There has been a lot of discussion regarding the readiness of cloud computing for enterprise applications, and concerns that users may buy into services that don't meet their needs. In "Enterprise Adoption of Cloud Computing - Or Not?", Ed Reynolds observed that cloud computing is entering the "trough of disillusionment" of the Gartner hype cycle. Many of the discussions focus on technical limitations and challenges. Some recent articles have raised business issues, for example, the series on The Case Against Cloud Computing and Above the Clouds: A Berkeley View of Cloud Computing. Here, I want to outline, as briefly as possible, what business clients should expect from cloud computing-the opportunities and the challenges-particularly for larger enterprises.
I have separated these expectations into "basic outsourcing issues" that are characteristic of conventional information technology outsourcing, and "cloud-specific issues." Cloud-specific issues reflect concerns arising from the use of a shared, distributed, computing and communications infrastructure that is accessed over the public Internet-a "public cloud." The envisioned cloud computing infrastructure, potentially a network of providers like the international telephone network, would be globally ubiquitous and capable of supporting a wide range of applications and clients.
Basic Outsourcing Issues
These basic issues are associated with conventional outsourcing of data processing services, but cloud computing alters many of these expectations to create new opportunities and challenges.
Vendor viability and trustworthiness. Clients must be confident in an outsourcing provider's viability and integrity as well as the ability to sustain an expected quality of service. Individual applications could be deployed to cloud computing as an expedient, without much attention to provider viability and trustworthiness. Since there is no capital investment for cloud computing, top management of client enterprises should anticipate that individual departments may deploy applications to different cloud providers. Thus, the existence of cloud computing may create new challenges for risk management.
Economies of scale. Outsourcing achieves economies of scale beyond what an enterprise could achieve on its own. Cloud computing is expected to greatly expand economies of scale as a result of more effective utilization of shared resources, both facilities and personnel, across multiple, client enterprises.
Secure environment for assets. Clients must rely on outsourcing providers to protect the business data and application assets that are placed in the hands of the provider. There are additional risks associated with cloud computing as a result of the expanded scope of distributed computing, sharing of resources and exposure to the public Internet.
Authorization and access control. Outsourcing providers typically provide administrative and technical services to support security authorization and access control for clients. In cloud computing, a client will likely have a greater administrative responsibility since the cloud provider will have many more clients and users to support. In addition, access controls must reflect greater exposure to the public Internet. Communications that would otherwise occur in secure environments will be performed over the Internet.
Business continuity. Outsourcing can improve backup capacity for business continuity through economies of scale and distributed computing. Cloud computing will provide dynamic failover so server failures may not even be noticeable. However, competition for resources with other clients may create different risks to availability in the event of a major infrastructure outage.
Data management services. Clients rely on outsourcing providers to manage the physical storage, redundant storage, recoverability, remote backup and archiving of data sufficient to survive operational errors and physical disasters. Similar services should be provided in cloud computing, but the changing physical location of data and backups may add complexity to coordination of updates and assurance that consistent and complete business records are always identifiable and accessible.
Problem resolution. Outsourcing providers are expected to provide technical support for resolving problems with client applications, and applications tend to run in "silos". In cloud computing, the distribution and mobility of applications, the interdependence of distributed applications and services as well as the number and diversity of clients and applications will increase technical complexity and prevent technicians from developing an understanding of individual client applications. In addition, due to application mobility, multiple applications could be affected before an infrastructure defect is recognized and isolated.
Performance assurance and accountability. In conventional computing environments, applications are associated with specific servers and typically interact with other applications and supporting services within the responsibility of one IT organization. Assurance of performance and accountability for poor service or failures is more complex when multiple vendors are involved. In cloud computing, the resources engaged may be continually changing and related applications and services may involve multiple infrastructure providers. Performance monitoring and accountability are both more challenging and more critical for rapid resolution of problems and re-allocation of resources.
Applications and services integration. In cloud computing, application integration of loosely coupled applications should be fundamentally the same as in conventional computing environments. However, in cloud computing, messages must be directed to dynamically relocated applications. Tight coupling of applications will require observation of additional constraints on application distribution to prevent performance degradation due to latency.
Reduced burden of IT infrastructure management. An outsourcing client transfers the burden of managing and maintaining technical infrastructure and support staff, but the client typically determines the reserve capacity provided to accommodate changes in demand. In cloud computing, the client no longer owns the reserve capacity, so the provider has the burden of anticipating and accommodating bursts in demand and outages.
Application development capabilities. Outsourcing providers typically support application technologies selected by the client. This enables clients to exploit the latest technologies for applications, but it also results in a proliferation of technologies and thus the need to maintain diverse technical expertise. In cloud computing, clients will be required to accept the technology of the cloud in order for the provider to optimize utilization and performance. This will limit technology proliferation enabling greater proficiency and leveraging of personnel, but application developers still will need to develop new skills to make effective use of cloud resources and anticipate the consequences of application mobility.
Change control. Outsourcing providers accept responsibility for orderly transitions and coordination of application and software versions. In cloud computing, clients may be required to take a more active role in change control, particularly for coordination of related applications. Integration across multiple cloud computing providers may increase change control complexity. In addition, back-out of a defective application to restore a previous version may become a client responsibility.
Political boundaries. Outsourcing providers must locate applications and data storage to accommodate legal restrictions on movement of data across political boundaries. Differences in government regulations could restrict where certain applications are executed. In cloud computing, these become constraints on the cloud provider's ability to optimize utilization of resources as well as options for disaster recovery facilities.
