CloudCamp: Five key concerns raised about cloud computing

Aug 9, 2010 6:47 AM
Filed under Networking

Do you have the answers?

Some 100 attendees at the Cloud Camp in Sydney on Friday were prompted to pose their biggest concerns about the nascent market for discussion.

Even with the best minds in the local industry in the room, most questions were left unanswered.

So in true 'unconference' style, iTnews invites readers to pose some of their own answers to the industrys most commonly asked questions...

1. How do I know where my data is for regulation purposes?
2. Who is responsible for patching virtual servers rented in the cloud?
3. How do I know my cloud provider can scale?
4. How do I get my data back if my cloud provider goes broke?
5. What are the key due diligence points to look at when signing a contract with a cloud provider?

Feel free to provide your thoughts below...

CloudCamp: Five key concerns raised about cloud computing

7 comments in this discussion

"I think its a bit pathetic after all these years (yes, "cloud" has been around for years) that these questions are so hard to answer that a Cloud Camp session can't address them. They are ..."

By vcirrus

Tags

cloud, security, concerns, sovereignty, scale, latency, due, diligence

HP unveils pricing for Linux-only cloud beta

EU security agency issues cloud SLA checklist

Symantec plugs in second Australian data centre

Microsoft SkyDrive app to take on iCloud

Breaking Stories

Hackett steps down from Internode

ACCC approves Optus NBN deal

Australia shares $2bn Square Kilometre Array

RIM to cut 2000 jobs

NSW retains right to veto data centre co-tenants

Comments: 7

BrettWinterford Aug 9, 2010 10:04 AM	I’ll take first crack at this. 1. While we never think twice about the location of our data when we subscribe to a consumer-grade service (our webmail, for example), I don’t buy the theory that it “shouldn’t matter” where a business’ data is sitting. And neither do regulators. As discussed at Cloud Camp, public cloud providers are attempting to give users some peace of mind with the advent of ‘availability zones’ – rough geographic bounds in which specific data is located. This might work for a regulation that requires specific data to remain within the United States or within the EU, but it doesn’t particularly help in our region. Knowing your data is in ‘Asia Pac’ is hardly comforting from a regulatory perspective. I don’t think we’ll have an answer here in Australia until providers of sufficient scale can offer availability zones that don’t just promise data will be held within our national borders but even within given states and territories. 2. I’m going to cop out on this one and say – depends on the service you’re renting. On Amazon.com, I believe it’s up to you, on Azure, it’s up to Microsoft. I’ll check this question with some of the major providers and update. 3. This is an interesting one. The unfortunate thing about the domestic industry at the moment is that the smartest cloud services are being built by smaller hosting providers and software developers, not the big telcos and systems integrators (although they are fast playing catch-up). Arguably these smaller players are unlikely to offer the necessary scale for enterprise workloads. But do the big guys either? I know for a fact one the biggest systems integrators in Australia can only boast a few boxes in the corner of a data centre when it comes to infrastructure primed for cloud services. Until a big customer signs up on a rental model, that’s as much resource as the company is prepared to throw at it. I should also say that until the Amazon, Salesforce and [Microsoft] Azure are offering tours of their data centres, we can’t assume their Singapore-based compute stacks are that much bigger. I mean, we should assume on the basis of their customer lists, but maybe that’s the trick, eh? “Assumed” scale. There is simply no guarantee. As an enterprise customer I would demand to see the operation for myself. I don’t think it’s a lot to ask. 4. Whichever cloud computing service you subscribe to, it is vitally important that it has a highly automated function to back up data to a source of your choice at routine intervals. Beyond that, look for providers that build their services around such standards as ‘OpenStack’ to ensure some portability should you become unhappy with your current provider. 5. I am not going to pretend to be a lawyer. I’m going to track down somebody that provides this kind of advice for a living and get back to you. In the meantime, the obvious talking points for me would be various metrics around security plus a baseline of expectations around performance and availability. Further, I would want the contract to stipulate that the service provider cannot put up any technical or other barriers to shifting workloads off the service should the service not stack up.
kristofferjon Aug 9, 2010 11:37 AM	1. How do I know where my data is for regulation purposes? At this point of time the answer largely depends upon what type of cloud service you are using. With infrastructure as a service (IaaS) it is relatively easy, as most IaaS providers divide their service up into availability zones, typically by geographic region. In general, most providers guarantee to keep your data within that specific geographic region. 2. Who is responsible for patching virtual servers rented in the cloud? In general, with virtual servers rented in the cloud, or IaaS as its better known in the cloud space, patching of the virtual environment is a customer managed responsibility. Some IaaS providers also offer server management including patching services for an additional management fee. 3. How do I know my cloud provider can scale? This question has two dimensions, including the scalability of the business behind the cloud service, and the technology underpinning the cloud service. From a business perspective the service provider must implement efficient, scalable business processes, including automated collection of accounts owing, and automated customer on-boarding and provisioning. The service provider must also provide the required tools to enable customers to manage their own services, typically via a self service user portal. From a technology perspective the underlying technology must be designed for massive scalability from the outset. These systems must also be designed to be resilient to failure at the network, compute, storage, security and data center layers. A well designed system should exhibit close to linear scalability as the deployment footprint increases. 