Home > Cloud computing > The top 3 showstoppers of cloud computing – and an unexpected one

The top 3 showstoppers of cloud computing – and an unexpected one

private mess

Photo by jworth

Cloud computing is the hot buzzword of the day and is currently at the very the top of the hype cycle. I do believe that there is more to the cloud than that hype, meaning that some companies could benefit greatly from cloud computing. In spite of the hype and those real opportunities that the cloud brings, some things may stop companies from actually adopting cloud computing.

Below I will briefly describe what I believe to be the three most common showstoppers, plus one that I stumbled upon and – quite frankly – was a little surprised to learn about.

Trusting the cloud provider

We (that is humans) have a tendency to trust ourselves more than we trust others. We like to hold the steering wheel by ourselves. We can be intimidated and scared when we are not in control. Consider flying in a commercial aeroplane: The flight captain makes a living out of flying. She has great education and training. Statistics tells us that flying is way safer than driving a car. We have a tencendy to feel that doing something by ourselves is safer, but in reality we can create a tremendous mess. When we think about how somebody else performs a task we also have a tendency to compare that to how we would be able to do it given an abundance of time, money and other resources – and that is unrealistic most of the time.

The fact that cloud provider is a relatively new service is bound to reduce the trust further. Many cloud platforms are immature, despite the fact that they are built upon more mature technologies and products. At most the cloud providers have been running their cloud based services for a few years. This will definitely be a warning sign for companies that shy away from adopting new technology.

One way to increase the trust is to have the provider sign a contract that would give you as a consumer a very large economic compensation should something go amiss. It may seem to be a good idea, but would make contracts with cloud providers much more difficult to agree upon. Also, with the prescence of such a contract and in the event of an incident, the provider may have to pay up large sums of money – maybe so large sums of money that they will be bancrupt. And then you will be without a cloud provider, even if the provider didn’t let you down. If you are able to negotiate this kind of agreement you can be sure that others have too.

Legal issues

If you live (like I do) outside of US where most of the big cloud vendors work, legal issues may be more difficult to handle when comparing cloud computing to regular hosting. This has to do with the fact that regular hosting can be confined within one country, whilst cloud computing is often international. Some kind of information comes with legal demands that it must be saved and stored say within the borders of EU, or even within the borders of one specific country. Even if you do not have to take such regulations in mind you may want to think about legal issues anyway.
Some laws in the hosting companys country may apply for the information that we store in their servers, even if the actual servers are located in our own country. One example is the Patriot act. The Patriot act demands US government access to information upon suspicion of terrorism, and may affect data that is stored in Europe by a European customer if the cloud provider is a US company. It is important to notice the word may here. To know for sure somebody needs to

  1. Store data in the cloud using a cloud provider from another country or continent.
  2. A law, e.g. the patriot act, must be waived.
  3. There must be a dispute that is not resolved through negotiations.
  4. The courts will decide what laws apply.

Until something like this happens we simply do not know. To make matters worse laws change. To keep up with how laws change in one country may be difficult. To keep track of and adapt to complex international law is not to be underestimated. Some initiatives, like the safe harbor framework, aim to reduce these insecurities.

Convoluted enterprise architecture

Companies that have little or no enterprise architecture (that is they do not have a fair amount of control over their information, processes and existing services and applications) will find the adoption of cloud computing to be very troublesome. In order to do that they need to literally rip out parts of their existing system landscape and / or open up parts of their existing landscape and then do complex integration efforts. Integration is no easy task, and with a convoluted enterprise archtecture the task is extremely difficult, time consuming and costly. Sometimes you may get away without complex integration, but security will stop you. A lot of companies have invested time and money in creating a Single-Sign-On solution. It may be a very big challenge to extend that Single-Sign-On into the cloud. Not extending it to the cloud would lead to extra efforts in managing access rights, with the added risk of making mistakes and thereby compromising security. Sadly, too few companies have a Federated Identity solution in place today and that will be a great showstopper. SOA may help companies be better prepared for the cloud, but most companies that I have heard about are very far away from the taget state of SOA.

The unexpected showstopper is OPEX

Elasticity can be described as the ability to rapidly scale out to unprecedented demand without big up-front investments, plus the ability to save money when scaling in. Elasticity and pay-per-use are the most important selling points for cloud computing. A consequence of elasticity is that expenses are moved from CAPEX (Capital Expenditure) to OPEX (Operational Expenditure). It should come as no surprise that some companies would prefer to spend some capital up front, (that is investing in hardware and software, to be able to save money in the long run) while others prefer to pay as they go and thereby reduce risks as well as the need for capital up front.

A conversation that I had revealed another way to think about this that I hadn’t thought of before. A CIO claimed that he didn’t want to be in a situation where his superiors could tell him to cut his operational costs by reducing the amount of cloud resources he consumed. To him the fact that his services and applications were hosted in the cloud actually meant that the risk of loosing those resources was much higher than if he had invested capital to buy his own servers and software. I guess he is right. OPEX isn’t automatically better or safer than CAPEX. It all depends on how you see things and where you come from.

I guess it is true then: The CFO, not the CIO, will drive cloud adoption…

What do you consider to be the biggest showstopper? Please let me know!