Ease of application deployment. Outsourcing providers often provide active support for configuration of equipment and deployment of new applications. Cloud computing providers will avoid any custom infrastructure in order to preserve flexibility, and will expect clients to manage deployment to the defined infrastructure. At the same time, clients should be insulated from concerns about the details of deployment as long as their application conforms to technical requirements of the infrastructure. In addition, clients will have higher expectations for cloud services, and will expect to use well-defined, automated processes to quickly deploy and use new applications.
Vendor independence. Applications and their data should be easily transferred to another service provider. While this is currently a concern for outsourcing, a change in outsourcing provider does not generally require a move to a different infrastructure. In cloud computing, a change in cloud provider will require a change of infrastructure. Ultimately, clients will expect to be able to move their applications to different cloud providers without modification, and cloud providers that require modification will be at a distinct competitive disadvantage. This should drive development of industry standards for virtual machines and user interface facilities.
Compensation for damages. Clients want compensation for lost business incurred as a result of service provider failures or violation of service agreements. This is true for outsourcing, but clients will expect cloud computing providers to take greater responsibility for level of service and continuity of service.
Indemnification. Clients want indemnification from liabilities incurred by the service provider-particularly violation of intellectual property rights. In cloud computing, clients will have little control and probably little awareness of the products and services used by the cloud provider and incorporated in their applications.
The following are additional expectations associated specifically with cloud computing. These issues may not affect all applications, but should be considered as part of the decision to use cloud computing and to select a service provider. Most of these will be relevant to mission-critical applications.
Capacity on demand. This is an expectation that there is no need for a client to maintain a reserve capacity for potential growth or peak demand. This is a major advantage expected from cloud computing, particularly for those applications that have significant peaks and valleys, or for enterprises that need to be able to scale up or down with minimal fixed cost or delay.
Converting capital expense to operating expense. The client should no longer need to be concerned about investments in IT facilities or replacements for infrastructure technology upgrades.
Certification or regulation. A cloud provider may take risks that are not visible to clients and might compete unfairly, putting large numbers of clients at risk. It is impractical for every client to perform due diligence on a globally distributed computing infrastructure, much of which they might never use. There should be independent assurance of reliability through certification or regulation. An example of this expectation is reported in Privacy Group to FTC: Google's Cloud is Unsafe.
Multi-tenant separation. In cloud computing, client applications share physical facilities introducing risks of exposure or competition for resources. Protection is no longer provided by firewalls and dedicated servers.
Identity management. In order to provide authorization and access control for thousands of clients and potentially millions of application users, cloud providers will need to de-proliferate identifiers and federate identity management with other providers. While a person may have different identifiers in different contexts (like different credit card numbers), identifiers may be passed by applications when they interact with other applications and use services of other enterprises, potentially running in different clouds.
Controlled latency. Clients will need assurance that geographic distribution and mobility of applications will not introduce unacceptable levels of latency in access to data or supporting services. Note that some exchanges may be infrequent but yet require limited latency. This requires consideration in application design and integration as well as specification and enforcement of constraints on deployment.
Level of service pricing. Clients will have different needs for levels of service. Providers will need to give clients choices of lesser levels of service at lower prices and higher levels of service at higher prices. Clients with lower levels of service will need to accept degradation of service when there is exceptional demand or a major loss of resources. Providers will need to define capacity limits and pricing for their ability to accommodate significant increases in demand, particularly with the introduction of large, enterprise applications.
Predictable costs. Billing for cloud computing must be based on usage since resources will be shared. Clients should be able to budget costs based on forecast usage requirements. At the same time, clients will need to be able to put limits on consumption where an internal user could exceed authorized levels or an application defect could result in an endless loop.
Application migration. Difficulty or expense in moving applications from conventional environments to cloud computing may be a significant barrier to adoption or a significant differentiator for cloud providers.
Infrastructure technology abstraction. Infrastructure technology should be engaged through an abstraction layer that minimizes coupling of applications to specific technologies. Upgrades to the infrastructure technology should seldom require upgrades to applications. While this is desired in conventional computing environments, it will be much more important for cloud computing. Cloud computing requires consistent technology to enable workload management, so any upgrade that requires modification of applications will likely affect many or all applications over which the cloud provider has no control. At the same time to remain competitive, there likely will be some technology roll-outs occurring all the time. Needs for application upgrades will increase operating cost and complexity as well as client costs, and will inhibit cloud optimization.
Cross-cloud interoperability. A client will likely have applications supported by different cloud providers and may have applications that use services of other companies that run in other cloud environments. Cloud providers should adhere to industry standards that will enable cross-cloud interoperability of applications and services including mashups. Providers should have consistent support for different user devices, and browsers, as well as other aspects of user interfaces.
Self-Service. Generally, automated, self-service can reduce costs and improve timeliness of many services to clients and users. Self-service will become essential for cloud providers who may have thousands of clients and millions of users with a wide range of different needs and expectations. Clients and users will expect automated, self-service interfaces to address most of their needs in a timely manner.
Testing environments. Clients need to test applications in production-like environments yet clearly separated from production. This may include enabling test applications to run in the cloud with selected, real users using their production access devices but isolated from production data and applications. Cloud providers should be able to accommodate testing in the cloud without specialized resources.
Usage-based software license fees. The cloud provider should be able to support multiple clients with access to shared, licensed software without clients being concerned about which or how many servers are executing the software or going through lengthy acquisition procedures. In general, license fees should be based on usage.
Client needs and expectations will vary. Potential cloud computing clients should consider what they need, what a service provider offers, what they are willing to pay, and the business implications of any capability gaps.
Google, Amazon and other early providers are at the forefront in the cloud computing marketplace, but it is important to understand the limitations on their commitments. The "Google Apps Premier Edition Agreement" and "Amazon Web Services (AWS) Customer Agreement" are examples of service offerings. "Amazon Web Services: Overview of Security Processes" provides some insights on security issues.