I find cloud computing conference chatter, concerns and presentations an interesting phenomenon. For the past five years, the No. 1 concern cited about cloud computing at conferences has been security—and it's probably going to continue for the foreseeable future as the No. 1 concern. It is, as I noted to one colleague, like living through Bill Murray's Groundhog Day. Every conference features the same discussions, the same solutions, the same sage nodding about the need to "address this and make users more comfortable."
The recent Cloud Expo was no different. It seemed like every presentation, keynote and conversation paid deference to the issue of security. However, I took a different tack—focusing on the revolution in user (i.e., developer) expectations made possible by cloud computing with a presentation on The Democratization of IT (summarized in this blog post.
I found myself reflecting on this unending focus on security. How is it—despite the intense interest in this topic, the many vendors in the cloud security sector and the endless presentations at conferences on the subject—that we don't seem to have moved beyond people citing concerns on the subject and on to actually establishing mitigation measures and best practices? It's like Waiting for Godot—and, just as in the play, despite all the talk, it never arrives.
Cloud Security Can Improve Enterprise Security
You might be tempted to conclude that potential users have examined security and cloud computing and realized that the security problem is intractable, therefore meaning that adopting cloud computing is unthinkable. Consequently, you might add, the continuing presence of the topic at cloud conferences reflects the inherently insecure nature of cloud computing.
I'm skeptical about that, however. I think it's unlikely that IT organizations have evaluated cloud computing and, after careful consideration, realized it has security flaws that just cannot be addressed. I'm particularly skeptical that security is so important a topic that it would keep IT organizations from adopting cloud computing despite their manifest interest in doing so.
Security, with respect to IT, is often cited, but it never seems to actually guide IT decisions. After all, this is an industry that eagerly embraced Microsoft Windows (and, more troublingly, Windows Server) despite its notorious insecurity.
I doubt that security is such an important topic that figuring it out—or deciding, after thorough examination, that it cannot be solved— accounts for the manifest reluctance of IT organizations to embrace public cloud computing.
For many organizations and users, public cloud computing actually represents a huge step upward in security. I recently talked to the CEO of a small healthcare SaaS provider called Healthonomy, which leverages Amazon Web Services to achieve HIPAA compliance. Using AWS made this possible, because it's unlikely that this tiny company, should it use its own data center or a colocation facility, could afford to implement the infrastructure requirements necessary to achieve HIPAA compliance, the CEO says. Moreover, he adds, Amazon's security was enormously better than the "PC under someone's desk" situation typical of Healthonomy's small-practice physician customers.
Real Cloud Battle Isn't Security, It's Developer Productivity
The Groundhog Day nature of the discussion indicates to me that the security concern is comprised of two elements.
First, there's a reluctance to rely on an outside provider because of a suspicion that, should an external cloud provider suffer some kind of security problem, IT would be blamed, even if it was the provider's responsibility. Unless and until a sign from on high (a document or policy from someone, somewhere) declares that IT is completely off the hook with regard to the provider's security, IT employees will continue to voice security concerns.
I wrote about these cloud adoption concerns three months ago, and all I'll add at this point is that the sign is never going to appear. Relying on an outside provider inevitably exposes one to risk; the key question is whether the benefits outweigh the risk.
Second, there's an instinctive preference for a private cloud solution and a corresponding holding pattern until the private cloud can be implemented. If enough reservations (or FUD, to put it bluntly) can be raised about cloud computing, then enough time can be bought to allow a private cloud to be stood up.
I can understand something as instinctual as the belief that only something implemented by and under the control of IT can be trusted.
Here's the thing, though: The battle about how to do cloud computing is not going to be fought over security. The battle is going to be about how well a given cloud environment helps users—which in this case is developers—to do their job. The most important cloud adoption criterion isn't security; rather, it's how well a given cloud environment supports the following dimensions of developer agility:
- Getting started quickly. How long it takes to get an account established so a developer can get going on a project?
- Ease of use. How easy it is to obtain development resources?
- Automation. How well does the cloud environment implement or encapsulate policy so no manual effort is required during the resource provisioning process?
- Low cost. How inexpensively are resources provided?
- Cost transparency. How comprehensible, and how directly tied to consumption, are the charges for resources?
- Richness of ecosystem. How many, and how convenient to access, are the services that make assembling and developing new applications easy?
Any option provided to developers has to be at parity with the best public cloud offerings with respect to these dimensions. Providing a less-functional alternative is an invitation to developers to bypass the "approved" option.
I don't expect the tenor of cloud conferences to change any time soon. Security will continue to be a bugaboo, and the tone and content of the conversations will, unfortunately, continue to be state-of-the-art for 2009.
The bigger issue for those who continue to focus on this topic is whether the exercise will be rendered moot as those using the cloud ignore the discussion and get on with their jobs. The pace of cloud adoption is, if anything, accelerating, and failing to recognize that fact is, in effect, encouraging shadow IT. This is not a time for protracted deliberation. To quote the late, great football coach, George Allen, "the future is now."
Bernard Golden is the vice president of Enterprise Solutions for enStratus Networks, a cloud management software company. He is the author of three books on virtualization and cloud computing, including Virtualization for Dummies. Follow Bernard Golden on Twitter @bernardgolden.