The Case Against Cloud Computing: Conclusion

CIO.com's Bernard Golden has picked apart the arguments against cloud computing. Cloud's not perfect yet, but make no mistake, he says: When security and productivity come into conflict, productivity always prevails.

Quick, what is the biggest knock against cloud computing? Is it the difficulty of migrating existing applications? Is it the legal, regulatory, and business risk posed by using external computing power outside of a company's own data center? Is it the lack of SLAs available from cloud providers? Is it the fact that cloud TCO is purported to be higher than running systems internally? Or is the lack of traditional system management tools for cloud applications?

Read the Whole Case Against Cloud Computing Series

Part One: Migrating Apps

Part Two: Managing Risk

Part Three: Meeting SLAs

Part Four: TCO

Part Five: Managing The Cloud

Conclusion

In previous posts, I discussed each of these barriers to enterprise adoption of cloud computing. For each of them, I noted that the situation is not nearly as bleak as portrayed by people who bring these issues up. For example, with respect to the lack of SLAs, I noted that some cloud providers are providing SLAs. I also discussed the fact that many SLAs offered by non-cloud service providers (e.g., outsourcers) aren't really very effective—they don't guarantee uptime; rather, they provide for penalties if (when?) the provider fails to deliver the agreed-upon uptime. Moreover, the penalties are typically quite constrained, usually limited to a refund of the service provider's fee for the period of time for which service is unavailable. In other words, the SLA penalty doesn't cover the user's business losses, it just covers the cost of provider's service. So denying the potential of cloud computing by asserting its SLA shortcomings is a rationalization, not a reason.

Each of the items I covered can be looked at from the same perspective. Examined with a non-judgmental eye, each has ways it can be mitigated. Certainly none is an insurmountable barrier.

Interestingly, it seems many readers interpreted my pieces as truly negative about cloud computing—that is, that I agreed that each of the barriers was a complete roadblock to cloud use. I received a number of comments that showed that the reader had not fully read (or perhaps comprehended) my posts. On the other hand, there were a number of comments that reinforced the perspective that cloud computing is not "ready for prime-time."

That's not really surprising. Any time there is a sea change in technology, many people criticize the new technology as lacking certain key features. I remember hearing similar statements as the Internet wave crashed down upon IT. "You're going to let outsiders access your systems? That's crazy." "The bandwidth is insufficient for any real applications to run." "It isn't secure enough." "You can't find people with the right skills." And by the standards of the prevous generation of technology, these observations had some truth to them. In the early days, Internet security practices were inconsistent and incomplete. However, in many respects the existing solutions weren't really demonstrably better in the areas being criticized, and definitely had shortcomings of their own.

This process goes on today. I just read a posting that someone put up yesterday on a cloud computing forum, criticizing virtualization:

"Operating systems have security policy and enforcements. The hypervisor is invisible to the operating system, let alone client applications. A modern operating system, properly administrated, can prevent intrusions. No operating system running under an hypervisor can prevent or detect a breach of hypervisor security, particularly if the breach is on the part of a duly authorized employee of the data center."

That statement is true; however, it posits an alternative (a properly administered operating system) that is often, if not typically, non-existent. Many data centers fail to follow best practices with respect to administration, patch management, application update, and so on. And the experience of a number of users with attacks against their properly administered operating system is that vulnerabilities exist nonetheless. From my perspective, I'd rather live with the vulnerabilities potentially present in a small footprint hypervisor than those present in an operating system comprising millions of lines of code and containing hundreds of applications that are poorly maintained and rarely updated.

Therefore, it's understandable that reservations are voiced about cloud computing. It's even understandable that some of the criticisms are stated as absolute and unacceptable. These kind of criticisms are typical of those leveled against nascent technologies like cloud computing. New technologies are often not fully built out. They lack functionality. Key corner use cases are not thought through until encountered in real-world situations, posing operational shortcomings in the immediate present and hurry-up refresh releases to be distributed. By definition, a new technology is not as complete as the existing incumbent alternative.

Over time, however, the innovative technology is improved to address the issues that are present. With respect to hypervisor security, for example, I heard at this week's Xen Summit (the gathering of interested developers and users of the open source Xen hypervisor) that introspection APIs are being introduced to provide just the kind of security monitoring that enables enforcement of a security policy.

What these kind of criticisms fail to understand, though, is there are reasons that people are willing to endure the shortcomings of the technology—and the reasons have to do with the manifest benefits delivered by the new offering. With respect to virtualization, turning back to our example, there has been enormous uptake—despite issues like that outlined in the quote above. And that's because the technology offers undeniable financial payback—higher utilization, lower energy use, and better application availability. The benefits are so large that IT organizations have been willing—eager, even—to tolerate the challenges that accompany the technology.

So the bigger issue is whether the benefits of cloud computing are significant enough to outweigh the current shortcomings—and remember, the evaluation must take into account the shortcomings of the current solution as well. The enthusiasm shown for cloud computing indicates that people are tired of what's in place today. Storage requirements are exploding. Despite the march of Moore's Law, it seems just as much is spent on hardware as ever—because more and more compute power is required as processing needs and application sprawl increases. The scale and density of networks constantly grows. And managing all the complexity is ever more challenging. As one friend of mine puts it: every year you need 35 percent more servers to meet processing requirements, but the population of people interested in working as sys admins stays pretty much flat. This is not a recipe for long-term data center success. That explains why cloud computing has so quickly fired people's imaginations.

Certainly it appears that many players in the IT industry are convinced of cloud computing's benefits. Major vendors like IBM, HP, and Microsoft are poised to invest billions of dollars in it. That says that they've made their assessments and concluded this represents—if not the future—at the very least a significant portion of the future.

Does that mean the issues people bring up with regard to cloud computing don't exist or are irrelevant? Not at all. Every one of them is valid to some degree—but none of them is absolute. And measured against the positive outcomes of the technology, each of them will be addressed or tolerated. To offer one example of how this will look going forward, when queried about the security of cloud computing at the recent IBM/Juniper announcement, Juniper Infrastructure Products Senior VP Manoj Leelanivas responded "Throughout my career, I've seen that when security and productivity come into conflict, productivity always prevails." In other words, the industry will embrace cloud computing despite its drawbacks.

The prudent course of action, therefore, is to acknowledge the issues present in cloud computing and still press ahead, identifying scenarios where it can be applied to achieve maximum payoff with minimum risk. Noting problems and using them as a reason for inaction is not a winning program in today's world. Standing pat means being left behind.

Copyright © 2009 IDG Communications, Inc.

Security vs. innovation: IT's trickiest balancing act