CIO Focus

Executive guides for strategic decision making

Forecast: Cloud Computing Looms Big on the Horizon
TaBLE oF ConTEnTs InTroduCTIon ovErvIEw

3 4

| |

QuickStudy: Cloud Computing What Cloud Computing Really Means

PuTTInG IT To worK

6 | Cloud Computing: Tales from the Front 8 | Capex vs. Opex 9 | Cloud Computing: Don’t Get Caught Without An Exit Strategy 12 | Early Experiments in Cloud Computing 14 | Cloud Computing: What UC Berkeley Can Teach You

17 | The Dangers of Cloud Computing 18 | Cloud Computing Survey

SponSored by


Forecast: Cloud Computing Looms Big on the Horizon
“Cloud computing” is basically the latest incarnation of grid computing, utility computing, virtualization and clustering. It differs in that it provides the ability to connect to software and data living on the Internet (the cloud) instead of on a hard drive or local network. Since IT is always on the lookout for new and better ways to increase capacity or add capabilities on the fly without investing in new infrastructure, training new personnel, or licensing new software, cloud computing holds much promise. It is, however, still in a nascent stage, and it behooves IT management to look closely and carefully at what’s involved and whether or not the concept is a workable one for the company. What follows is a compendium of articles about cloud computing in which we explore the current state of the art, early adopters, the economics, the potential pitfalls and what you can do to avoid them, and what IT leaders are saying about the concept. This is one time when it makes good, practical business sense to have your head in the clouds.

all content copyright CXo media Inc., 2009. all rights are reserved. no material may be reproduced electronically or in print without written permission from CXo media Inc., 492 old Connecticut Path, Framingham, ma 01701.



Fo r ECasT: C Lo u d Co m P u T I n G Lo o m s B I G o n T H E H o r I zo n


Now that they’re actually talking about using a remote. Cloud computing overlaps those concepts but has its own meaning: the ability to connect to software and data on the Internet (the cloud) instead of on your hard drive or local network. Amazon. Other significant concerns include data security and confidentiality. black-box approach to computing. there were mainframe computers. broadest development in a trend that’s been growing for years. For enterprises with huge investments in existing software and operational procedures. As computers became physically smaller and resources more distributed. data and servers that reside somewhere “out there. Definition Cloud computing describes a system where users can connect to a vast network of computing resources. In the early 1990s. That’s partly because cloud computing is merely the latest. Why it works Critical to the success of cloud computing has been the growth of virtualization. IBM’s Almaden Research Center and the University of Washington. you needed to buy and install software.600 processors. allowing them to talk with one another and balance computing loads.demand access to supercomputer-level power. hosting various kinds of middleware on virtual machines throughout the cloud. Located in data centers at Google. Where it’s going If cloud computing succeeds on a wide scale. the grid concept emerged: Users could connect to a network. and use service on a metered-utility basis. cloud computing allows users to access programs and resources across the Internet as if they were on their own machines. offers a couple of cloud services. There are lots of discussions going on right now about cloud computing is. Christophe Bisciglia. grid or cloud computing means users and businesses must migrate their applications and data to a third party or different platform. the University of Maryland and the University of California. Stanford University. Server virtualization lets clouds support more applications than traditional computing grids. teamed up to provide the hardware. Why a cloud? For years. Users didn’t care which CPU ran their program. IT pros tried clustering computers. PCs and servers. Their Academic Cluster Computing Initiative began when a Google software engineer. But clustering proved to be difficult and expensive. software and services needed to teach computer science students large-scale distributed computing. Cloud computing is the most recent successor to grid computing. it may well be because of recent initiatives from Amazon. Berkeley—are participating in the Google-IBM program. Cloud computing can give on. much as they plugged into the electrical power grid. but I feel there isn’t enough definition of what it isn’t.overvIew Quick Study: cloud computing users can hook into the power of “out there” locations was transmitted. but there could be significant processing delays while data stored at other CIo FoCuS Fo r ECasT: C Lo u d Co m P u T I n G Lo o m s B I G o n T H E H o r I zo n 3 . And developers can use Amazon’s Elastic Compute Cloud (EC2) to set up a In the beginning First.” usually on the Internet. Also. rather than on a local machine or a LAN or in a data center. IBM and Google. Google’s CEO recruited his counterpart at IBM to join the initiative. A sk any five IT specialists what cloud computing is. Thus. The two companies say they will dedicate hundreds of computers to it. the old familiar cloud seems an appropriate metaphor. Carnegie Mellon University. MIT. then minicomputers. Meanwhile. virtualization and clustering. these resources are expected to eventually include more than 1. Grid nodes could be located anywhere in the world. and you’re likely to get five different answers. people have represented the Internet as a fuzzy cloud with communications lines going in and out of it. In 2007. utility computing. Web service developers can use its Simple Storage Service (S3) to store any amount of data. in flow diagrams and PowerPoint presentations. problems sometimes arose when users needed more computing power. six universities—the University of Washington. people began speaking of utility computing. wanted to improve computer science curricula by teaching college students how to solve problems involving massive computer clusters and terabytes of data. To do anything with a PC 10 years ago. and cluster software managed everything. Initially. even from a thin client or mobile device such as a smart phone or laptop. Now. allowing one computer to act as if it were another—or many others. this has been a real barrier to adoption of these shared Inc. One problem was where data was stored. IBM and Google Inc.

Utility computing loud computing is all the rage. with none of the maintenance of buying and installing server hardware and software. InfoWorld talked to dozens of vendors. from full-blown applications to storage services to spam filtering. non-mission-critical As a metaphor for the Internet. Some analysts and vendors define datacenters from commodity servers. such as Google Apps and Zoho Office? C 2.” says Gartner senior analyst Ben getting new life from Amazon. Based on those discussions. Liquid Computing’s LiquidQ offers similar capanet. analysts. On the customer side. but SaaS is also common for HR apps and has even worked its way up the food chain to ERP. training new functionality over the Internet. Today.” the meaning Other providers offer solutions that help IT create virtual gets bigger and fuzzier. You can contact him at russkay@charter. here’s a rough breakdown of what cloud computing is all about: 1. cliché. and even conventional credit of providers large and small delivering a slew of cloud-based card processing services. n russel Kay is a Computerworld contributing writer in worcester. but this form of cloud computing is phrase du jour. Web the next wave of innovation increase capacity or add capabiliservice providers offer APIs Cloud computing is an evolving concept 54% ties on the fly without investing in that enable developers to exploit that will take years to mature new infrastructure. Others go very broad. They range from Cloud computing is a passing fad 18% passes any subscription-based or providers offering discrete busipay-per-use service that. echoing many of his peers. but it’s not so fuzzy when you view the value proposition from the perspective of IT professionals This type of cloud computing delivers a single application through the browser to thousands of customers using a multitenant architecture. arguing anything you consume bilities. And who could have predicted the sudden rise of SaaS “desktop” applications. I/O. or licensing new softrather than delivering full-blown appropriate for my business ware. mass. with players such as Workday. ers development environments as a service. in real ness services—such as Strike Iron SOU RCE: CIO RES E a RCh time over the Internet. but so are SaaS (software as a service) Another SaaS variation. available over the network. enabling IT to stitch together memory. Web services in the cloud Cloud computing will cause a radical 58% shift in information technology driving what IT always needs: a way to Closely related to SaaS. and IT customers to tease out the various components of cloud computing. outside the firewall is “in the cloud. emerging.0) everyone seems to have a different access on demand. for the most part. Early enterprise adopters mainly use definition. APIs offered by Google Maps. Salesforce.” including conventional and computational capacity as a virtualized resource pool outsourcing. utility-style infrastructure providers 4. but own applications that run on the provider’s infrastructure cloud computing aggregators and integrators are already and are delivered to your users via the Internet from the pro- CIo FoCuS Fo r ECasT: C Lo u d Co m P u T I n G Lo o m s B I G o n T H E H o r I zo n 4 . Cloud computing Platform as a service are part of the mix. IBM. services. with a motley crew U. Bloomberg. The problem is ers who now offer storage and virtual servers that IT can that (as with Web 2. but one day. You build your IT must plug into cloud-based services individually. storage. and othPring. Postal Service. Both services are offered on a pay-per-use basis. this form of cloud computing delivproviders such as extends and Xignite—to the full range of IT’s existing capabilities. utility computing for supplemental. it means no up-front investment in servers or software is by far the best-known example among enterprise applications. the Cloud computing is at an early stage. with just one app to maintain. Current on-demand offerings are not 36% personnel. ADP payroll processing. such as 3Tera’s Appcloud computing narrowly as an updated version of utility Logic and Cohesive Flexible Technologies’ Elastic Server on computing: basically virtual servers available over the InterDemand. “the cloud” is a familiar needs. “It’s become the The idea is not new.overvIew virtual server in minutes. The Cloud: Your View Cloud computing comes into focus only when you think about 3. but when combined with “computing. SaaS what cloud computing really Means The next big trend sounds nebulous. they may replace parts of the datacenter. on the provider side. Sun. costs are low compared to conventional hosting.