[Thanks to Thomas Rischbeck for commenting on a daft of this post]

  1. Jens Roed Andersen
    2010/09/27 at 10:07

    I think that all the discussed areas are very valid when considering moving to the cloud, but my experience from one of the few companies’ in DK with a “proactive” attitude towards cloud computing is, that it is almost like a tsunami and I don’t think there is much point in trying to stop a tsunami. It is much better to go with and try to steer it clear of problems.
    As a security professional for many years I think that standards will be the way forward. Hence, I support the work of CSA and hopefully thay will be able to keep up with the pace of all the new cloud solutions popping up every week. Because this is basically driven by economies of scale and the CFO loves it. Legal implications or not, it will come (and it is already here now). I don’t think that the CAPEX/OPEX problem will be a showstopper, as the CFO does not distinguish very much in his planing and again, cloud is not driven from IT. The pressure comes from the LoB (so far I haven’t seen a single ckloud project originated from our IT organisation).
    I am in line with you when it comes to the main concern: EA. In this company we have invested millions in Identity and Access Management solutions and if we do not keep up a very strong governance on the EA side, these investments will be lost. But the architects need to be very visionary and openminded and most architects I have met are too hooked up with a specific technology or product. So there is defintely room for improvement there as well.

  2. Brad Buck
    2010/09/27 at 17:37

    I’ve heard all of these issues from enterprises looking to adopt cloud solutions. On the second point there are some solutions for extending single-sign on to the cloud. For now it would require some integration/customization, but I’d expect this area to mature quickly. You can find some of the vendors providing solutions at http://cloudtaxonomy.com under SaaS security and cloud software security.

    The point about economic damages is a tough one. With internal applications companies self-insure themselves since they can’t recoup damages from their internal groups. It will be difficult to get hosting providers to agree to such terms unless its a major deal.

  3. 2010/09/27 at 22:49

    @Jens: Interesting analogy comparing cloud adoption to a tsunami. I do think you are right. When the business sees the benefits of the cloud there is little IT can do to stop them. In fact, it IT attempts to stop them it will probably lead to a new wave of shadow IT – the business will use cloud solutions but IT will now nothing about it, until problems arise that IT must handle…

    @Brad: I guess it is true that tools for extending single-sign-on to the cloud will mature, but I’m not sure that will make the problem go away. In my experience there are quite a few homegrown SSO solutions out there. Extending a standardized SSO is very different from extending a home-grown SSO – it is way more troublesome and complex.

  4. Jens Roed Andersen
    2010/09/28 at 08:47

    I concur with your concerns on SSO solutions for the cloud, but my gutfeeling tells me it will be the way forward, although it might be a troublesome one. This morning my wife was logging on to all her cloud solutions (she has her own one woman consulting company) and when she got to Dropbox she couldn’t remember her PW and asked if there was an SSO solution for that underway. I think that also in this case standards should be promoted for the AAA problem, which I currently have seen none of the cloud providers solving in a global scale (local solutions yes).
    Anyone having any thoughts about this and SAML 2.0, openID and the like?

  5. 2010/10/13 at 23:51

    Hi Herbjörn, thanks for your view on showstoppers.

    What is still holding me back is the lack of trust towards Cloud Consultants (cloud cons). I sometimes visit those ‘free’ seminars where you are ‘inspired’ with the latest development on Cloud Bla Di Bla.

    When I hear talks about easily solving ‘silo problems’ and easily externalizing business logic and easily refactor existing monolythic code into loosely coupled components, well I don’t know, I sometimes think: am I getting retarded or are they simply lying.

    Until the marketplace (preferable by legislation like Basel II, Solvency II) will stop those cloud-cons to do their job, investors will get disapointed. You can almost predict a new version of ‘lipstick on a pig’ => ‘lipstick on a flying pig’ (but that is only for music lovers who like ‘pigs’ form Pink Floyd.

    Cheers, Giovanni

  6. 2010/10/14 at 08:08

    Thanks for your comment Giovanni. And you are right, there is no way cloud can possibly solve your architectural problems (e.g. silos). Instead, those problems must be solved for you to be able to adopt cloud computing. Cloud computing is all about making efficient use of IT resources. Although the architecture of cloud adopters will be affected by the cloud, cloud isn’t their architecture. To me this is an important distinction.

    • 2010/10/14 at 09:38

      So true. However, their might be a slight nuance regarding implementing non-functionals. I’m not a strong believer of implementing logging, authentication etc. within the real business logic of the component. A good friend of mine – Duncan Doyle – adviced me to use a framework for this; and I think he is absolutely right (preferable based on dependency injection).

      The same is true for implementing mediation. You would preferable implement this out of your service completely, but then, consumers will be able to by-pass the mediator (for all kinds of reasons; Anne Thomas had a rather funny anecdote on this last week, saving 20 ms…). So it would make sense implementing this also into your component (based on DI).

      But does it make sence then to invest (optimizing, maintaining) in such a framework when you could get those non-functionals ‘for free’ from your cloud-provider?

  7. 2010/10/15 at 08:52

    If you have on-premise solutions you need to solve your non-functional requirements locally. You have no choice but to invest (time and possibly money) and maintain such a solution. If you go cloud you need a solution that is suitable for the cloud. Some cloud providers have ready-made solutions for you, but you will not get them for free! In other cases you may need to fix it by yourself – even in the cloud. To quote Alla Liu: “None of the platforms have the kind of monitoring required to have a reasonable conversation about performance” (from http://www.scivisum.co.uk/blog/stress-testing-the-cloud/)

  1. 2010/09/27 at 09:14
  2. 2010/09/28 at 23:49

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: