that are regularly discovered and addressed in Microsoft Windows and that may exist in other operating systems, this is a problem for everyone with an IT system connected to the internet. The first thing you need to do is research and investigate the security practices of your provider. Most of the big providers, such as Amazon, Google, Microsoft and SalesForce have large security teams dedicated to protecting their cloud systems from hacking attempts and have the best firewalls money can buy. Their ability for success is likely to be much greater than smaller organizations and those who do not have IT as their primary competence. Even smaller cloud organizations are likely to have devoted much time and money to security. If you're in doubt of an organization's ability to protect your data from hacking attempts, you need to make them demonstrate that their security practices are robust. Ask them about the firewall they have implemented, how many security staff they employ and what measures they take to actively detect and protect against malicious attacks.
Following these few simple rules will ensure your cloud experience is as secure and risk-free as it can be and should ensure that security in the cloud is as good as you could provide yourself.

Is Cloud Computing Fundamentally Different?

The short answer is: no. Cloud computing is not revolutionary. It is merely an incremental improvement in delivering system characteristics such as scalability, availability, resilience and disaster recovery. With the right system architecture, cloud computing is certainly capable of delivering same or better standards of these characteristics that you currently provide, at a fraction of the current cost. Additionally, the cost differential allows small-to-medium business to deliver robust, enterprise-strength computing.

Scalability

The great thing about the cloud and scalability is the scalability-on-demand aspect of the offerings of the largest providers. If you need more more processing power and/or memory at certain times of day, week or month or for ad-hoc periods, then you can temporarily schedule an increase in power and are only charged for the time you are using the higher specifications. The primary example of this is Amazon's Elastic Cloud Computing (EC2).
This is “scaling-up”. However, with all n-tier applications there is still a need to “scale out” to provide robust online applications. This is done in the cloud in the same way you would do this in-house or hosted, by authoring applications to be stateless, clustered and/or load-balanced with robust RDBMS back-ends.

Availability & Resilience

Amazon offers its EC2 service in a number of geographically distinct zones which do not rely on the other for availability. Therefore when one zone is unavailable for whatever reason, the other zones remain active. Scaling your applications out over multiple zones, or using Dynamic DNS to cut between zones when one zone is unavailable, means that cloud computing offers a lot of potential to guarantee the 99.97% up-time that many service level agreements require.
The platform-as-a-service (PaaS) vendors also have a great deal of geographic redundancy in their systems, meaning that your PaaS applications may well be available when a particular part of the providers infrastructure is unavailable. Economies of scale mean that having a third-party provide this kind of infrastructure is going to be a lot more cost-effective than providing it in-house.

Disaster Recovery

The cloud is a great option for disaster recovery. If you have DR capability, or are thinking of investing in it, then you have to consider the cloud. The key area to consider is transferring large amounts of data over an internet VPN, which you may need to do in order to guarantee a seamless cut-over in the event of a disaster. The bandwidth provided by your ISP may not be enough to compensate for the dedicated WAN which most companies are using for DR at the moment.
Statutory requirements regarding privacy and storage of certain information may mean that you are unable to move all of your disaster recovery needs to the cloud. But there is certainly scope for every organization to implement cloud DR for at least some systems.

Conclusion

The cost differential and the provision of scaling-up on demand is likely to be the key drivers moving systems to the cloud. There are increased risks that need to be considered before using the cloud to host a new or existing system. I'll cover these in my next post. Put simply, cloud computing isn't for every organization in every case. There are some situations where you'd be crazy to use it, some situations where you'd be crazy to use anything else and some situations where the value it adds to a system may be marginal. Every project should consider the cloud in its own context.

What is Cloud Computing?

Cloud computing – the number one IT “buzz” phrase for the last 12 months or so. The vendors and hype say it's a computing revolution, but if you're like me, you're tired of hearing about computing revolutions from the IT industry! Most IT managers I've spoken to recently want to know the basic facts and if cloud computing is fundamentally different to what we have now. This article deals with the basic facts. I'll post a follow-up article addressing the second issue.

We should start with the question, “What is cloud computing”?

Like most IT “buzz” words and phrases, the definition depends on who you speak to. First, you need to know that the “cloud” in cloud computing comes from a common practice in network architecture diagrams, where the Internet is represented as a cloud.

The best complete definition I have found is Wikipedia's.

“Cloud computing is a paradigm of computing in which dynamically scalable and often virtualized resources are provided as a service over the Internet.” (Wikipedia, links theirs)

Let's break that definition down into its constituent parts and examine them in more depth. The most important part is that actual computing happens on the Internet, on a provider's hardware and software. Thereby eliminating capital expenditure on owned hardware and software, and operating expenditure on expensive dedicated WAN links. This is the key financial driver behind a company's decision to engage in cloud computing. If it doesn't happen on the Internet, it's not cloud computing. Some offerings may be massively scalable and virtualized, but if it is not accessible on the public Internet on a public IP address, it is not cloud computing.

Second in importance is the idea of dynamic scalability. This means that computing resources, basically memory and processing power, are allocated on an as needs basis. With most providers, you only pay for additional resources when they are required. At the moment, this really only includes scaling out. However, it would be possible to modularize your cloud computing applications and have them scale up dynamically. In the near future, I believe providers will deliver APIs that make this process much easier than it is now. The economies of scale that the cloud providers achieve means that this scalability is available at a much lower TCO than is currently possible for organizations of any size to do in-house.

Thirdly, virtualization of resources is an important aspect of most cloud computing products. I would argue that it is a mandatory feature, rather than “often” found, as described in Wikipedia. Virtualization of resources does not necessarily mean that the services are provided on the basis of virtual machine instances, though this is certainly the case with Amazon Web Services, the biggest player in the market to date. As the link provided in the Wikipedia definition suggest, this is more about platform virtualization, abstraction of the underlying computing infrastructure and operating systems from the user. This is performed via virtual machines providing generic operating system installations, or by providing an Application Programmer's Interface (API) which allows applications to be developed without any knowledge of, or direct interaction with, the underlying computing platform.

As with dynamic scalability, the main business benefit of virtualization of resources is in the economies of scale achieved by the providers. They can spread the cost of hardware and hardware administrators over an enormous user base. Additionally, the elimination of owned hardware means that costs that previously needed to be capitalized can be charged straight to operating expenditure.

It is the virtualization of resources aspect that differentiates the two definitive product types in cloud computing: Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) . Essentially, IaaS is where you buy virtual machine instances and manage them as you would your own servers in your own data center. PaaS is where you are given an Internet API to develop custom applications which then run on the provider’s hardware and infrastructure. Google Apps and Force.com are the big names in PaaS at present.

Additionally, Software-as-a-Service (SaaS) is sometimes grouped as a cloud computing product. I would argue that SaaS is not true cloud computing because SaaS predates cloud computing by many years, it does not have to be massively or dynamically scalable and does not have to provide any virtualization of resources.

In the next post, I will discuss whether cloud computing is fundamentally different to what enterprises have now and if cloud computing is likely to live up to the hype surrounding it.

Welcome to the blogosphere

Better late than never, Ben Slack, principal consultant at Virtual Xpert, comes to the blogosphere with interesting thoughts and facts about information and communication technology (ICT).

I'm going to use the name ben.eficium and publish the site at http://ben.eficium.net/.

While it's impossible to be a truly independent and objective observer when one is employed in the industry, I promise that the blog will be as independent as possible. It is not for spruiking Virtual Xpert's products and services.