What the reader will learn:
• That cloud computing has a number of adoption models
• What is meant by public cloud, and why businesses may choose to adopt this
• What is meant by private cloud, and why businesses may choose to adopt this
• What is meant by hybrid cloud and community cloud, and why businesses may choose to adopt this
• That these new ways of doing business bring with them legal issues that need to be considered as part of any plan to adopt cloud computing
2.1 What Services Are Available?
There are
alternative ways a business might adopt cloud computing, and we will be
reviewing those approaches in this chapter. As we saw earlier, there are many
something-as-a-service options available, and many providers provide all of
them, whilst some concentrate on specialist areas like data storage or
application platforms.
In a 2011 paper, Li et al. (2010) indicated four
general types of service that are currently available from leading cloud
providers:
1. Elastic compute clusters which include a set of virtual instances that run a customer’s application code.
2. Persistent storage services in which application or other data can be stored in a cluster.
3. Intracloud networks, which connect an application’s components.
4. Wide-area networks (WANs) connect the cloud data centres, where the application is hosted, with end hosts on the Internet.
This is a useful categorisation of service types. The other things we will need to consider are metrics. We will need to have some understanding of measures such as performance, cost and availability if we are to have any hope of assessing which provider offers the best solution for any of these services. We will examine these in the ‘Which Cloud Model?’ section (Sect. 2.6) at the end of this chapter.
R. Hill et al., Guide to Cloud Computing: Principles and Practice, Computer Communications and Networks, DOI 10.1007/978-1-4471-4603-2_2, © Springer-Verlag London 2013
Table 2.1 A summary of the key differences between public and private cloud models
| | Public | Private |
|---|---|---|
| Network | Internet | Private network |
| Server and data centre location | Global | In company |
| Costing | By usage or free | Internal mechanism, often by capacity and processor |
| Tenancy | Multiple | Single |
| Scale orientation | Vertical (i.e. user focused) | Horizontal (i.e. application focused) |
| Key selection rationale | Cost | Security |
As we saw in the last chapter, there are many definitions of cloud. Vaquero et al. (2009) attempted to collate these and come up with a single, all-encompassing definition:
Clouds are a large pool of easily usable and accessible virtualized resources (such as hardware, development platforms and/or services). These resources can be dynamically reconfigured to adjust to a variable load (scale), allowing also for an optimum resource utilisation. This pool of resources is typically exploited by a pay-per-use model in which guarantees are offered by the infrastructure provider by means of customised SLAs.
We must also not forget that to businesses, it
matters not how we define cloud computing but rather it matters whether this
form of IT supports their business by reducing costs or adding revenue and
profit. You will see more of this discussion in Chap. 8. These elements too are reviewed
by cloud type.
The three types of cloud adoption
we shall review are public, private and hybrid. As the latter is a combination
of the other two, it may be worth starting by examining the key differences
between typical public and private clouds (Table 2.1).
2.2 What Is Meant by Public Cloud?
The US National
Institute of Standards and Technology (NIST) suggests in a recent draft that
the definition of a public cloud is as follows:
The cloud infrastructure is made available to
the general public or a large industry group and is owned by an organisation
selling cloud services (Mell and Grance 2011).
The authors of this book believe that
‘the general public or a large industry group’ should be replaced with ‘the
general public or organisations’, as there is no evidence that industry groups
need to be of any particular size to adopt cloud computing. The key element
here is that services are offered by the resource owner (usually referred to as
the service provider) to anyone who wants to make use of that service. The
service can be any of IaaS, PaaS, SaaS and DaaS (see the previous chapter for
definitions). The service provider may charge, usually on a utility basis,
but sometimes on a termly basis, or may give the service for free and earn
revenue from other income streams, such as advertising.
Table 2.2 Services and estimated number of users of public clouds
| Provider | Estimated users (millions, as of 2010) |
|---|---|
| Hotmail | 330 |
| Yahoo | 302 |
| Gmail | 193 |
| Others | 200 |
2.2.1 Who Is Using Public Cloud?
The short answer is
millions of people!
Mail providers can be evasive about the size
of their user-base. Specialist email marketing site http://www.email-marketing-reports.com/ gathered some statistics that give us a feel for the
scale of the browser-based email usage. These figures are for the ‘big 3’,
and we can safely assume the other providers (such as Excite, AOL, Rediffmail)
will amount to >200 million. The dates for these figures are different but
all in or after 2010 as illustrated in Table 2.2.
Remember that our definition of
cloud services is that a provider owns the resources required to provide a
service (such as email) and rents this service to users on a pay-for-use basis.
This means there are already at least a billion users of cloud email services
worldwide.
We talk about the phenomenon of social
networks in the Social, Economic and Political Aspects chapter. Again, the
numbers using these services are over a billion. Many will also use email, but
nonetheless, when added to other free, privately focused services like image
storage and editing, drop boxes for file sharing and presentation tools like Prezi, there is little doubt that public
cloud-based services are here to stay. From the business perspective, however,
the view is different. As reported in Computerworld (Mearian 2011), some
research by TheInfoPro, a market research
firm, which approached 247 Fortune 1000 corporations showed that
87% of the respondents indicated that they had no
plans to use the public cloud for storage-as-a-service. Only 10% said that they
would use it.
We should also bear in mind that
this sort of large corporation will have been in business for many years and
will have invested heavily in IT infrastructure before the cloud existed. They
will already have in place their own processes based on internal systems. Heavy
investment in enterprise systems like ERP systems such as SAP or PeopleSoft,
and RDBMS like Oracle or DB2, not to mention the investment they will have had
to make in the specialist people needed to run these business processes, means
there is really very little need for them to look elsewhere for solutions.