4. How do I get my data back if my cloud provider goes broke? This is a tricky question that is not really being well handled at this point of time by most providers. One way to mitigate this risk is to put in place an escrow system with the cloud service provider. This escrow system will set funds aside to enable a qualified third party organisation to recover data from the providers systems in case of a financial disaster. 5. What are the key due diligence points to look at when signing a contract with a cloud provider? In my mind, the key due diligence points include: 1. How long has the provider been focussed on the cloud computing market? 2. What service level agreement (SLA) does the provider offer? 3. What data security practices does the provider employ? 4. What backup and disaster recovery processes does the provider have in place? 5. Where are the services located and can the provider give a guarantee stating that data will be located within a specific region? 6. Can the provider be flexible enough to suit my specific business requirements? 7. Can I inspect the environment in detail (with non-disclosure agreement in place)? 8. Does the provider support and implement open standards? 9. Can I get my data back from the provider in case the relationship goes sour? 10. Does the provider demonstrate thought leadership in the cloud computing space? Kristoffer Sheather
BrettWinterford Aug 9, 2010 12:46 PM	@Kris thanks for your input - particularly interested in the escrow system. Will look into it further. ta b.
richard.rendell Aug 9, 2010 1:47 PM	Brett, I'd be happy to discuss the concepts and products in cloud insurance and escrow services Kris is referring to. DM on twitter @RichardRendell.
walteradamson Aug 9, 2010 6:31 PM	I'm confused as to whether the attendees and the questions are from the end-user, the IT group of the end user, or a service prover to the end customer. So I'm assuming the end user buyer. In which case I'd say: 1. Ask the provider. 2. If you're buying platform as a service then the provider for sure, otherwise check the terms and conditions. 3. If you're buying from someone with less than $500 million invested in each computing centre then don't, if you are, then the question is answered. Check Youtube to see the 100,000+ servers and the $500m to $1b the global cloud providers have in each of their centres. 4. Good question, but are these guys above likely to go broke before you? 5. SLA, scale-up scale-down flexibility, no-lockin commercials, max bandwidth response time and commercial implications of surge usage, platform roadmap assurance in relation to your business plans, migration options at end of contract or on demand. Walter Adamson @g2m http://xeesm.com/walter
BrettWinterford Aug 9, 2010 6:38 PM	@Walter, you are right, its the end user, and thanks for your input, especially on the due diligence points.
vcirrus Aug 10, 2010 8:44 AM	I think its a bit pathetic after all these years (yes, "cloud" has been around for years) that these questions are so hard to answer that a Cloud Camp session can't address them. They are important questions that are fundamental to the experience. The biggest issue with cloud computing is the name has been hijacked by anyone that needs to refresh their product and the confusion created by this has thrown the audience for a spin that hasn't stopped. The second issue is that cloud has such a vague and extensible definition that every question has at least three answers. It is much healthier to be talking about each of the XaaS services than cloud as a whole. What applies to Infrastructure (IaaS) is often completely irrelevant to what applies to Software (SaaS) and Platform (PaaS). So my 2c worth on the questions ... 1. How do I know where my data is for regulation purposes? Ask your providers, check their agreements, ping the servers and generally pray (if you care). This is where local cloud providers are valuable. The big boys (Google, Microsoft, Amazon, etc) are always going to struggle to find value in Australia. There will always be a niche for Australian providers to service their Australian customers better. Housing their customers data at home is expensive and you should expect to pay a premium for this pleasure but it is a price worth paying. 2. Who is responsible for patching virtual servers rented in the cloud? When it comes to the operating system, with IaaS there is no difference between a cloud server and a virtual server in your data center or office. It is your responsibility to look after your server or pay someone else to do it. This is what you want out of an infrastructure provider - to be left alone to run your servers how you want. The IaaS provider looks after the infrastructure (the hardware and the environment) and you look after your software. If you want a more managed service then you need to move up the chain. The higher up the chain the more managed the service. Platform as a service providers will usually take up the management of the operating system and some underlying technology and you need to manage your own code. Software as a service providers will usually take up the management of all the software and you are somewhat responsible only for your data (and yes, if you can, back up your own data!) 3. How do I know my cloud provider can scale? You can't and don't until they fail. But honestly, think about why you care. Are you worried they will get too big for their own capabilities? That's where the ability to move to another provider (no vendor lock-in) comes in. Are you worried you will outgrow your provider? I don't think so. Focus on the things that are important to you. Location, customer support, stability, services, etc. 4. How do I get my data back if my cloud provider goes broke? That's no different with any data center or software provider and its hard. The trick is to not have too much data! IaaS - keep copies offsite or with another provider PaaS - in the end PaaS is very dangerous as it locks you in to one provider. I prefer to wait for the day PaaS is standardised or use some middleware to allow you to shift providers. SaaS - only use providers that will export your data in a standard usable format 5. What are the key due diligence points to look at when signing a contract with a cloud provider? This is too hard to answer for all cloud providers and all customers. Focus on the things that are important to you. Look for a provider that matches your requirements and profile and make sure the contract reflects that (and the sales pitch). In most cases an SLA is not worth the paper it is written on - a $50 refund is not going to recover the 10 customers that walk away after every outage. Talk to a consultant with experience! Good cloud is great, valuable and refreshing. Bad cloud is hell. My thoughts ... Aron Steg @vcirrus http://www.vcirrus.com.au