Think of it as an automated service bureau. cloud computing might be more accurately described as “sky computing. cloud-based mashup platforms abound. Prime examples include Salesforce. cloud computing is the hardest one to argue with in the long term. Supply Chain. Grand Central— which wanted to be a universal “bus in the cloud” to connect SaaS providers and provide integrated solutions to customers—flamed out in’s Force. recently introduced the OpSource Services Bus. Managed security services delivered by SecureWorks. which employs in-the-cloud integration technology from a little startup called Boomi. SaaS provider Workday recently acquired another player in this space. CapeClear. such as Yahoo Pipes or Dapper. such as a virus scanning service for e-mail or an application monitoring service (which the idea of loosely coupled services running on an agile. It’s a long-running trend with a far-out horizon. these services are constrained by the vendor’s design and capabilities. but you do get predictability and pre-integration. Internet integration The integration of cloud-based services is in its early days. MSP (managed service providers) One of the oldest forms of cloud Well- Describe Your Plans/Usage of the Following Cloud Offerings On the radar/ Currently actively using or researching implementing application platforms & development software (web servers. known examples include Rearden Commerce and Ariba. recently acquired by Google. this cloud computing service offers a service hub that users interact with. so you don’t get complete freedom. a managed service is basically an application exposed to IT rather than to end-users. 7. But among big metatrends. e-mail. which mainly concerns itself with serving SaaS providers.” with many isolated clouds of services which IT customers must plug into individually. web conferencing) Enterprise application software (CRM. For extremely lightweight development. such as expense management systems that allow users to order travel or secretarial services from a common platform that then coordinates the service delivery and pricing within the specifications set by the user. among others. 6. as do such cloud-based anti-spam services as Postini. Coghead and the new Google App Engine. Like Legos. 5.overvIew vider’s servers. Today. OpSource. as virtualization and SOA permeate the enterprise. provides). n Galen Gruman is executive editor of Infoworld. an ESB (enterprise service bus) provider that was edging toward b-to-b integration. On the other hand. design tools) Collaboration tools (wikis. desktop management) Networks Servers Storage SO URC E : C I O R E SE aRCh Planning to use next year 4% Planning to use one to three years 3% Planning to use three to five years 2% No plans to use 30% 27% 34% 17% 19% 50% 35% 8% 4% 4% 5% 4% 3% 17% 34% 22% 23% 4% 4% 4% 43% 21% 33% 5% 7% 2% 32% 16% 18% 22% 27% 32% 31% 4% 4% 6% 5% 5% 4% 2% 2% 7% 45% 39% 30% CIo FoCuS Fo r ECasT: C Lo u d Co m P u T I n G Lo o m s B I G o n T H E H o r I zo n 5 . and Verizon fall into this category. Other offerings include desktop management services. with such cloud-based interconnection seldom in evidence. Way ahead of its time. spam filters. spreadsheet) Utilities/management software (anti-virus. such as those offered by CenterBeam or Everdream. They’re most common in trading environments. Service commerce platforms A hybrid of SaaS and MSP. scalable infrastructure should eventually make every enterprise a node in the cloud. BI) Personal productivity software (word processing. Eric Knorr is editor in chief at Infoworld. IBM. ERP.

and software as a service. Amazon’s related storage service. which was mostly about raw processing power. have encouraged significant numbers of startups—and a still small number of enterprises—to move more infrastructure into a third-party provided cloud. says he expects to move toward the cloud in the next few years. Rather than buy enough servers and other infrastructure to meet peak needs. “It’s the logical corollary of what happened in computing over the last 30 years. the minimum level of resources needed to run the business at all times. says André Mendes. to name two of the issues most commonly raised by the IT community. too. that different vendors will spin cloud computing differently. that is. who’s now moving much of his data center outside his enterprise via conventional hosting services. time-sharing on steroids. Why now? Enabling technologies.” says analyst Dennis Byron of Research 2. “It helps the CIO abstract another layer of complexity from the organization and concentrate on providing the higher levels of value. notes William Fellows.” Mendes. You have a data center with many servers and they are all turned into virtual machines.” says Mendes. W riter Nicholas Carr will earn the enmity of even more tech veterans with his newest prediction: Cloud computing will put most IT departments out of business. CIo FoCuS Fo r ECasT: C Lo u d Co m P u T I n G Lo o m s B I G o n T H E H o r I zo n 6 . CTO of IBM’s High Performance On Demand Solutions. Pell suggests that IT executives considering cloud services start by closely examining which resources their data center uses all the time—and which are only needed during periods of peak demand. “The Big Switch: Rewiring the World. Concerns around security and application latency. To be sure. com’s vision of the cloud looks much like the SaaS you know today. A big goal of cloud computing. “The cloud is basically a combination of grid computing.” Dennis Quan. the use of an elastic service gives IT time to establish a baseline. Cloud computing. from Edison to Google.0. the CIO of Special Olympics. His company is attempting to index an enormous chunk of the Web. Yet another issue: transparency. which is one reason that some CIOs who did not reap the desired ROI from SaaS now look at cloud computing skeptically. Pell means the ability to stretch out when needed— and then snap back. freeing up significant amounts of cash. But there’s a kernel of truth beneath the hyperbole. personnel and hardware. “The concept of cloud computing makes enormous sense. At the provider level. Keep in mind. providers have not fully formulated their business and pricing models. Entrusting mission critical applications and data to a third party means the customer has to know exactly how cloud providers handle key security and architectural issues. once a concept as murky as its name suggests. a desire to simplify. “In effect the cloud is network virtualization. it’s a return to the past. What’s more. That approach helps the vendor maximize its resources and lets the customer ask for more computing power on the fly. Pell says.” One difference from the now familiar.” Carr writes in his new book. the goal is to dynamically assign computing workloads as customer jobs come in. says Barney Pell. but it’s easier to get analysts and IT insiders to talk about the features and goals of a cloud than it is to pin down an exact definition. are encouraging CIOs to think further outside of the data center. a San Francisco-based startup company building a natural language search engine. plus the lessons learned from the rapid ascent of software as a service (SaaS). But elasticity is probably a better term.” An exaggeration? Of course. The work involves major spikes by users that would exceed the company’s normal computing capacity. Powerset pays for the resources as it uses them. By elastic. an analyst with The 451 Group. True enough. limited space in data centers. How transparent providers will be about those details remains an open question. and above all. Powerset became an early customer of Amazon’s EC2 and S3. multi-tenant SaaS model. in which numerous clients access a provider’s application: Cloud computing environments also allow the customer to run his own applications on the provider’s infrastructure. In a sense. founder and CTO of Powerset. says “We’ve designed the cloud around virtualization. “IT departments will have little left to do once the bulk of business computing shifts out of private data centers and into the cloud. is rapid scalability. are real. whether IBM’s Blue Cloud or Amazon’s EC2 (Elastic Cloud Computing). is becoming a legitimate emerging technology and piquing the interest of forwardlooking CIOs. IBM’s vision includes mashups of massive customer data sets on the fly. it’s still the early days of cloud computing. Also. That’s a key point. Salesforce. and that compute-intensive task goes on most of the time. Out-of-control costs for power. including nearly ubiquitous bandwidth and widespread server virtualization.PuttInG It to worK cloud computing Tales from the Front A new level of scalability Unlike many “next big things” cloud computing didn’t just spring fully-formed from the brain of a Silicon Valley whiz kid.

But setting up and rester principal analyst James Staten. at a cost of $40. thousands of contracts among his company. Security. he says. groups or departments within enterprises often have the need to prototype or handle a specific project. Schumacher staffs emerthere’s also a less concrete. Those moves. but don’t have the budget or desire to buy the needed infrastructure. poses an issue. “Your traditional whose revenue was growing 20 IT staffer is going to be resistant. Amazon’s vice president for product manMenefee. plan to use within one to three years 5% with the demands of a company Menefee says.” Indeed. Not every project uses that internal cloud.S. We need the flexibiltions call for specific hardware.” says the CIO. If that’s the case. plan to use within three to five years 2% faster when measured by the numence developing for the Web. “It was an eye-opener. Upon joining the Lafayette. but while you keep your feet firmly on the ground. CTO ning at least some of his applications outside Schumacher’s of Rackspace. Not sure 5% percent to 30 percent a year—even Enlist the guys who have experiYes. though. including more scalability.” says Adam Selipsky. data center would solve a number of problems. wrote in his blog. “We didn’t have disaster agement and developer relations. On the other side of the ledger. but more than 100 have.” No.000 a year. says Fority to move data quickly. Control fears Louisiana-based company three years ago. plus a large outlay for Bill snyder is a freelance writer specializing in technology and additional hardware. instead of buying hardware for the project. and a simpler data center. as was the case for Schumacher Group CIO Doug Menefee. of course. The company deals with very large image files and charts scanned into the system. when asked what advice Yes. he says. Derek Gottfrid senior software architect for the CRM application to handle benefits from cloud services. avoided the expense of it’s time to take a peek into the cloud. decided to combine a custom application built by Apptus. service levels and availability are issues tackle a disaster-planning gap and find new ways for IT to that rightly concern IT executives when the talk turns to keep up with rapid business growth.000 to $80.” Flexibility up.puTTInG IT To worK Similarly. IBM itself is using its internal cloud to supply the resources needed for prototyping new applications or services. cloud computing.” Menefee says. an IT hosting company based in San Antonio. issue on the cloud gency rooms for 150 hospitals across the U. Vendors will have plenty of work to do in Headquartered two hours west of New Orleans and 35 the next few years to resolve them to IT’s satisfaction. “But for me. While very upbeat about his experience in the cloud. for example. I find a problem and look for a solution. that type of work stays in house. Menefee says his data center isn’t going away anytime soon. some applicaturn on five or six hospitals tomorrow. he adds. Had our headquarwith the idea of data leaving their Yes. cloud computing can help a CIO tackle several problems at once. So for now. which involved about half no rush. with a Salesforce. recovery and business continuity “They’re starting to come to terms Is Cloud Computing On Your Organization’s Tech Roadmap? capabilities. says John Engates. And database performance in As Menefee settled into his new job. of the company’s IT infrastructure. but important. “We can go out and a common issue. says Quan. Is Schumacher utilizing cloud technology. Menefee had to Security. forget about running provisioning new regional offices was taking months. Schumacher’s he has for other CIOs considering Yes. on the radar or actively researching 17% At the same time. costs down For some enterprises. he realized that runthe cloud can still be problematic. currently using or implementing 30% ters gone down.” Menefee says. It only takes computing table: culture. CIo FoCuS Fo r ECasT: C Lo u d Co m P u T I n G Lo o m s B I G o n T H E H o r I zo n 7 . used Amazon Web Services (EC2 and S3) to generate PDFs of 11 million articles in the paper’s archives in less than 24 hours using 100 instances of EC2.” SOU RCE: CIO RES E a RCh ber of complex contracts it needed More caveats: Although it’s not to manage. the idea of us using an infrastructure that isn’t our own. Schumacher’s Yes. it would have four walls. latency. a glance at the map to see how close it came to being hit by “Some people still view this as a loss of control. CIOs will find an ISV. plan to use within one year 10% IT group was struggling to keep cloud computing. or is it really SaaS? “There’s a lot of gray area around that term [cloud computing]. the application in the cloud. business. There’s and the doctors. but we’re not there taken all of the regional offices yet. not on our technology roadmap 29% down with it. Indeed. Menefee Texas. n his hiring an additional three to five full-time IT staffers. “Single sign-on service and password management were the biggest pain points. which means that latency becomes an issue.” says hurricanes Katrina and Rita. that is managed outside makes it a cloud. But I’m not looking to be part of a trend. But miles north of the Gulf of Mexico. There’s also “a beast” of a legacy billing system to deal with that wouldn’t fit well into a hosted environment. The New York Times. the hospitals faster deployment times.