There are, however, two exceptions to this general rule:
• The eternal search for efficiency and cost reduction
• When an innovative solution is only, or primarily, available from a service provider
We have also seen that security and ownership
of the data storage are big issues for all potential cloud users. Even if the
search for value leads a corporation to begin to use virtualisation to maximise
resource usage, they will often prefer to keep that transformation in-house to
keep a tight control of security. Set in this context, the indications that
large corporates are not racing to take up public cloud offerings are not
surprising. For such organisations, private or hybrid clouds may be more appealing
(see sections below).
For small-to-medium businesses (SMEs), the
argument for adopting public cloud appears a little easier to win. Especially
at the micro end, with fewer than ten employees, businesses are very unlikely to
be able to attain the sorts of economies of scale that the megacorporations can
achieve with their large-scale IT systems. However, if they, in effect, ‘club
together and share’, they can achieve significant economies of scale. The
fact that this collaboration is enabled by a for-profit service
provider is not consequential.
When you add to this the ease of
access to on-demand services which are paid for on a utility basis, the
argument is even stronger. If some service providers are to be believed, SMEs
need never employ an IT specialist again since all their business needs can be
made available after signing up and simply completing a series of online
questions which act as setup wizards for this application or the other.
Of course, life is not always that simple. Apart
from the ever-present concern about security (see below) being just as relevant
to SMEs as to large corporations, there is the age-old debate about whether
you should adapt your business processes to allow the use of off-the-shelf
software or keep your processes but have to build, or at least tailor, the
software. In terms of IT spend, the former is usually seen as the cheaper, but
if your processes are part of what gives you competitive advantage, you may be
willing to pay for the privilege of using unique software.
Most of these IT strategy-type
questions are not new. The control and specialisation which comes from in-house
IT solutions has always been balanced against the savings that can come from
off-the-shelf solutions. What is new to cloud, however, is that the cash-flow
improvement, at least in the short term, can be very significant as costs
become revenue rather than capital, spreading the load over years rather than
needing high-cost up-front payments.
The other advantage of the move to
pay-for-use is the flexibility that it gives a small firm. Should your business suddenly begin to
take off and you need more in the way of IT infrastructure and services, you
just pay more to your service provider. Conversely, if part of your business
fails, you can stop the IT costs immediately, as opposed to being left with
expensive servers doing nothing. Both ways seem to significantly reduce the
risks involved in an SME opting to use an IT service.
As usual with business decisions, the preferred
solution will be a balance of risks and expected benefits. For SMEs, the
balance may seem slightly more biased towards the benefits outweighing the
risks. However, every company will be different, and contextual issues like
company culture, national norms, sector best practice and government and legal
guidelines will all play important parts in the decision-making process.
2.2.2 Another Easy Win for SMEs
One area
traditionally less well attended to by smaller organisations is disaster
recovery (DR). Even backup and recovery strategies may be relatively
unsophisticated. An occasional tape backup stored in a fireproof safe may well keep a company’s
vital data safe, but recovering the data after, for
example, a catastrophic server failure, can take days as a new server is
purchased, commissioned and brought back to the state of its predecessor.
Major corporations have business
continuity plans that look to keep their core operations active with as little as
a few minutes between disaster and response. But they have to
pay—considerably—for this sort of service. For a multinational bank, for
example, this expense is almost a no-brain decision. They can’t afford to lose
the business that would occur whilst their systems were down.
For an SME, however, a DR plan
revolving around a multisite fully mirrored server solution can be seen as a
nice-to-have extra as the expense is high and what it buys may never be needed.
Cloud provides a small business with an easier, less costly way to run at least
two live data centres with automatic failover. This dramatically reduces mean
time to recovery (MTTR)—the time between system failures and recovery.
With the cloud, backup need never be to slow
tapes. It can be easily automated to happen without human intervention by
uploading backup data to a cloud data centre. A centre which will itself have
built-in redundancy, meaning you automatically get multiple copies of your
valuable data.
2.2.3 Who Is Providing Public Cloud Services?
Those who have
seen Larry Ellison’s 2009 tirade lampooning cloud computing as nothing other
than a hyperbole (see YouTube) may be surprised to see that Oracle now provide
pay-for-use services in the cloud (http://cloud.oracle.com).
Other corporates with long track records in
the IT arena also now have public cloud offerings and are joined by some newer
names. Just as examples, these well-known brands all offer some sort of cloud
service now: IBM, AT&T, Fujitsu, Microsoft, HP and Rackspace. And there are
many smaller, new market entrants too. Competition is already hot, which is a
good indicator that the cloud is well on its way to being accepted by the
market.
When we see that these different providers are
moving in the same immature market, we should perhaps be a little cautious
about predicting the future. Many examples exist of one brand of technology
winning out over others and not necessarily because of its excellence. Perhaps
the most famous marketing war like this was that between Sony’s Betamax and
JVC’s VHS video formats. The public chose VHS and Betamax died. But there were
many people who lost money by investing in Betamax before it declined.
The same thing could happen with
cloud. These providers of services do not currently abide by any universally
accepted standards. Getting tied into one provider is indeed a risk that needs
to be considered. There is a fuller review of interoperability issues in the
hybrid section.
2.2.4 Security: The Dreaded ‘S’ Word
As we will see in
the Cloud Security and Governance chapter, privacy and security are big
concerns for all potential users of cloud. All the anxieties that may be
expressed are most acute with public cloud, where the profitability of the
service provider is the key driver to all technology decisions. As Kaufman (2010) puts
it,
To achieve the gains afforded
through virtualisation, such providers are colocating virtual machines (VMs)
from disparate organisations on the same physical server. From a profit/loss
perspective, this matching seems to provide a win-win scenario for both the
user and service provider. However, this operational profile introduces a new
era of security concerns.
As we have said elsewhere, there
isn’t much new, in terms of technology, with cloud. There is no real reason why
cloud platforms should not be as secure as a traditional platform. Indeed, in
some cases, it may be more secure. For example, a server in a locked room may
not be as well protected as the Google data centres, as described in this
YouTube clip:
In these places, biometrics,
multi-checkin and log-in make access to hardware from outsiders virtually
impossible—probably far more secure than an average SME’s premises.
Of course, one of the aspects about public
cloud is that services are accessed through the Internet: an Internet that is
available worldwide to both friend and foe. This shared remote access model can
potentially allow cyberattacks. All this means that security can be an issue
with cloud, but there are issues with current IT infrastructures too.
The perception of insecurity is,
however, probably the biggest barrier to cloud adoption. For the
non-technically minded amongst business decision-makers, it is not difficult
to understand why they may be wary about parcelling up their valuable data and
giving it to another company to look after, instead of having it sit on a
server behind a locked door on their site. These doubts are compounded when you
explain that their data will be multi-tenanted, sharing the same physical
resources, perhaps, as their biggest competitor. How could that be seen as a
sensible move?
Nor is it just data that can be worrisome.
Even IT-literate decision-makers are likely to have grown up in an era when
modems went down, when Internet connections broke and when speed of
transmission plummeted. How can it be sensible to replace your reliably
performing single-purpose system connected to a few clients in a small LAN, all
under the control of your network team, with a barely understood worldwide web
of entangled connections? Why move ERP from in-house to in-Indonesia or some
other foreign domain?
It is not this book’s place to counter these concerns. The
major service providers will fight that
battle, but we do need to be aware that security can be a human problem, rather
than a technical one.
2.3 What Is Meant by Private Cloud?
The technology stack need be no different to that used
by service providers in public cloud solutions. The US National Institute of
Standards and Technology (NIST) suggests in a recent draft that the definition of private cloud is as follows:
The cloud infrastructure is operated solely for an
organisation. It may be managed by the organisation or a third party and may
exist on premise or off premise.
The key element here is that the resource
owner (known as the service provider in public cloud) is the organisation that
is using the services. The service can be any of IaaS, PaaS, SaaS and DaaS (see
earlier chapters for definitions), and there may be internal charging
mechanisms for these services, but they are not normally made available to
anyone outside of the organisation and are hidden behind a firewall.
2.3.1 Who Is Using Private Cloud?
Because of the
expense involved in creating multi-server operations, early adopters tend to be
large organisations with existing infrastructures that lend themselves to the
adoption of a cloud platform to increase server efficiency (and thus reduce
costs) and allow broader availability to systems within the organisation. We
must also remember that organisations have been using some of the building
blocks, such as virtualisation and SaaS, for years without calling it cloud.
There is an argument that private
cloud is not really that different to the ways large organisations typically
manage their infrastructures. Stand far enough away and the technology of a
large server farm making good use of virtualisation looks very similar to a
cloud. To make matters worse, the organisation doesn’t even get the advantages
of flexibility, which come from sharing
resources, nor do they benefit from the
move to revenue costing that is also one of cloud’s oft-trumpeted advantages.
Whether or not a move to a private
cloud will be beneficial to an organisation depends upon many things, but
their existing infrastructure is one of the key ones. A recent big spend in
modernising the company data centre can be an indicator that investing in cloud
is not an immediate need. If it is time to upgrade anyway, then perhaps
internal cloud is a solution worth reviewing.
Especially in the current economic conditions,
companies are looking at all their costs to see if they can run more efficiently. IT is no different to any other part of the business in this. Most big
organisations depend upon a set of core IT processes. The question being asked
is ‘are we paying too much for this service?’ and that question plays into the
hands of those arguing the benefits of cloud computing.
Gartner (2010) suggests that
… cloud computing has become more
material, because the challenges inherent in managing technology based on the
principles of previous eras — complex, custom, expensive solutions managed by
large in-house IT teams — have become greater, and the benefits of cloud
computing in addressing these challenges have matured to become more
appropriate and attractive to all types of enterprises.
The question on the lips of many larger
organisations’ CIOs will not be private versus public but rather legacy versus
private. The ability of a cloud infrastructure to flexibly move computing
resources to deal with spikes in workload means that cloud-based data centres
can run much more efficiently than existing ones, and that may be the biggest
single factor in the decision.
For organisations who have taken
the decision that cloud will be their preferred technology solution, the
question of public versus private is likely to force them to think about the
value of security to their business. Private allows, or at least seems to
allow, organisations to have greater control over their data. There are,
however, many more barriers to private since in-house expertise in
virtualisation and operations automation may not currently exist and will be
expensive to acquire. Moreover, a move to public cloud can happen much more
quickly and allows for maximum flexibility in resource management. The ultimate question, therefore, is likely
to be how much are we willing to spend to maintain control over our data?
A whole later chapter is reserved for further
investigation into enterprise cloud, and many of the issues which surround the
process of adopting a private cloud in a large organisation are covered there.
2.3.2 Who Is Supplying Private Cloud?
Most of the big
players are now fully committed to selling products or services badged as
cloud. Even Oracle, once more famous for laughing at cloud, sells cloud-related
services and products, mostly private cloud solutions. They say
Cloud computing promises to speed
application deployment, increase innovation, and lower costs, all while
increasing business agility. It also can transform the way we design, build,
and deliver applications....
IBM has been in cloud from very early days.
Lotus Notes has now become iNotes, and one prong of the IBM cloud marketing
campaigns is clearly aimed at public, with the catchy strapline of
Install nothing. Access everything.
But IBM clearly recognises the need for
private cloud too. They have a suite of underpinning technologies they call
SmartCloud Foundations which they describe as
an integrated set of technologies for enabling private and hybrid clouds, and the
virtualisation, automation and management of service delivery. SmartCloud
Foundation capabilities allow organisations to easily build and rapidly scale
private cloud environments. (http://www.ibm.com/cloud-computing/us/en/)
HP is a big player too, playing heavily on the
reputation for cloud to be rapid and flexible; they can deliver private cloud computing services within 30 days (http://www.hp.com/hpinfo/newsroom/press/2010/100830a.html).
On their website, their senior vice president and general manager, Technology
Services, HP, uses the concept of an ‘internal provider’:
To better serve the needs of their
enterprises, clients are asking us to help them become internal service
providers with the ability to deliver applications through a highly flexible
private cloud environment.
Citrix too has been in the market
since it really started. Their solutions also play on the speed of change
possible from cloud:
With CloudStack, customers can
quickly and easily build cloud services within their existing infrastructure
and start realizing the benefits of this transformative service delivery
model within minutes—without the overhead of integration, professional services
and complex deployment schedules.
An interesting development with
Citrix is their CloudBridge technology which tackles the perceived security
issues in public cloud head-on and seeks to help create secure hybrid
solutions:
Citrix CloudBridge lowers the risk
and reduces the effort and cost for enterprises to move production workloads to
the cloud by …. making the cloud provider network look like a natural extension
of the enterprise datacenter network.
As well as suppliers of hardware and software,
consultancies too are very much in the market for helping customers migrate to
a cloud solution. And it isn’t just Western companies who are pushing cloud.
TCS and Infosys in India, for example, are major global players.
Simply type ‘private cloud
supplier’ in a Google search, and (at the time of writing) 95 million hits are
reported. There can be no doubt that the cloud market is well and truly active!
2.4 What Is Meant by Hybrid Cloud?
NIST definition:
Hybrid cloud. The cloud
infrastructure is a composition of two or more clouds (private, community, or
public) that remain unique entities but are bound together by standardized or
proprietary technology that enables data and application portability (e.g., cloud
bursting for load balancing between clouds).
The key aspect is that hybrid includes some
mix of public and private cloud in a non-specified ratio.
2.4.1 Who Is Using Hybrid Cloud?
If an organisation has a steady and quantifiable use of IT resources, they are able
to adopt private cloud, gaining the benefits of efficiency and availability, without missing the other strength
of cloud—flexible scalability.
If, on the other hand, like many
organisations, they have spikes of activity, planned or not, then public
cloud’s ability to offer unlimited and immediate scalability on an occasional
basis may well appeal. Building your systems to cope with standard workloads
in-house and extend outwards when required should allow for the best of both worlds.
Sensitive systems can be kept entirely in-house if required.
Some e-commerce organisations can
adopt a hybrid approach to help with the activity associated with the front-end
during peak shopping periods whilst maintaining secure back-end services in
their own private cloud. This prevents them having to invest in many servers
which may be idle for long periods just to cope with occasional high loads.
The other likely driver towards a hybrid
approach is the organisation’s existing infrastructure and their IT strategy.
Hybrid may well be an interim approach which means that wholesale in-house
architectural changes do not need to happen immediately as some changes are
contracted out to service providers and some existing systems continue to
function. Interoperability between these different systems here is a key issue
(see below).
Another way that hybrid is likely to happen is
by accident. An organisation with its own private cloud platform for its main
systems may, for example, decide that Google’s Gmail email solution is the
right one for their organisation. The security risks with noncritical systems
like email will seem relatively minor, and the cost-effectiveness of such a
solution may attract many organisations. Part of their IT stack then becomes
private, part public—de facto a hybrid cloud solution.
2.4.2 What Are the Issues with Hybrid Cloud?
Whilst suppliers, such as Citrix and their
CloudBridge, will be keen to suggest that hybrid offers the best of both
private and public worlds, it is also arguable that it is the worst of both.
After all, as we saw in the private section above, one of the biggest drivers
for private solutions is the ability to control your own, independent data
centre for security reasons. Claybrook (2011) suggests
The challenges of building a bridge between private
and public clouds are real.
(http://www.computerworld.com/s/article/9217158/Cloud_interoperability_Problems_and_best_practices)
The report goes on to quote Joe Skorupa, a Gartner vice president, as saying
that
… users and cloud vendors are in
very different places on this issue [interoperability], and true cloud
interoperability will likely not occur for some time -- if ever. Standards are
nascent and will take years to fully develop.
The lack of standards is indeed likely to be a
major stumbling block when it comes to trying to pass data, which will usually
be encrypted, between different systems in a hybrid cloud solution. It is not
unusual in IT for technology to get so far ahead of standards. And in the
absence of standards, there is little reason for the various providers to
ensure ease of communications between themselves and other providers. Indeed,
the cynical amongst us may even think that these different approaches can help
tie in the customer to a provider.
The two key proprietary virtualisation
technologies (VMWare and Hyper-V) will be trying to keep their own customers
whilst also fighting off open-source alternatives in the PaaS area. As trust
is one of the likely decision factors for cloud platform providers’ customers,
some form of industry-wide standard is being actively sought. Unfortunately,
however, there are several agencies keen to seek to take the lead in this area.
At the time of writing, these included:
• IEEE, self-styled as ‘the world’s largest professional association advancing technology for humanity’
• Open Grid Forum
• Cloud Security Alliance
• NIST
All these agencies are themselves
liable to lobbying from the industry. This lobbying is generally for financial
reasons, but it is also true that individual providers naturally believe their
particular solutions are the best! It is unlikely that a truly global and
agreed standard will happen for a few years yet, so interoperability is likely
to remain one of the biggest barriers to hybrid adoption.
2.5 What Is Meant by Community Cloud?
NIST definition:
The cloud infrastructure is shared
by several organisations and supports a specific community that has shared
concerns (e.g., mission, security requirements, policy, and compliance
considerations). It may be managed by the organisations or a third party and
may exist on premise or off premise.
The key aspect here is that of
inter-organisational collaboration. Community cloud is just like a private
cloud except that several organisations share the responsibility for resourcing
the cloud, instead of just one.
2.5.1 Who Is Using Community Cloud?
Trust between companies operating in a competitive
marketplace is not a usual phenomenon, and so community is not a realistic
option for them. However, organisations which are about care and support have
naturally tended to help each other in the past. Charitable organisations, for
example, have been coming together to share all sorts of resources, including
IT.
One example is the International HIV/AIDS
Alliance which is a partnership for ‘… everyone who works with and for NGOs and
CBOs and is involved in community and health system strengthening worldwide’.
Whilst the political advantages which come
from small charities coming together as a single pressure group are their
raison d’être, the support provided by IT across the partnership can also be
important. Working with Cisco, the alliance has implemented an online
collaboration and SaaS platform.
Fig. 2.1 AIDS Alliance website home page (last accessed 22 May 2012)
The vision expressed by Sam McPherson,
associate director, International HIV/AIDS Alliance, is
We want to exploit the technology
available to us and truly become a collaborative organisation. By using the
full complement of WebEx solutions, we hope to move closer toward our vision of
a world in which people do not die of AIDS.
One major problem is that not all
third sector organisations are as forward thinking as the International
HIV/AIDS Alliance (Fig. 2.1). Many charitable organisations are small and
not cash rich and are therefore afraid of the costs associated with IT systems
(Maison 2011). In a recent survey of nearly 160 charities,
the Guardian found
Eight of 10 people said that
technology could help build the ‘big society’. Yet only one in three have the
time or confidence to try out new tools like cloud computing.
Other first movers in the area of community cloud are governmental
organisations. Sometimes the key driver here is the need, traditionally difficult to address with different organisations with disparate IT systems, to share
information. In the UK, for example, the police service is separated into
constabularies, and they have their own budgets and have met their information
system needs with different solutions. This can make sharing information about
a suspect difficult when they cross boundaries between constabularies. The
matter gets yet more complicated should the suspect be apprehended and taken to
court, as the court systems will also be different, not to mention prison
systems should they be found guilty.
In the USA, firms like IBM have
been quick to spot how they can offer a service to governmental organisations.
In a recent press release, they say
IBM has launched a new Federal
Community Cloud specifically designed to help federal government
organisations respond to technology requirements more quickly. The secure,
private cloud environment is part of IBM’s established and dedicated Federal
Data Centers (FDC) that provide secure and comprehensive certified computing
capabilities to federal government clients.
In the UK there is G-Cloud. This
is a government-funded initiative to gain the benefits that cloud can give
whilst attempting to save the public purse £200m/annum by 2014/2015: http://gcloud.civilservice.gov.uk/
The G-Cloud program is a cross-government initiative;
collaboration across departments, and throughout the public sector, being
encouraged and enabled by cloud.
Reported in the Guardian in January 2012 (Best 2012), Liam Maxwell, the UK
Cabinet Office’s director of ICT futures, foresees
“In two or three years’ time what
we now call IT, the delivery of those disaggregated services like hosting,
networking, end user devices, support, all of those, will become core commodity
services and will be bought ‘like stationery’”.
2.6 Which Cloud Model?
Of course, the answer
to the question ‘which type of cloud’ may well be none. Richard Stallman,
founder of GNU, argued that cloud was a trap in an article in the
Guardian (Johnson 2008). He argued
‘One reason you should not use web
applications to do your computing is that you lose control’, he said. ‘It’s just
as bad as using a proprietary program. Do your own computing on your own
computer with your copy of a freedom-respecting program. If you use a
proprietary program or somebody else’s web server, you’re defenceless. You’re
putty in the hands of whoever developed that software.’
Before 2010, there were many such
warning sirens. Larry Ellison, Oracle’s CEO and co-founder, is also famously
quoted as saying that cloud is ‘nonsense’. And yet, now, Oracle is a leading
player in cloud services to corporates.
If we examine the sales statistics
from the cloud service providers, there can be little doubt that many CIOs, IT
Managers and IT Consultants are now seriously
considering cloud platforms as one of their options when
looking at how to deliver their IT strategies. So, how do they decide which
cloud adoption model to use?
Fig. 2.2 Jericho Cloud Cube Model (2010)
We have identified already that cloud
security is seen as a major concern by many organisations. At least whilst the
platform is still quite new, many will adopt a ‘wait and see’
approach—especially if their existing infrastructure is adequate. Some, seeking
to gain some advantage from early adoption, may see the advantages of cloud but
still want to be cautious about how they look after their data and internal
systems. For them, probably starting with pilot projects to test the water,
private cloud may well seem more attractive.
The Jericho Forum proposed a framework
(Fig. 2.2; Opengroup 2010) which
is intended to help organisations find the most appropriate cloud
‘formations’ for their own particular business need. ‘Formations’ is a nice way
of describing the many alternative solutions available in a mix-and-match
environment. Every organisation is likely to be different.
The Forum describes itself as ‘…an
international IT security thought-leadership association dedicated to advancing
secure business in a global open-network environment’, so it is not surprising
to see that security figures highly in their proposed decision-making
process.
The cube usefully expresses the considerations
that need to be made when deciding which approach to take. The dimensions are
described below.
• Internal/external
here is the same as private/public clouds.
• Proprietary/open
is, as with other software, whether or not the software or platform is open
source or not. Also important in the cloud is how open the data standards
adopted by a supplier are. Really we are talking about how much tie-in the
supplier has over the customer, and whether that is an issue of concern or not.
• Perimeterised/de-perimeterised
is about where the IT services exist. If a company keeps all its data behind
a firewall within its own private
network, for example, we would call that perimeterised. The Jericho paper
interestingly refers to this as a mindset. This is very important as an
organisation’s culture will impact heavily upon their willingness to expose, or
not, their systems to external access.
• Insourced/outsourced
is about who does the work in the cloud. Entirely insourced means that the
organisation employs the people directly. The use of contractors or specialist
consultants allows control to be maintained within the organisation
whilst certain specialist skills are outsourced, often temporarily whilst
in-house staff gain the skills themselves.
This cube is an excellent start, but other
important factors in the decision about which cloud adoption model to select
are not covered but need reviewing.
2.6.1 Internal Factors
1. Existing infrastructure and IT portfolio. ‘If it ain’t broke, don’t fix it.’
Cloud has some potential benefits, but as with all new technologies, it has
risks too. If the organisation’s IT is delivering what it should, as well as it
should, then there is probably nothing for a CIO to do other than keep their
eye on the cloud space.
2. Capability. Rightly or wrongly, CIOs in
organisations with a long history of managing their own IT systems with their
own employees may feel that some of the marketing hype about the cloud’s
approachability and ease of use does not apply to them. Their CEOs and CFOs may
actually disagree if there is board level dissatisfaction with existing
internally supplied services.
Start-ups, on the other hand, will have none of these
prejudices. The ability to implement sophisticated enterprise-style systems
with no in-house expertise may well be seen as the single biggest reason for
opting into public cloud services.
3. Emphasis on costs. It may seem obvious
that companies will always look to run as efficiently as possible, but in a
time of economic hardship such as most of the world is enduring as we write, it
is the case that efficiencies are more aggressively sought. Cloud being new, we
have no real evidence as to whether it is truly a cheaper alternative long
term, but we do know that moving away from big capital expenditure IT projects
towards pay-for-use will move costs away from a company’s fixed assets and into revenue costs,
spreading the cash flow over many years
as it does so. This drive to efficiency can point towards public cloud where
the nature of the shared capacity leads to significantly more savings than
would private cloud.
4. Performance and scalability. Again, there are not enough studies carried
out to suggest how cloud performs in comparison to in-house client/server
technology. The most obvious point is that a reputable cloud provider will
always be running on high-performance equipment in order to enable them to
support many users.
However, how big a ‘slice’ of that platform a customer gets
is variable.
The other
aspect of this comparison is that a recently upgraded internal infrastructure
will perform better than an ageing one and will therefore be less likely to be
outshone by cloud. If performance is paramount to a business, the likelihood is
that they would adopt private cloud, where they can manage the performance
themselves and ensure that nothing can cause degradation.
It is probably true that a need for
scalability is a significant driver towards adopting cloud. If an
organisation understands its business well and it is relatively stable, it can
plan what capacity is required and purchase as and when required. Many
organisations, however, go through unexpected sharp up- and downturns in their
OLTP traffic in step with the business
performance. Not having to purchase extra capacity ‘just in case’ in such
circumstances can make public cloud more appealing.
2.6.2 External Factors
1. Publicly available bandwidth. Cloud
computing requires reliable, high-performance access to the Internet to work
effectively. In some luckier Western countries, this is not a problem with
almost country-wide broadband coverage. In other nations, however, the Internet
is only available through mobile telephones or private networks. Organisations
which have their own private networks in these countries will be able to decide
on a cloud adoption model as described elsewhere, but those with limited or
poorly performing access may be constrained to only using public cloud SaaS
options, such as email and document sharing.
2. The competition. It is the nature of a competitive market that
organisations will monitor what each other is doing. They need to ensure that
no-one steals a march in adopting some new technology that may give competitive
advantage. Sustainable competitive advantage in the IT arena is an impossible
dream as every advance can be replicated by the competition given time.
However, to not seek at least temporary advantage is, in actual fact, to allow
oneself to go backwards, as everyone else in the market will be looking for the
next new advance. Of course, caution is needed. Just blindly adopting an
approach because a competitor has it is a recipe for disaster. However, if your
major competitor suddenly starts using public cloud for some of their IT needs,
it may well be the case that you should at least review the potential
advantages to your organisation.
3. Suppliers’ and purchasers’ expectations. The balance of power between your
organisation and its customers on the one hand and its suppliers on the other
will impact your decision-making. When electronic data interchange (EDI) came
to the fore in the 1980s, it was seen by adopters as a cost-reducing technology
which would speed the order-to-delivery process. Typically the early adopters
were large companies in particular markets. The motor trade was one such
market, and early adopters were the big automobile manufacturers. In order to
ensure that their suppliers would adopt this new technology, some manufacturers
began to dictate that all their orders for parts would be delivered
electronically. In a market where the customer was king, this meant that part
manufacturers had to adopt EDI practices or else face bankruptcy.
Similar
pressures will begin to bear on companies dealing with organisations which are
using the public cloud to manage all or part of their own supply chain. In
those circumstances, the decision to use public cloud might be made for you by
default.
There are many other business reasons
for and against which model to adopt, and we investigate some more detailed
investment appraisal approaches in
Chap. 8.
2.7 Legal Aspects of Cloud Computing
The law about
cloud computing, because of the relative newness of the concept, is largely
uncertain, and, as is often the case in a rapidly moving field like IT, the
lawyers and legislators are having difficulty keeping up with the changes.
However, there are some elements that are clear.
2.7.1 A Worldwide Issue
In March 2010, in the USA, the ITIF president Robert D.
Atkinson said, ‘There is no way a law enacted at the dawn of the digital age
can guide law enforcement officials and protect privacy rights in an age of
cloud computing and the wireless Internet, and as billions of electronic
exchanges occur every hour’ (ITIF Press Release 2010).
One reason that cloud is going to be
problematic to law makers is born of its very essence—global, shared,
distributed and replicated data which may reside anywhere in the world. Several
of the leading players in the spread of cloud have formed a pressure group in
the USA to try and push legislators to recognise that current legal frameworks
are not cloud friendly. They are called the Digital Due Process
(DDP) group and their aim is to
…simplify, clarify, and unify the
ECPA [Electronic Communications Privacy Act] standards, providing stronger
privacy protections for communications and associated data in response to
changes in technology and new services and usage patterns, while preserving the
legal tools necessary for government agencies to enforce the laws, respond to
emergency circumstances and protect the public. (DDP Website 2011)
Naturally, when organisations like Amazon,
Facebook, Google and IBM (all fierce
competitors in the cloud market) can agree to come together to lobby
government, we can see that there is a lot of commercial interest in getting
the legislation changed. We are, however, still at the stage where we will have
to wait and see what the law makers do in response. This all sounds very
American, but we should acknowledge that in terms of cloud, where the USA goes,
so, often, follows Europe and the rest of the world. China is a noticeable
exception, having a massive internal market for cloud technology, but with its
own particular legal frameworks which do include filtering out certain cloud content before
it crosses into China.
Because of the inherently
international nature of cloud computing, commentators are suggesting that the
world needs international treaties to allow for the free movement of
information across borders, in the same way agreements protecting commercial
bank transfers between organisations in different nations allow the
globalisation of trade in goods.
Policing, too, is difficult when the
cybercrime is so international in nature. There are international agreements
already in place. The Budapest Convention, for example, allows police to access
servers in other countries. However, cybercriminals can move data and
applications from one server to another, across national boundaries, very
easily and quickly, which makes the work of the police extremely difficult.
This uncertainty is doubtless adding to the
perceived level of risk for organisations thinking of using the cloud. Compared
to current service-focused IT provision, they see cloud as less transparent and
may legitimately feel less protected by the law. Particularly when
organisations are talking about handing over vital or sensitive information to
service providers, their concerns are understandable. Moreover, even if the
service providers themselves do act as their customers wish, there have been
cases where governments and their legal systems have forced service providers
to hand over data stored in the cloud.
When this happens, there may
well be no impetus for the service provider to fight any subpoena as the
information is not theirs and they can blame the state for them having to pass
the data over. The legal position is made even trickier by the fact that the
law that exists, created in a different era, states that data handed over to a
third party in the normal course of business can be subpoenaed without notice.
What customers are doing with cloud service providers is passing data on to
third parties but for storage, not for sharing, as was the norm when the laws
were first couched (Gruenspecht 2010).
2.7.2 The Current Legal Framework for Cloud
The uncertainties
outlined in the above section may be one reason for an organisation being wary
of investing in the cloud. However, elsewhere in this book, we have seen its
many advantages, and as with all business decisions, organisations will just weigh
benefits against risk. Other players, such as governmental institutions, will
also provide input to the decision-making. In the EU, for example, the
Commission President indicated that he foresaw that digital commerce would be a
significant area of growth for Europe:
Half of European productivity growth over the
last 15 years was driven by information and communication technologies. This
trend is set to intensify. Our European Digital Agenda will deliver a single
digital market worth 4% of EU GDP by 2020 (Barroso 2010).
Many companies have already
committed to cloud. They will therefore need to work within the existing legal
framework. Uncertainty is not an excuse to ignore the laws that do exist.
Remember that one of the building
blocks of cloud, particularly the public aspects thereof, is the idea of
pooling resources and charging them out on a pay-for-use basis. The service
provider will typically offer certain guaranteed services, and the service
contract will usually include service-level agreements (SLAs). The guarantees
are usually expressed in measurable terms, some examples of which include:
• Availability of the service
• Minimum performance benchmarks
• Minimum help-desk response time
These SLAs are part of normal
contract law. The jurisdiction in which any legal disputes will be settled is
often stipulated within the SLA itself, but if it isn’t, determining the
appropriate jurisdiction can be a lengthy (and expensive) precursor to any
actual legal action. The question, in short, is the following: Which national,
or subnational, laws apply? Those of the providing company’s head office?
Those of the customer? Those of the location of the data centre? The safest
advice to give, therefore, is to ensure that jurisdiction is explicitly agreed
in the SLA.
2.7.3 Privacy and Security
As we cover in
the Security and Governance chapter of this book (Chap. 10), there is much for potential
cloud adopters to worry about in terms of privacy and security.
This section only covers the legal aspect of these concerns.
Until legislation specific to cloud
computing is forthcoming, both service providers and their customers need to
rely heavily on their SLAs to effectively deal with security risks, a process
that requires an element of trust from the customer perspective. Further to the
comments above about the EU putting cloud high on their economic policy agenda,
the EU has created a body called the European Network and Information Security
Agency (ENISA) to review and respond to cybersecurity issues within the
European Union. Its website says it is
… the ‘pace-setter’ for Information
Security in Europe, and a centre of expertise. The objective is to make ENISA’s
web site the European ‘hub’ for exchange of information, best practices and
knowledge in the field of Information
Security.
ENISA’s cloud computing risk assessment report
(http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment) states ‘loss of
governance’ as one of the biggest single risks for cloud adopters. The customer
passes responsibility for security to the service provider, who may not provide
adequate guarantees in their SLAs. Any adopter therefore needs to carry out a
risk assessment, perhaps as discussed in the ENISA report, and must ensure that
their privacy protection is built into the SLA.
Suppliers of cloud infrastructure
and services are not going to allow a perceived lack of security to prevent
them from maximising profits. If you Google ‘cloud security IBM’ and then
repeat for the major cloud players, you will see many pages on each site
dedicated to explaining the supplier’s security. And current security
specialists, too, have noticed how cloud is becoming important. McAfee recently
released its Cloud Security Platform, for example, and Symantec has its Symantec.Cloud.
But these are still all sales
pitches, and some caution needs to be taken. With the best will in the world,
businesses do not, and should not, blindly believe suppliers’ claims. Again,
until legislation catches up, it is the customers’ task to ensure that they
have contracts which ensure their data is secure and that services are
delivered as promised.
2.8 Summary
In this chapter,
we explored the different methods by which cloud computing can be adopted by
organisations and by individuals. The adoption types we examined were public,
private, hybrid and community. These terms will be used throughout this book
and are in wide usage in the computing arena and have become the de facto way
of describing the differing approaches. The ways that these are implemented
technically are explored in the next part of the book, whilst the business
aspects are explored in Part III.
We also analysed the way that these adoption
types may be used by different types of business, from small to enterprise
sized. We have a chapter in Part III which discusses large-scale enterprise
cloud in more detail.
One of the major difficulties
for organisations trying to decide whether to adopt cloud computing is which
model to adopt. We began to explore tools to assist in analysis of the major
factors and looked at the Jericho Cloud Cube Model. A more detailed review of
the financial and investment appraisal
issues is to be found in Chap. 8.
2.9 Review Questions
The answers to these
questions can be found in the text of this chapter.
1. List the types of service that are available from cloud providers today, being clear
that you understand the differences between them.
2. How might cloud be an easy solution for smaller businesses looking for business
continuity and disaster recovery?
3. What is meant by hybrid cloud?
4. Is a community cloud a public or private cloud solution? Or both? Or is it something
else?
5. Why is the policing of cloud seen as problematic for many law makers?
2.10 Extended Study Activities
These activities
require you to research beyond the contents of the book and can be tackled
individually or as a discussion group.
2.10.1 Discussion Topic 1
What factors are
suitable for inclusion in an SLA between cloud provider and customer? You
should not only review the factors themselves but also decide on their relative
importance and how they might be measured and monitored. You should also
consider what the likely impact of requiring extremely demanding levels would
be on cost.
We saw that SLAs are key for
organisations in terms of ensuring satisfactory levels of service from
providers. Some of the more obvious factors are around performance and
availability. ‘Five 9s’ is industry-speak for as available as possible and means
that a system is up and running 99.999% of the time. However, availability
levels set so high are extremely expensive to enable, as the provider will need
many layers of redundancy built into their offering.
Measurement too can be a problem. The
organisation may have in mind that performance can be measured in terms of
user-click-to-returned dataset times. But for cloud applications, the timings
can be out of the provider’s hands since much will depend upon local Internet
speeds and connections.
2.10.2 Discussion Topic 2
Many commentators see hybrid as the likely model for
cloud adoption in the long term, allowing companies to use the best of both
public and private platforms. In an era when many applications are built with
data sharing built in, you should explore the significant challenges that
will be faced by organisations with mixed public–private application
portfolios.
When attempting this question, you should look
to see what standards are in place for cloud computing. If you advise your
organisation to use Salesforce CRM, for example, what pressure does that put on
other organisational systems in terms of preventing needless data duplication?
Is there a threat that cloud could actually result in more siloed data and less
sharing?
References
Barroso, J.M.D.: State of the Union 2010 Strasbourg, 7 Sept 2010. http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/10/411 (2010). Last accessed 22 May 2012
Best, J.: G-Cloud will lead to shorter contracts and IT ‘bought like stationery’. Guardian Professional, Thursday 26 Jan 2012. http://www.guardian.co.uk/government-computing-network/2012/jan/26/gcloud-contracts-liam-maxwell-procurement (2012)
Claybrook, W.: Cloud interoperability: problems and best practices. ComputerWorld, June 2011. http://www.computerworld.com/s/article/9217158/Cloud_interoperability_Problems_and_best_practices (2011)
DDP Website: http://digitaldueprocess.org ; specific page: http://digitaldueprocess.org/index.cfm?objectid=99629E40-2551-11DF-8E02000C296BA163 (2011)
Gartner, Inc.: Gartner Says Worldwide Cloud Services Market to Surpass $68 Billion in 2010. Gartner press release, Stamford, 22 June, 2010. http://www.gartner.com/it/page.jsp?id=1389313 (2010)
Gruenspecht, J.: “Reasonable” grand jury subpoenas: asking for information in the age of big data. Harv. J. Law Technol. 24(2), 543–562 (2010). http://jolt.law.harvard.edu/articles/pdf/v24/24HarvJLTech543.pdf
ITIF Press Release: ITIF Calls for Updates to Privacy Laws, 30 Mar, 2010. http://www.itif.org/pressrelease/itif-calls-updates-privacy-laws (2010). Last accessed 22 May 2012
Johnson, R.: Cloud computing is a trap, warns GNU founder Richard Stallman, guardian.co.uk, Monday 29 Sept 2008. http://www.guardian.co.uk/technology/2008/sep/29/cloud.computing.
Kaufman, L.M.: Can public-cloud security meet its unique challenges? IEEE J. Security Priv. 8(4), 55–57 (2010). ISSN: 1540–7993
Li, A., Yang, X., Kandula, S., Zhang, M.: Comparing public cloud providers. IEEE Internet Comput. 15(2), 50–53 (2010)
Maison, A.: How charities could save money by getting on ‘the cloud’. Guardian Professional, Wednesday 1 June 2011. http://www.guardian.co.uk/voluntary-sector-network/2011/jun/01/charities-save-money-cloud (2011). Last accessed 22 May 2012
Mearian, L.: Fortune 1000 firms shun public cloud storage. ComputerWorld, May 2011. http://www.computerworld.com/s/article/356680/Survey_Big_Firms_Shunning_Public_Cloud_Storage (2011). Last accessed 22 May 2012
Mell, P., Grance, T.: The NIST Definition of Cloud Computing, NIST Special Publication 800–145 (Draft). Recommendations of the National Institute of Standards and Technology. http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf (2011). Last accessed 22 May 2012
Opengroup: Cloud Cube Model - Selecting Cloud Formations for Secure Collaboration April 2009, The Jericho Forum, a Forum of The Open Group. Available online from: https://collaboration.
Vaquero, L.M., Rodero-Merino, L., Caceres, J.: A break in the clouds: towards a cloud definition. ACM Comput. Commun. Rev. 39(1), 50–55 (2009). doi: 10.1145/1496091.1496100. ISSN: 0146–4833