Chief Scientist at Cassatt. opex territory—and even most cloud advocates. if you rent a car. This is because a payment on a capital good like a server is one of a series—each of which the enterprise is committed to. I just completed a series on “The Case Against Cloud Computing” and TCO was only one of the five issues discussed. even if the cash outflow was roughly the same. but you get the point—the assertion is that. senior general corporate management. storage. since cloud providers seek to make a profit. The indirect costs of running a server: network and storage infrastructure and IT operations to manage the general infrastructure. you’re stuck with it. floor space. and fails to comprehend why cloud computing will be so popular among senior corporate management. and what decision criteria should be used to make that assessment—and for sure.” This refers to the fact that stocking your own data center requires capital expenditure. (This naturally does not address the topic just discussed. much of this discussion is wrong.” Another perspective about why this comparison falls down comes from a blog posting by Steven Oberlin. and. divide it by 36 (the number of months in the typical expected service life of a piece of equipment) and show that it totals less per month than renting from Amazon. because these businesses are managed as profitable enterprises with a strong attention to cost. This isn’t really surprising. you are committed to it only as long as you want to use it—and once you’ve paid for that CIo FoCuS Fo r ECasT: C Lo u d Co m P u T I n G Lo o m s B I G o n T H E H o r I zo n 8 . the effective cost of a given level of computing is actually five times higher than typically assumed in these cost comparisons. which means it’s inappropriate for typical corporate apps that require round-the-clock availability. Even if you’re no longer excited about owning it. and whether the expenditure is for a capital good or an EC2 payment. fail to limn the full range of reasons cloud computing is attractive in this respect. Opex. more crucially. the cloud alternative would be more attractive. Once you purchase a capital good. Therefore. are interested in cloud computing. it’s all cash flow. the finance company still expects its monthly payment. Some of this advantage is due to purchasing power through volume. opex most people miss the point about cloud economics Y ou don’t have to spend much time around cloud computing before you run into arguments regarding cloud economics and you will undoubtedly encounter the phrase “Capex vs. Opex. and misdirects the conversation away from where it should be directed. The overhead costs of owning a server: procurement and accounting personnel. it’s still the same amount of money. 2. This is where we move into capex vs. the actual cost of internal data centers vs. In my opinion. even this does not fully explore the reasons IT organizations and. as anyone who has purchased a car understands. they are ipso facto more expensive than internal data centers. Usually people take the average selling price of a 1U server. I have heard people describe the difference between the two types of expenditure as regards cloud computing as unimportant—after all. To turn to the most apprehensible part of the discussion. By contrast. commenting on a recent post of mine discussing cloud TCO. This is enormously wrong. He noted that these kinds of cost comparison ignore the utilization of the internal server: if it’s running at 20% utilization. Comparing the monthly cost of an EC2 server against a putatively similar piece of hardware in a data center is simpleminded. cloud computing is bound to be more expensive than selfowned. For starters. they conclude.puTTInG IT To worK capex vs. dare one say it. In the recent UC Berkeley Cloud Computing Paper (see page 14). the RAD Lab estimates that cloud providers have lower costs by 75 to 80 percent vis a vis internal data centers. not to mention a critical resource in short supply: IT management and its attention.” The next go-round of the argument then devolves into a tussle about which alternative is cheaper. who pontificate about the opex advantages of cloud computing. external cloud. while using an external cloud service that offers pay-as-you-go service falls into ongoing operating expenditures: thus the contrast of “Capex vs. which is that they probably aren’t the same amount of money. which is what proportion of the total portfolio of corporate applications are appropriate for external cloud hosting. economics is not the sole criterion. these factors significantly raise the monthly overall cost to host a server. the typical cost discussion regarding internal data center versus cloud provider costs is typically oversimplified and fails to assign a true cost structure to the internal data center side of the comparison. 3. A further nuance often thrown in is the faintly ad hominen attack that. There have been many discussions comparing the cost of a 7X24 use of an Amazon EC2 instance against the cost of hosting a server within a company’s data center. Therefore. given a set amount of payment. misunderstands the real key issues for most companies. When added to the cost of a internal server. they point out. the type of “bucket” it comes from is irrelevant). some through more efficient management practices. no matter if the server is being used or not. However. On the other hand. and IT operations to manage those resources. The direct costs that accompany running a server: power. because it overlooks: 1. given that most IT organizations really don’t have a clear understanding of their true costs to begin with. as my discussion about Activity-based Costing pointed out (see the section headed “Do the Math Correctly.

Moreover. most agree there are technical reasons for concern. trying to fight cloud computing by making comparisons between the cost of running an internal server versus the cost of a cloud-based on is off-target. says John Willis. carries an option value.” With a perspective like that.. “’The cloud is dead because of lock-in. Given all these factors. In MBA-speak. one can conclude that.” the bestselling book on virtualization to date. it’s easy to understand why any initiative that promises to reduce lumpy capital investment and transform it into smoother operational expenditure would be extremely attractive to bean counters. This is why IT reports to the CFO in many companies. Tim Bray. a rental car costs more per day than the same car would.e. and more flexibility. As one colleague who consults on financial strategy with many large companies said “You know what we think of IT? We think it always shows up. and manage it with an eye to minimize its cost. there’s growing concern about how to get out. pretty much everyone understands that you pay a premium for that flexibility. the engine behind more conferences. a portfolio analysis can be undertaken to make a set of recommendations and create an action plan. Cloud computing is an architecture in which companies consume technology resources as an Internet service rather than as an owned system. maker of a cloud-based enterprise application development system. for which a premium is paid. cloud computing and related issues. He is also the author of “virtualization for dummies. But providing “proof” that internal servers are cheaper is a losing strategy. you have no further financial obligation. The debate rages Last October. When people talk about lock-in. it will certainly remember the global financial crisis. And the recent announcement that Coghead Inc. there is an imputed value to the scalability offered by the cloud alternative—the fact that I can easily grow my consumption in a short period is itself valuable. many companies view IT as the latter type of investment. director of Web technologies at Sun CIo FoCuS Fo r ECasT: C Lo u d Co m P u T I n G Lo o m s B I G o n T H E H o r I zo n 9 . “People wind up saying things like. but by lenders who benchmark against public company ratios). Companies are limited by the public markets in the amount of capital expenditure they are able to make (in the case of privately held companies. spouts unintelligible jargon. With defined criteria. it’s understandable. there are many attractive aspects to cloud economics that would cause general senior management to view it as very desirable. they often don’t distinguish among the several cloud types that exist. conversations and marketing collateral than seemingly any other technology in development today. he says. naturally. Much of the fear of lock-in is caused by misconceptions. there is an option value in that flexibility.” But while some vendors debate whether lock-in exists. if purchased. what cloud are you talking about? I can give you five scenarios where lock-in is an issue and five others where it isn’t. i. n Bernard Golden is CEo of consulting firm Hyperstratus. And amid all the hubbub about whether and how to get into the cloud. Because capital investment is limited. A much better strategy would be to identify decision criteria for determining whether a given application should be hosted internally or could be moved to a cloud environment. Vendor lock-in is one of the primary fears expressed by IT leaders considering a move to this setup. Unless the cloud numbers are significantly higher. This is why many companies prefer to lease real estate rather than purchase—they don’t want to tie up precious capital in dead assets. more transparency. and. Rightly or wrongly. Consequently. Furthermore. Therefore. and asks for huge lumps of cash.’” he says. a systems management consultant and author of an IT management and cloud blog. the degree of lock-in needs to be weighed against the advantages of using the system. be sure you know how to get out W hen the IT world looks back at 2008. cloud computing: don’t Get caught without An exit Strategy Before you trust your business to the cloud. “Well. and other administrative groups—just before their responsibilities were outsourced to providers who offer fixed costs. which specializes in virtualization. companies might be willing to pay more than the cost of an equivalent amount of internal server capability. each of which requires varying degrees of commitment.. since there is no implied commitment beyond the duration. legal. is shutting its doors has exacerbated that fear. and reminds me of arguments I’ve heard made by HR.puTTInG IT To worK use. But it will also likely link that time frame with the takeoff of cloud computing. the limitation is not imposed by public markets. And guess what. companies usually want to direct their investment toward revenuegenerating activities. even if the cloud alternative were more expensive over a given duration. The really crucial aspect about the opex character of cloud computing should be based on a better understanding of the role of capital expenditure within companies. given the option values associated with cloud computing.

“But the reality is that it’s like money: If it’s in a pull my app and its data off X. we can ing to the cloud doesn’t require access to skills/capabilities we have 28% experiment.’s Azure Services Plat“You’ve made a choice to be involved in a certain ecosysform. and others to respond. “There are APIs and platAs Staten points out. “that we’re going to market. he explains. users Other 5% or third parties need to program *RESPONd ENTS S E l ECTE d UP TO Th RE E CRITE RIa to those specifications to varying Staying out of the vault SOU RCE: CIO RES E a RCh degrees. vendors use Capacity . which provides an operating system and a set of develtem. To take to test. Barron is movIn general. What “The common misperception is that because data is within that means if that I’m deploying my app on Vendor X’s center 16% cern if you’re using it for a shortunique and proprietary interfaces. Oracle or Microsoft is just as locked in as any tion off one system and move it fairly easily to another. which could be complex and costly. Scalability on demand/flexibility to the business 50% cesses that fit into this architecsays James Staten. but with deployment is tied to the vendor.puTTInG IT To worK which provides a cloud-based application life-cycle manageMicrosystems Inc. with Azure.. “When the shake out comes. and it’ll all run with minimal vault.” Staten says. he 11% term project like a promotional application programming interFrequent software updates 10% service or an application you want faces (API) and databases. It’s locked up.” he says. The calls to the SQL database. Not using or planning to use 19% mitment risk. through the unique virtual cloud software and platforms come nonstandard APIs. over your IT budget? Gimme a break. the higher the risk of lock-in. Capacity . blog post. senior vice president at Serena Software Inc. but people are more concerned because the “If cloud computing is going to take off. says Server calls.” Staten says. or the unique configutem calls and other proprietary technologies.” the Amazon or Google offerings qualify. ensued. I don’t think either regardless. a lack of standards Primary Reasons You’re Using ing into cloud computing slowly. that’s not true in no interest in developing in-house mitigating a large financial comsome forms of cloud computing. While the Reduced hardware infrastructure costs 38% entire enterprise to the cloud. some degree of your able because it’s stored in Linux servers. full advantage of the system. If they grow dissatisfied Another way to approach the lockwith the service. a oper services to build cloud-based applications. Staten says. head of developer provendor for a multiyear time period without knowing if they grams at Google. it’s somehow more accessible than when it’s remote. cloud infrastructure provider. but you’re also restricted. CEO of RightScale Inc. CIo FoCuS Fo r ECasT: C Lo u d Co m P u T I n G Lo o m s B I G o n T H E H o r I zo n 10 . an analyst at ture without having to commit the Forrester Research Inc. totally. there’s fear itself to understand how to translate those API calls into SQL Technicalities aside.” form. Rene Bonvanie. sysmachine or unique APIs you write to. wide-eyed. are different from the calls in Azure. the twin tragedies of the great desktop ask. users write to a set of forms in the cloud world that create a walled garden.” he said in his systems are not on their own premises. is this vendor going to suite lock-in and the great proprietary SQL lock-in? You make it?” know.” same services deployed in their own environment. A case in point is Microsoft Corp. cloud system. data and/or applications would need to be reforrule of thumb: The higher you go in the cloud taxonomy.” Exacerbating this fear is the immaturity of the cloud “Are we so deranged. it doesn’t matter whether the vault is. “it absolutely. At the moment. With cloud storage. must be lock-in-free. ration or composition of the application. there have to be other vendors Y and Z such that I can he says. You get cloud services in a way that’s different from writing to the the benefits of that garden. began a robust debate about lock-in on ment system and runs most of its own business on the cloud.. users would have Then. the ones where you give a platform vendor control That’s the case for Christopher Barron. for instance. or if the vendor in conundrum is to use Willis’s goes under.” he continued. For that reason.” “We are very concerned about being locked into a specific This inspired DeWitt Clinton. and a lively debate have the capability to serve us properly. CIO at CPS Energy.. he says. tweaks on either Y or Z. data is easily transport“If you deploy to any cloud out there. To move to a different provider. adding that IT leaders can’t help but re-enact. popular hype implies that movReduced IT staffing/administration costs 35% “By taking it in pieces.” notes Michael Crandell. tune and adjust while any heavy lifting. hampers the portability of data or Plan to Use Cloud choosing certain business proand applications between systems. matted in order to switch providers or move it back in-house. He argues that data housed in traditional systems such as He argued that lock-in exists if you can’t pull an applicathose of SAP. lock-in is also an emotional issue. Particularly with software and cloud computing offerings “Vendor viability is less of a conplatform as a service. his Cloudy-Times blog.” he says.

Serena inserts escrows to regu- Maturity takes time Over time.” he says. Contract confusion There’s more than one way to get locked into a cloud vendor’s system. An often-overlooked method is through a contract.” To determine a vendor’s viability. no one was writing custom applications in Salesforce or leveraging their APIs. so if a competitor made us think of switching to a different cloud. because customer demand will be offset by the advantages that vendors see in lock-in. It’s also essential to set policies early on as to how your company is going to use the cloud and under what circumstances. In addition. which might specify a commitment of several years. “You have to do things above and beyond what the cloud vendor provides to be secure or compliant.” he says. which effectively minimizes user reliance on proprietary technology and makes its tools portable across providers. Gartner Inc. such as FlexiScale. you would need to unwind and then redo all that work. say. This won’t happen without tension. GoGrid and Amazon. because they didn’t know if they’d be around. [moving away from EC2] would be easier than [exiting] an on-premise system. how does data come out. Bonvanie says he has found that cloud vendors are more forthcoming about doing this than most traditional vendors. “Now that they’ve been around 10 years and are well capitalized. He also talks to the venture capitalists backing the company about their commitment to it. he says. asking the vendor to provide under a nondisclosure agreement information such as its cash position. Staten points out that security customization is yet another way to get locked into a particular vendor. because if you wanted to move to a different provider. standards will develop. Take Salesforce. That’s what RightScale claims to pull off with its management tools. we could just set up a whole other cloud system. the hope is that lock-in concerns will grow more rational and less emotional. which uses a proprietary programming language and APIs. Crandell says. One crucial area is in using open Web services in application-to-application communication. “The CIO has a role to play in ensuring several vendors are involved in the assessment. This approach makes Christian Taylor. feel that his company’s infrastructure product offers freedom of choice. As Gartner analyst Richard Ni points out. For that reason. Ni warns. Staten proposes doing in-depth research. CEO of MeDeploy. Staten says.” he says. “If anything. for instance. For instance.” he Inc. selection and due diligence process. which often requires customization by the user. As Crandell Creating these types of policies is not something many companies are doing yet. “because use of the cloud right now is a bit like the Wild West. “It uses standard hardware. “The imperative is that you agree with your vendor on what the procedures are for abandoning their application. you need to be sure beforehand that you can apply those customizations to all five platforms. “We shield companies from having to write a specific solution for.” Staten says.. However. So if you want to use five different cloud vendors.” As the hype about cloud computing begins to settle down. those things are in high use. he says. which work with a variety of cloud infrastructure providers.” he says. analyst Richard Ni contends that IT leaders can encourage standards development by ensuring that their teams consider a wide range of vendors and technologies beyond the obvious leaders.” he says. “We will encourage lock-in if we close our eyes to other vendors in the industry. MeDeploy offers a system—based on Amazon EC2 and managed with RightScale tools—that allows film distributors to build online ecosystems for distributing and selling films. You need to weigh the advantages of using provider-specific technology against the vendor’s vulnerability. they could. Staten says. Staten says. so if they wanted to move away from RightScale.puTTInG IT To worK To minimize the complexity and cost of doing that. Staten recommends asking references whether they’re just dipping their toes in the water with a vendor or making a bigger commitment. its tools create an abstraction layer on top of these services. users need to be adamant about which standards they desire and where they’re most important. because cloud computing is seen as a utility that you can turn on and off at will. Staten says. “Years ago.” late what happens to its cloud software vendors’ source code if the vendors cease operations. he says. Ensure that your team has a full understanding of the contract terms and conditions. That will be a welcome development to CIo FoCuS Fo r ECasT: C Lo u d Co m P u T I n G Lo o m s B I G o n T H E H o r I zo n 11 .” he says. This is especially important when it comes to securing data in the cloud. Serena Software’s Bonvanie also advises companies to specify an exit strategy in their contracts. if needed. What’s more. load it up and then switch over. RightScale’s source code is available to users. Amazon and then have to rewrite again for each cloud. and what is the vendor’s involvement in making that happen? How much time do you have to get the data out after service nonrenewal? In many of its contracts. “People don’t even realize they’ve been locked in if they have weak contracting knowledge or expertise. most likely driven by customer demand. some people don’t look at the terms of the contract. cloud users should try to touch proprietary and nonstandard elements as lightly as possible. The risk/benefit dance Avoiding the proprietary aspects of a vendor’s system really comes down to a risk/benefit tradeoff.

rather than add the load to its own database and computing infrastructure.”’s Internet-provisioned computing and storage services— Elastic Compute Cloud (EC2) and Simple Storage Service (S3)—to augment their own IT resources. analysts say there’s a long way to go before they’re a mainstream part of your datacenter. the ungainly name for this online IDE service. using a credit card to get the service going in a matter of minutes so that it could convert scans of 15 million news stories into PDFs for online distribution. Cloud computing is the latest buzzword that vendors are using to spruce up the usual sales spiel. com grid-in-the-cloud utility to scrub customer addresses rather than stand up that infrastructure internally. “The cloud is just the furniture.” So Nasdaq took its market data and created flat files for every entity. cut up into columns to fit in the scanners (as TIFF files). something very real is happening. here we go again. Both have tapped into Amazon.’s Web-based ERP software has convinced him that they have easier interfaces and procedures to retrieve and unload data than SAP AG does. to make them available through its Web site search engine.” While the skepticism is platform as a service. “Is there lock-in in the choices I’m considering?” n mary Brandel is a Computerworld contributing writer in newton. companies such as medical robotics firm Intuitive Surgical and recruitment services provider Jobscience use in-the-cloud development environments to create a provision their own applications. The Times scanned in the stories.’s Web-based business software and IntAcct Corp. (It adds 100. Willis says. And the price is right.puTTInG IT To worK Bonvanie. So it turned to Amazon’s S3 service to host the data. “It’s the wrong question.” he says. where people normally run mixtures of three or four different breeds of Unix.000 files per day to the several million it started with. Willis looks forward to the day when people stop asking whether the cloud causes lock-in. Courbois says. In another realm of cloud computing. early experiments in cloud computing Cloud computing has many faces. “It’s much harder to move from AIX to Sun than to move from Amazon to FlexiScale. some just beginning to take shape. his use of NetSuite Likewise.” Willis agrees.” says Nik Simpson.” he says. Both companies use Salesforce. Contact her at marybrandel@verizon. Infosolve Technologies uses Sun’s Network. and IT needs to pay attention. remove the word cloud altogether and ask. “Dot-com boom. or do you experiment so that you can get early advantage when they’re enterprise-class? Computing in the sky Nasdaq OMX has lots of stock and fund’s Force. it’s a cheap experiment. So the question is: Do you sit back and wait for them to mature. the company didn’t want to worry about optimizing its databases and servers to handle the new load. recalls Claude Courbois. who sees just as much risk with traditional computing systems. In fact. an associate vice president for data products at Nasdaq: “The expenses of keeping all that data online was too high. and created a lightweight reader app using Adobe’s AIR technology that let users pull in the required and then creates the replay animations from them. But despite early promise. The Times processed 4TB of data through EC2 and S3. mass. The result: “We don’t need a database constantly staging data on the server side. they’re aimed squarely at IT users.) The Adobe AIR app Courbois’ team put together in just a couple days pulls in the flat files stored at Amazon. Nasdaq uses S3 to deliver CIo FoCuS Fo r ECasT: C Lo u d Co m P u T I n G Lo o m s B I G o n T H E H o r I zo n 12 . So what are Nasdaq and the Times doing? In a phrase. then uploaded those to S3 — taking 4TB of space — over several WAN head connections from the Y ou know there’s substance behind a technology buzzword when companies such as the Nasdaq OMX stock exchange and the New York Times publishing company use it for real production efforts. But for this offering. The traditional approach wouldn’t have gotten off the ground economically. utility computing. called Market Replay. and the fever pitch is enough to make you think. each holding enough data for a 10-minute replay of the stock’s or fund’s price changes. “If I’m someone like Nasdaq. Unlike SaaS (software as a service). first steps into on-demand infrastructure show promise historical stock and mutual fund information.” The New York Times also used S3 for a data-intensive project: converting 11 million articles published from the newspaper’s founding in 1851 through 1989. a senior analyst at the Burton Group. but other firms such as Coghead offer their own platforms. on a second-by-second basis. not at business users looking to bypass IT (or that IT is happy to let someone else take care of). and it wanted to make extra revenue selling historic data for those stocks and funds. “What gets me nuts is that the same people who are concerned about lock-in in the cloud are not concerned about it behind the firewall or on-premise systems. These two forms of cloud computing—utility computing and platform as a-service—are exciting developments. But at the new York Times and nasdaq.

Network. But where a task can be such as uses the EC2 service to deliver mobile videos over the Interonline commerce and services and apps delivered to mobile net. the expectation of real-time response. Thus. But now.” he adds. management’s EC2 computing platform. A more in-the-enterprise example is Intuitive Surgical. so it had gown comfortable with the backup for its provisioning. not build the basics that everyone else technology at Infosolve Technologies. The company had been using Salesforce. and customers have no Then.” recalls Derek Gottfrid. Luby pany struggled to manage its Adobe ColdFusion-based notes. so CEO Ted Elliott began looking at Over time. using Amazon.” Manchiraj says. That Times’ datacenter. streams them from Amazon.000 processors and get the data back quickly. “After The grid’s quick scalability has meant that Infosolve about] such as calendaring and scheduland image transformation. it’s a grid. So Digital Fountain now service’s EC2 servers. not just do not currently use any cloud computing offerings 37% provider. When the company decided to launch this new offering. Other 8% ing platform. How Is Your Organization Currently ensure a geographic diversity to “But they manage to the using a credit card. It is involved in clinical trials of its Infosolve has used the Sun grid for the past 18 months equipment. meaning it internal: His developers didn’t SOU RCE: CIO RES E a RCh specializes in parallel processing. “It’s an offsite someone in IT just signed up for the service on the Web datacenter. That data is inconsistent and hard to integrate to get street addresses are properly segmented). then began uploading the data. and so needs to collect and distribute data across to scrub names and addresses. These are intended for apps that will be delivered Digital Fountain. the basics [in Force. over the Internet and through the browser anyhow. data scrubbing. making sure they are cora range of clinical facilities. “It was cheap experimentaapp dev and app hosting platforms provisioned over the tion. “Not everything can be thrown ing. That limits they can build that doesn’t exist [in Force. Using 100 Linux comput“We can just restart the job. so its application development from all trial participants.puTTInG IT To worK skills were easily tuned to the style of Sun’s grid’s Force. “It Testing out online IDEs would have taken a month at our doesn’t guarantee availability.” says CTO Mike Luby. the customer won’t ever know. But if this would be a perpetual load. ensuring built-in customization tools.5TB of PDF files. since we only had Less mature than the cloud infrastructure plays are the a few spare PCs.” Gottfrid says. So it’s no surprise that most early “we didn’t want to buy our own servers and get the people to adopters of these online IDEs are themselves Web-based do that work. vice president for differentiating apps. Ditto if there’s a failure: TIFF data into 1. to the app. Because A typical example is Jobscience. can run 2. adding a second day to the effort—and increasing the tab by just $240. a the benefit is huge.” says Subbu Manchiraj. to sion customers over the Internet. all of which are separate firms or rect (such as verifying the ZIP code and ensuring that the entities. if resources do run Times ran a PDF conversion app that converted that 4TB of out. Luby expects to rely on other providers using an outside hosting firm to simplify its ability to proviin addition to Amazon. a provider of data already has. and he Running applications using a software 51% as well as to increase server denwanted an environment that was as a service (SaaS) model sity without overloading any one operationally optimal. Unlike Elliott’s biggest challenge was EC2. technically correct. “they’re starting to see what large array of processors can tackle all at once. “We could build it using just their CIo FoCuS Fo r ECasT: C Lo u d Co m P u T I n G Lo o m s B I G o n T H E H o r I zo n 13 . a provider of recruiting Amazon. want to let go the control over the where a task can be broken into independent steps that a app environment. “With Sun. scheduling: The jobs are] while using its use to applications such as rendering. So he turned There’s more to utility computto Salesforce. we got an e-mail [from Amazon. Internet. And we pay only for what we use. So the in-house developers get to innovate at the Sun grid. Infosolve is a Java shop. and the learning curve isn’t steep. Sun also platform as a service to create and access to extra computing power on demand 19% has its own cloud-based computhost the apps. the job took about 24 hours. another factor also helps Infosolve avoid worrying about senior software architect at the Times.] to ask doesn’t need to worry about balancing customers’ loads. he said.” com to create a forms-based app to collect that clinical data Plus. So Intuitive Surgical used Force. Digital Fountain services. a digital-media distribution company. At the same time. ers.” he notes. not Using Cloud Offerings keep streaming times manageable. and remote’s streams the video from several servers. we meaningful analysis Storage 24% ing than Amazon. server environment. Then a coding error was discovered that required the job be rerun. And it can throttle the numunderlying service availability.” Elliott says. surgical-robotics maker. let Infosolve offer its customers a turn-key data-scrubbing The Times didn’t coordinate the job with Amazon — service it couldn’t afford to stand up itself. the comber of servers to match demand as it rises and falls.

” he notes. they have to be available publicly. it will inhibit adoption in equal measure. 2. Dick. “It doesn’t have the rigor that the FDA would require. it would be easy to dismiss internal clouds due to requirement #1. that’s a difficult situation. RAD defines cloud computing as having the following three characteristics: 1. From a definition perspective.puTTInG IT To worK tools. primarily as a result of addressing the topic with an academic detachment. cloud computing what uC Berkeley can teach you A long way to the cloud Despite the successful examples of the first wave of infrastructure-oriented cloud computing. Amazon’s S3 had an outage in February. Such issues have kept Merrill Lynch from using cloud-provisioned infrastructure.” says Mark Burns. what is often referred to as “internal clouds” is not part of the RAD discussion. This is an interesting perspective on the part of RAD. “If half the IT infrastructure is unavailable. I will have more to say about internal clouds in the near future. To the degree that cloud computing raises risk. Data Lock-In 3. a clinical data specialist at the company. RAD does not identify the lack of infinite resource illusion as the reason to exclude internal clouds from the cloud computing discussion. It also..” The report is an excellent overview of the move to cloud computing. it’s well worth tracking down and giving a read. The illusion of infinite computing resources available on demand. For example.” he exclaims.. Certainly a significant part of the vendor community (e. addresses the top obstacles to cloud use. connected future. notes Burton Group’s Simpson. understates a few aspects of cloud computing as well. “We’re very bound by regulators in terms of client data and country-of-origin issues. i. a chief architect at the financial services firm. and any large-scale shift to them is a good decade away. there was no programming. The ability to pay for use of computing resources on a short-term basis as needed (e. and makes some excellent points about cloud economics.. For them. 3. L ast month the UC Berkeley Reliable Adaptive Distributed Systems Laboratory (aka RAD Lab) published Above the Clouds: A Berkeley View of Cloud Computing. Intuitive Surgical can’t use it to submit trial results to the FDA. It identifies some key trends. notes Ben Pring. around auditing of the data and tracking everything’s that done to ensure the data has not been compromised or altered. RAD goes on to list ten objections (or impediments) to cloud computing: 1. Data Confidentiality and Auditability 4. and therefore RAD is standing apart from that trend. provider availability is a big factor. and a significant number of small businesses fall in the same category. an underlying requirement for these capabilities to be considered as cloud. a senior analyst at Gartner. thereby eliminating the need for Cloud Computing users to plan far ahead for provisioning. as the Times did.) Some companies can’t rely on Internet-provisioned infrastructure services because of regulatory compliance and security issues. by definition. “Many have scary compliance issues. Therefore. so in essence. thereby allowing companies to start small and increase hardware resources only when there is an increase in their needs. or Harry can access them. Instead. n Galen Gruman is executive editor of Infoworld. rather than whether or not any Tom. thereby excluding internal clouds altogether.e. thereby rewarding conservation by letting machines and storage go when they are no longer useful. processors by the hour and storage by the day) and release them as needed. Although it can be easy to set up an S3 account using just a credit card. Data Transfer Bottlenecks CIo FoCuS Fo r ECasT: C Lo u d Co m P u T I n G Lo o m s B I G o n T H E H o r I zo n 14 . adds Williams. experimenting with cloud computing could put them on good footing for an agile. But while the app is handy to collect data. for security or compliance requirements. it defines external availability as the key condition. however. but I believe the key issues involving them relate more to the characteristics listed above. so it’s very difficult to use the cloud. But it is coming. From RAD’s point of view. in my view. it’s early days for these IT-oriented forms of Internet-based provisioning. CIO of Kaplan Test Prep and Admission. Availability of Service Use Multiple Cloud Providers 2. He notes that the early infrastructure services aren’t audited. How do you demonstrate what you are doing is in compliance when it is done outside?” says Burton Group’s Simpson. notes Jon Williams. But every large company has noncritical areas where low cost of entry and quick deployment trump reliability. externally. The elimination of an up-front commitment by Cloud users. That’s exactly what pioneers like Nasdaq and the New York Times have found. Overall.g.g. or take the liability. (Another outage occurred the day this story was published. particularly among enterprises.” says Rupert Brown. IBM et al) are trumpeting the transformation of internal data centers into cloud environments.

as that is the minimum level at which it will be purchased. posing a Hobson’s Choice: either overprovision capacity to be certain of meeting peak demand (thus probably wasting capital by purchasing unnecessary capacity). which is a new requirement for software systems. they are presented as if they are all of equal weight. your Internet connection can effectively throttle the speed at which you can upload it and delay starting work on the data. this risk is enormous. as it is very difficult to retrofit an accounting system. RAD identifies key characteristics of cloud as reflecting an easy-to-get-going. no upfront commitment computing environment.” This sentence carries significant implications for IT organizations.” Overall. this type of situation is risky. By using a cloud provider that operates on a scale one or two magnitudes greater than any one end user organization. For example. and networking. it needs to have billing built in from the beginning. the average animated movie is an ideal candidate for cloud computing as the task can be spread across many machines and the load is transient. it suggests that cloud-based applications need to be architected with specific capabilities—easily partionable. The cloud piece needs to both scale down rapidly as well as scale up. To sum up. Animation rendering is a good poster child for this. Its recommendations reflect systems that are attuned to that infrastructure and operating characteristics. RAD suggests that “the emphasis should be horizontal scalability to hundreds or thousands of virtual machines over the efficiency of the system on a single virtual machine. which is not the case for many Web 2. My reaction is that Pixar can probably get special handling for its situation. they need to strive for energy proportionality by making it possible to put into low power mode the idle portions of the memory.Software Licensing Pay-for-use licenses The report also offers ways to mitigate each of the impediments. however. since there is a finite amount of time rendering goes on: at some point the movie must be released. ending the need for rendering until the next movie comes down the pike. scalable upon demand.Performance Unpredictability 6. and it will need to facilitate flash as a new level of the memory hierarchy between DRAM and disk. Hardware Systems of the future need to be designed at the scale of a container (at least a dozen racks) rather than at the scale of a single 1U box or single rack. Applications Software of the future will likely have a piece that runs on clients and a piece that runs in the Cloud. very close attention.puTTInG IT To worK 5. which already happens inside a microprocessor today. Hence. RAD recommends exploring “fedexing” entire disks to the cloud provider to overcome bandwidth limitations. the provider’s large infrastructure can easily manage fluctuations in overall demand. They say: 1. their list of impediments is not incorrect. able to incorporate additional resources without need for CIo FoCuS Fo r ECasT: C Lo u d Co m P u T I n G Lo o m s B I G o n T H E H o r I zo n 15 . They quote calculations that show that this option is 75 times as fast as using the network. Cost of operation will match performance and cost of purchase in importance in the acquisition decision. I will discuss the most important impediments in this list later in this post. Bugs in Large Distributed Systems 8. Scaling Quickly 9. impediment #4: data transfer roadblocks refers to the fact that if you have large amounts of data to process. Transfer of risk is a really intriguing concept. we need improvements in bandwidth and costs for both datacenter switches and WAN routers. Finally. the user can be comforted that. storage. Essentially. Hardware should also be designed assuming that the lowest level software will be virtual machines rather than a single native operating system. they identify a number of impediments to cloud computing and recommend ways to mitigate them. As to implications. Reputation Fate Sharing 10. and some of them which don’t. Essentially. And finally. For traditional IT shops. whereas some of them will have more impact on cloud adoptions than others. an IT organization transfers the risk of capacity planning to the cloud provider. I’d like to address some implications of the report as well as what I view as its—if not shortcomings—its rather tooglib assumptions regarding this new environment. no matter what level of its own demand it puts to the cloud provider. this risk boils down to being uncertain about how much hardware capacity to purchase. 2. in its first recommendation.0 applications today. Scalable Storage 7.. Moreover. By relying on a cloud provider to provide sufficent capacity to absorb whatever user load might occur. Infrastructure Software of the future needs to be cognizant that it is no longer running on bare metal but on virtual machines. they are referring to a situation of uncertain or fluctuating demand. or purchase capacity to meet average demand and thereby forego having the processing capacity available to meet user demand greater than average. so the attractiveness of this option will remain theoretical for most users. and this is where you should pay very. they strongly recommend use of cloud computing due to its elasticity and transfer of risk. in environments with potential for extreme swings in demand. In particular. Such software also needs a pay-for-use licensing model to match needs of Cloud Computing. Elasticity refers to the first point in their description of cloud computing— the ability to scale up and down rapidly under conditions in which the illusion of unlimited capacity (should it be contemplated) is present. Overall. but that a typical medium-sized IT shop is unlikely to get Amazon’s attention. RAD then goes on to make three recommendations. The client piece needs to be useful when disconnected from the Cloud. some of which make sense. 3.

the type of applications that clouds enable.e. no ballooning or limited-duration pricing. are just the type that could not be countenanced in traditional data centers.” This is a commonly-cited issue. a trained employee base. Oracle has announced support for its products in AWS. the recommendation that infrastructure software needs to have billing built in glosses over real challenges IT organizations will face as they attempt to incorporate cloud infrastructures. Likewise. These capabilities map extremely well to the cloud characteristics they identify. citing these risks. not logically.” the bestselling book on virtualization to date. refers to commercial software obtained from third parties. i. databases. trotted out as rationales for sticking with the current mode of operation. The key challenge this poses to IT organizations is that most applications today are not architected this way. In other words. most vendor licensing assumes that individual software packages will be tied to a specific piece of hardware.puTTInG IT To worK manual intervention. For this reason. and the report recommends some ways to address it. and poses an enormous barrier to change. and a desire to minimize component duplication. Probably the nearest most mainstream IT shops come to this kind of application is web-based systems. In my experience. Being reluctant to endanger current licensing means that vendors will probably take a long time to actually deliver the pricing structure RAD recommends. One of those challenges emanates from outside IT: it is located within the vendor community. lack of concurrency contention for key resources. it fails to recognize that this battle is fought emotionally. However. and is licensed on a perpetual basis. Consequently. but these represent only a fraction of the overall application portfolio. since it can be more easily implemented in a horizontal scaling environment. i. cloud computing and related issues. However. most assume a relatively stable load and a fixed topology.” In that statement a whole range of issues resides.. most of the skills in today’s IT shops are not oriented toward the architecture RAD recommends as the basis for cloud-based apps. If you’re advocating cloud computing.e. the report identifies “Data Confidentiality and Auditability. While RAD has identified logical ways to address the issues. Most IT organizations would tend to look toward current vendors for infrastructure software. I have often heard these kinds of issues voiced reflexively. operated as they are with assumptions of capacity scarcity. They will want to craft pricing supportive of their current licensing schemes and revenue streams. and so on. in this formulation. We can expect that support of the type of pricing RAD recommends will present significant issues for software vendors. That probably won’t be much of a problem for applications designed consistently with traditional architectural assumptions.. culture always triumphs logic. There is definitely no pricing model that incorporates the likelihood of the number of operating instances of the package ballooning up and down with charges based upon duration of execution. along with the suggested architecture. Moreover. and so on. most software vendors are likely to take a long time to deliver this billing requirement. In particular. given pre-existing relationships. merely to note that to fully leverage the unique characteristics of clouds a different architecture is required. In its list of adoption impediments. n Bernard Golden is CEo of consulting firm Hyperstratus. but really preferring to avoid embracing something new that seems challenging. This is not to say that traditionally-architected applications cannot be run in cloud environments. but will present real challenges for IT organizations that seek to design applications consistent with RAD’s recommendations. application servers. I expect that open source will get a boost from the move to cloud software. prepare to confront a concern with risk that will be steady and stubborn. RAD advises that “Infrastructure Software of the future needs to have billing built in from the beginning. which specializes in virtualization. There are two aspects of the report that minimize issues that will challenges mainstream IT organizations will confront when moving to cloud computing. He is also the author of “virtualization for dummies. The work RAD did for its report is excellent and valuable and should be required reading for anyone considering the potential of cloud computing. RAD has indicated that academic institutions are paying attention to technology trends. Many IT organizations will hang back from cloud computing. With its report. The second challenge that is glossed-over in the report resides within IT itself. Infrastructure software. CIo FoCuS Fo r ECasT: C Lo u d Co m P u T I n G Lo o m s B I G o n T H E H o r I zo n 16 . too often this issue is raised as a stalking horse for a whole range of objections relating to risk that are brought up as reasons to avoid cloud computing. but pricing (and the pricing basis) is not yet available. In its second recommendation. The second resides within IT itself and relates to internal cultural issues. IBM has announced AWS support. but I believe its pricing is consistent with current assumptions and traditional application architecture.

for example.) *RESPONd ENTS S E l ECTE d UP TO Th RE E CRITE RIa .” Greenbaum says. “The Salesforce. such as HR services and exchange cost economies. availability. says placing Geoffrey Moore’s consideration of Measuring ROI 11% limits on the use of cloud technol“context versus core. notes Lovejoy. notes Josh Greenbaum. “If a nonsays that everything will eventually be available as a cloud mission-critical application goes offline. can be effective. including services like SAS Interaction Management.rISK/rewArd the dangers of cloud computing on-demand apps and services have several security risks that IT should address up front “In a shared pool outside the enterprise. the business must notes. principal at Enterprise maintaining the confidentiality. must decide if that trade-off is worthwhile.” Lovejoy says. having proper failover technology A best practice guideline for cloud computing in place is a component of securing the cloud that is often Ultimately.314 simply require that a Performance issues 24% great to rely on the cloud.coms and NetSuites of the world don’t offer the kind of governance. Instead. dissatisfaction with vendor offerings/pricing 12% ask how that risk should be manAs far as placing limitations on ability to bring systems back in-house 11% aged. have to be translated to the cloud. partner of TCG Advisors.” (Moore is a Not sure 7% ogy is a subtle issue that combusiness strategist and managing Other 6% panies have to examine closely. along with other C-level execupayroll. over time. For example. most of the risk and blame if something goes wrong will fall directly on the shoulders of IT—and not on the cloud computing service providers. And company get assurance from any where the decision is made to put third parties handling its data that IT governance issues 19% some services and applications the data will be safeguarded. a vice president advises that companies adhere to and fellow at Gartner. the consumer of the services is responsible for overlooked. the risk is too and 164. no specific statements regardIntegration with existing systems 26% He argues that cloud computing ing outsourcing or offshoring. But in the meantime. like elecgovernance. “If you look around. that apply for IT security and compliance. including perils related to compliance. risk. T he idea of cloud computing—designed around an architecture whose natural state is a shared pool outside the enterprise—has gained momentum in recent months as a way to reduce cost and improve IT flexibility. CIo FoCuS Fo r ECasT: C Lo u d Co m P u T I n G Lo o m s B I G o n T H E H o r I zo n 17 . Lovejoy lack of customization opportunities 11% David Cearley. governing most business interactions that will. when to deploy the cloud. Yet these same companies make of data. and availability Applications Consulting. integrity. what is sitting ple the fact that the HIPAA Cloud Adoption at Your Company in a box outside is an alternative (Health Insurance Portability Security 45% power supply.308 availability concerns 25% In some cases. Both core and context can be divided into missiontives. They don’t rely on and Accountability Act) makes just the grid. Yet many companies don’t think through those risks upfront.” says Greenbaum. the company can service—but at any individual business. But the use of cloud computing also carries with it security risks. companies get in activities that are typically internal. notes consultant Greenbaum. sure they have failover for established services. as an example. go to Lovejoy cites by way of examGreatest Concerns Surrounding any major facility. agrees Kristin Lovejoy. not everything will survive. director of IBM’s security. loss of control over data 26% should be no different. measuring the risk against when Core business practices proSOU RCE: CIO RES E a RCh and where cloud computing vide competitive differentiation.” Cearley says. tricity. be accessed from the cloud. by Context practices deliver business giving up some control over the data. The rule of thumb Moore comes up with. she Regulatory/compliance concerns 19% in the cloud. So if you have a concern over data location. Security standardization has not come to the cloud There is a huge body of standards. that may be a reason for not using it. For example. you don’t have any knowledge or control of where the resources run. IT. the act’s sections 164. and compliance [mechanisms] mandated by regulatory regimes. Cearley critical applications and non-mission-critical ones. and risk management division. and data integrity. until security models and standards emerge for cloud computing architecture.

strong security will be pushed down a layer.” he says. Good security takes time The cloud approach doesn’t map naturally to how good security is typically designed. says Pescatore. possibly nullifying any security that was built into the old application or assumed through integration at the customer site. then definitely keep it behind the firewall. cloud computing Survey IT leaders see big promise. “But a few years from now. and there will be enough security baked in for all but perhaps the DoD. He cites Microsoft’s painstaking development of the SDLC (Software Development Life Cycle) initiative that assumes missioncritical software will have a three. If it is context and mission-critical.” Pescatore says. Today.” n Ephraim schwartz is editor at large at five-year period in which it will not substantially change. Further out is the ability to physically separate your data from other customers’ data in the cloud’s multitenant architecture. segregation. But the secure SDLC is not built to do that. and nobody has a security cycle that moves that fast. she says. says Pescatore. as different privacy and data management laws apply in different countries. the experts fundamentally offer the same advice. “In the cloud you have to accept the next version. trusting no one but ourselves. where security is core and mission-critical—the upper end of the enterprise. What makes matters even worse is that the business user can’t say he wants to stay on the old version. Gartner’s chief security analyst and a man whose résumé reads like it came from a James Bond movie. one an old Russian proverb that President Reagan liked to use—“trust but verify”—and the other by Intel’s famous former CEO. Consultant Greenbaum says we all have a bit of the “control freak” in us. smaller companies may actually get better security from the cloud. he says. you never know where your data is stored in the cloud. But he foresees such separation being enabled from the still nascent but increasingly powerful virtualization technology. every two weeks we add a new feature. the European Union places strict limits on what data can be stored on its citizens and for how long. He also writes the reality Check blog. that do business across national boundaries. all its customers are protected immediately. thanks to its acquisition of Postini.rISK/reward is this: If the business practice is context and non-missioncritical. Winners and wannabes in cloud-based security In the near term. Trust your “control freak” impulse The security experts agree that no matter how stringent a vendor’s SLA (service-level agreement) or how strong its security technology. and security. We are going back to the old Netscape days of pushing out new features real quick. then always put it in the cloud. When it comes to cloud computing. For example. the National Security Agency. you may want to think about keeping it behind the firewall. But this indeterminate location is beginning to change. it is likely you should make it cloud-enabled. unlike the case for downloadable patches that IT must apply itself. wanted its customer data files stored in Switzerland. and the government—IT will have to add its own security layer. The area that worries Pescatore most is how quickly cloud-based services are updated and changed. says Pescatore. reducing risk in any environment rests with the individual company’s willingness to audit what is and what is not working. including a stint with the FBI. an e-mail security company. says John Pescatore. That means cloud computing won’t be any cheaper than running the application in-house. financial institutions. so many tech marketers are using the term “cloud computing” in so many contexts that it can almost Gaining control over data location Another issue that can affect customers large and small—the location of their data—will see a shift in the next few years. The Swiss Bank for example. Andy Grove—“only the paranoid survive. As Oracle chief Larry Ellison pointed out recently. if it is core and mission-critical. Pescatore says. However. such as on shared servers or databases. if it is core and non-mission-critical. which Google can now do. Another is that as soon as a cloud provider patches a security vulnerability. Google lets customers specify where their Google Apps data is stored. One reason is that a cloud provider can invest more in security than any individual small business could. Many banking regulators also require customers’ financial data to stay in their home country. Perhaps that is a good thing. That’s especially important for companies C CIo FoCuS Fo r ECasT: C Lo u d Co m P u T I n G Lo o m s B I G o n T H E H o r I zo n 18 . Many compliance regulations require that data not be intermixed with other data. which can be summarized by two very famous quotations. because the cost is applied across hundreds of customers. and the Secret Service. But if larger enterprises can’t yet rely on security in the cloud-provided security. have big security questions loud computing has become too popular a term for its own good. “In the cloud. For example. And that fact raises all sorts of compliance issues around data privacy. changing the app all the time.

vendor solutions/pricing to mature and the hype to be replaced by honest to goodness experience. economic woes will only drive more enterprises to consider and adopt cloud offerings. “Software-as-a-Service (SaaS)”. 74 percent work at companies headquartered in the United States. (Among our respondents. according to our survey respondents. to date. Among our survey respondents. IT’s comfort with using cloud options in the near term is split.” Cloud computing: no passing fad As Gartner analyst David Cearley recently commented to attendees at Gartner’s Symposium ITxpo. What you’re already doing in the cloud Cloud computing offerings that fall under what most people CIo FoCuS Fo r ECasT: C Lo u d Co m P u T I n G Lo o m s B I G o n T H E H o r I zo n 19 . Virtualization has helped many IT departments change from “no” people to “yes” people. What you hope to gain from the cloud What’s even more precious to IT than cost savings? Agility. Unsurprisingly.) For the purposes of the survey. a new CIO survey of IT and business leaders shows that Ellison’s dismissal of cloud as a disruptive force in the technology industry is premature.” The lack of case studies and customer references is a real stumbling block now. But a notable 29 percent say you have not placed cloud computing on your technology roadmap yet. explaining why he thinks the cloud will change his IT department—and his company. the number one factor stopping IT leaders from tapping into the cloud right away is security worries. Cloud Computing: Tales from the Front. etc. And breaking down these responses by those people who say they head IT in their company reveals more skepticism among IT chiefs than IT staffers: 38 percent of respondents calling themselves IT heads say cloud computing is not on their technology roadmap. “We view it as another sourcing option. Still. But you have not written off cloud computing. And research firm IDC (a sister company to CXO Media) believes the current U. you named this as your top desire from cloud computing. you already see the ability to deliver more flexibility to the business via cloud offerings: In fact. Read on for the details on what you and your peers say about cloud computing and how you are using it or planning to do so. 54 percent are the head of IT at their company or business unit. followed by reduced hardware and staffing costs. “You can’t swing a dead cat without hitting somebody that’s talking about cloud computing these days. Still.” The hype level has been extreme. which is a key enabling technology for the cloud. 58 percent say cloud computing will cause a radical shift in IT and 47 percent say they’re already using it or actively researching it. the appeal of that cost advantage will be greatly magnified. More than half of you believe cloud computing will radically change the way enterprise IT looks in a few years.” noted Frank Gens. That’s right in line with what CIOs told us earlier this year in our look at early cloud adopters. Many of you say current offerings are still not quite baked or appealing enough to roll out in production environments.” One sentiment came through loud and clear in our survey: IT wants the flexibility and cost savings that cloud computing promises—the same kind of flexibility you’ve won from virtualization. as compared to the old one-app-one-server days. Almost half of you (47 percent) say you’re either currently using or implementing or actively researching cloud options. But you will not rush with regards to implementing use of the cloud. The big win with virtualization. Similarly. per se. Just 18 percent of our survey respondents call cloud computing a “passing fad. 2008 to get first-hand feedback on what enterprises really think about cloud computing.rISK/reward mean anything—and thus often means nothing. IDC predicts that spending on IT cloud services will hit $42 billion by 2012. A whopping 59 percent of our survey respondents say vendors have not adequately addressed security concerns related to on-demand offerings. we used a broad definition of cloud computing from market research firm Gartner: “a style of computing where massively scalable IT-related capabilities are provided ‘as a service’ using Internet technologies to multiple external customers”. “It also allows the business to pursue an opportunity that has unclear ROI without significant capital expenditures on infrastructure. Cloud computing “allows the IT organization to focus on differentiating IT capabilities and not on infrastructure.S. and how. when and why they plan to deploy it in their enterprises. 54 percent of our respondents say that cloud computing is an evolving concept that will take years to mature. “cloud services”. and IT pros know it. “The cloud model offers a much cheaper way for businesses to acquire and use IT—in an economic downturn. some of you refuse to even think of cloud computing as a technology. has been the ability to deliver to the business on IT requests in a lightning fast way.” wrote one respondent to our survey. When you’ll jump into the cloud A big question about cloud computing: When will IT departments stop talking about it and start actually using it? According to our survey results. Cloud computing offerings are often described in terms such as “on-demand services”. senior VP and chief analyst at IDC. Consider this survey respondent’s verbatim comment as to why cloud is not on his roadmap: “We’re waiting for reality to strike.” one respondent to our survey wrote.” CIO surveyed 173 IT and business leaders in August.

for example. “Mobile access. The economics demand it may not sum to 100 due to rounding. vendors have a long road to the business. Staten believes large enterprises may inch their way into the cloud for the ability to do quick and cheap experimentation. How will IT leaders get their heads around the security issues with cloud computing? After all. your core understanding of cloud computing is What’s stopping you: security not the Yet such basic issues as movanswered all questions.” wrote one respondent to our survey. “Like every other technology. A full 78 and control concerns percent of you call yourselves very or somewhat knowledgeA whopping 45 percent of you cite security as the top conable about the cloud. as opposed to large enterprises. even industry vets give wishywashy answers right now. ing virtual machines between physical servers with processors from differing vendors (AMD and Intel) have yet Laurianne mcLaughlin is senior news editor of CIo.” trusting it are very different Despite the amount of marketing hype in the marketplace right now. to be resolved by the industry. And when you start talking about making customer data easily portable between differ- CIo FoCuS Fo r ECasT: C Lo u d Co m P u T I n G Lo o m s B I G o n T H E H o r I zo n 20 . As Forrester Research analyst James Staten notes. Not all respondents for cloud vendors to succeed. it’s simpler today for startups or smaller companies to use Amazon’s EC2 and S3 cloud services. non-mission-critical capabilities. resent the most mission-critical and expensive applications Based on our survey results. IT leading you to use or actively Very knowledgeable 27% departments hand reams of paper research cloud offerings? CollaboNot very knowledgeable 13% to an Iron Mountain representaration apps rank as early winners. Show me the security “I believe cloud computing places too many variables out of our control. Staten predicts. ahead before they earn that kind of trust. VMware has another vision. Thus some IT departments are not only comfortable with the cloud but also banking on it for operational savings and flexibility. SaaS offerings are the top way you’re already using the cloud. followed by storage on demand. cloud computing will rely on questions where a respondent could only select one answer virtualization to quite an extent. availability and performance worries still register. Not surprisingly.) are easy targets. ent cloud service providers. and general support funcUnderstanding the cloud and tions (provisioning. according to our survey results. trying to figure out the server and SOU RCE: CIO RES E a RCh Do you see the rep do it? No. A Not sure 2% and destroy it or otherwise deal significant portion of you are also with it according to instructions. a vision heavily dependent on client OS power. Applications that call About Cloud Computing? Consider this. have been around for years now. revolution. trust the vendor. etc. That opinion is not uncommon among IT vets. Microsoft has its own vision for solving the problem. Clearly. the CEO of a out for cloud options Somewhat knowledgeable 51% cloud infrastructure company What specific applications are recently told me: Each day. in the style of Salesforce. cern surrounding cloud computing at your enterprise. the size of your enterprise is a factor with regards to your comfort with cloud offerings. end users could use cloud services to bypass IT for some needs or projects. Cloud vendors. you storage on demand equations now. Only 19 percent of respondents say they’re tapping into extra computing power on demand right now. Percents on As we’ve recently reported. Bottom line: It’s early and the integration questions are real. so it’s not surprising that you’re already worrying about integration issues with existing systems and SURVEY METHODOLOGY NOTE: The margin of error cloud computing. it (cloud computing) has its place. Also. and co-located with many How Knowledgeable Are You other customers’ data.rISK/reward think of as software on demand or SaaS.5%. on a sample size of 173 is plus or minus 7. though that’s perhaps the most exciting flavor of cloud computing for the future.” wrote one respondent in the verbatim comments to our security questions. e-mail. must get to that And a surprising 54 percent of respondents mentioned ERP kind of trust with IT. And It’s just early in the game and your security and integrayou’ve been through blockbuster tech waves like the ERP tion concerns are real. before cloud computing can take off as on the radar or in use—notable since ERP apps often repin a mainstream way. with almost a quarter of you citing them in our survey. he said. many IT leaders just got comfortable with virtual servers: now they’re being asked to work off virtual servers in cloud providers’ physical locations—where their precious data will be further from reach. As has been the case with SaaS offerings from the start. according to our research. Not at all knowledgeable 7% tive and trust that he will shred according to our survey results.