Security

Ninety percent still don't trust the cloud

Amazon Chief Technology Officer Werner Vogels broadly outlines the benefits of a cloud-based infrastructure. Are you ready to jump on the cloud bandwagon?

At the Supernova Conference in San Francisco, Amazon Chief Technology Officer Werner Vogels broadly outlines the benefits of a cloud-based infrastructure. In the video clip, he says Web services offer businesses four distinct advantages:

  1. Lower costs (both capital and operational)
  2. Reduced time to market (as the provisioning of IT resources ceases to be a barrier)
  3. Increased security (using cloud services that are more secure than those you could build on your own)
  4. Better scalability

I agree with all of Vogels' assertions about the cloud, except Number 3. Yes, some businesses with limited IT resources will find cloud solutions to be more secure than those they could build in-house. However, the cloud has yet to prove it can meet the security requirements of many organizations. Take HP, for example.

In a previous post, I wrote about HP CEO Mark Hurd's cloud comments during the 2009 Gartner Symposium/ITxpo in Orlando, FL. He talked about how the company plans to layer cloud services on its infrastructure in the future. However, with more than 1,000 hacks a day, security makes it important to differentiate what the company puts in public versus private clouds. "We wouldn't put anything material in nature outside the firewall," Hurd said. (Note: HP markets its own Cloud Assure solution.)

At the time, I asked TechRepublic members whether they trusted current security measures enough to place "material information" in a cloud outside their firewall. As the following chart shows, over 90 percent of those who responded said "No".

Ninety percent don't trust the cloud

Although the number of respondents to the poll was relatively small (162), it seems Amazon, HP, and other cloud service providers still have a long way to go before a majority of IT professionals are convinced that the cloud is as secure as, if not more so than, their in-house systems. What do you think?

About

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

75 comments
ScarF

Mr. Vogels looks to be a nice person, but he can take his cloud and shove it.

jck

Hm. You assume:

- I can't/don't know how to virtualize.
- That I need to change careers because of it.
- That 100% data security is not achievable.

So, here's answers for you.

- I set up virtualizations on both Windows and Unix/Linux boxes when needed. With the advent of Windows 7, it is now a requirement for applications testing to my XP user base (rather than keeping 2 machines in my office and making it an oven in here), as well as setting up multiple VMs on servers for server-side testing.
- My career is not server-type dependent. I write applications for my regular work, and do PC building/maintenance/training on the side. I don't need to worry about "the cloud" for my job.
- There are systems in really dark, unfrequented places in various installations that have never had a data leak in 30 years of operations. 100% security is achievable, as long as you aren't sending anything outside your site that can be scooped up at the right point with a server-side listening daemon or doing promiscuous mode on a broadcast network.

The cloud will never provide you the same security as keeping all your data networks, servers, and applications in-house where you can control all access to them. BTW, I know a major software corporation who a while back had an off-shoot cloud center they own lose data for 10,000s of smartphone customers and crippled them for weeks. So, what should I trust again about cloud computing? Why is it so great? What advantage does it offer in secure computing to any potential client with sensitive data? I don't see the big deal about it. It seems to me like just another harebrained scheme by corporates to "streamline" only to find out later it was not as cost-effective and had poorer system maintenance results. Save a penny now. Pay a dollar later. Real smart business. Sounds like 1998 all over again.

Osiyo53

Chuckle, the truth is that the so-called "cloud" can probably find a market with some sorts of businesses for some sorts of services. How much of a market? I wouldn't even hazard a guess. What I do know is that more than a few customers we do business with, and the company for whom I work, would be very unlikely to trust "cloud services" with information that they consider critical and confidential, no matter how many assurances they got from such a service provider as to the tightness of their security, reliability and redundancy of the systems, etc. Heck, I have customers I service who've demanded that I undergo numerous background checks, get security clearances, etc. Who STILL, when I go onto their sites watch me like a hawk, prohibit me from entering certain areas or doing certain things without specific authorization and permission at each such occurrence. Some provide an escort (watchdog) who is with me every moment I'm there. And I must record and report on everything I touch or do, in detail. Others aren't quite so tight. But do the background checks and specifically state that we can only send specific people, previously cleared and approved, to their sites. Then there is the question of system failure events and prompt response to take corrective actions. With several of our customers, they not only maintain in-house staff, spare parts, backups, etc. They have specific service contracts with us that entail performance guarantees. i.e. That within 2 hours of a call, 24/7/365, we'll have someone ... qualified and familiar with their systems ... ENROUTE to their site. And that we maintain certain spare parts, loaner equipment, system backups, and so forth. Those service contracts are quite specific. And there is no waffling about it or the making of excuses. In fact, when the call comes in, dispatch goes to the first name on the list of authorized and qualified responders. 
And if that person does not respond in the affirmative within 15 minutes, the next on the list is pulled up and contact attempted. Etc. Before the 2 hours is up, the senior execs and our CEO are getting calls. Chuckle, in short, before that 2 hours is up, even if it's 2 a.m. on a holiday, it's likely half the company is awake and on the road to find out WTF. It has happened before. I can remember just such an incident. Dispatch had gone through the list of the "on call" people. Then stepped things up so that senior managers were woken up. One such gave dispatch my name. I was not on call, nor familiar with that specific customer or his site, but the manager figured I was capable of handling whatever. Would just need to get hold of our records and files, etc. so I'd have something to work with when I got to the customer site. So he told dispatch to instruct me to stop by our office first to download all that, plus toss whatever parts and tools into my vehicle I thought I might need. When I got to the office, at oh-dark-thirty, the place was lit up like a Christmas tree. People falling all over themselves to brief me on this customer, their site and installation, etc. Department head, vice presidents, even the CEO was there. Plus a couple engineers. And even the warehouse manager who'd unlocked everything and told me to grab whatever and GO ... we'd take care of the paperwork later. LOL ... by the time I got to the customer site the CEO and that customer's account manager/salesman were there playing damage control, assuring customer's rep that a qualified person was on the way and would be there in minutes. Things worked out fine. Took me a bit to get oriented as to exactly what they had, then to take a look and estimate the most likely problem. Then had to have a guy show me where a darn piece of equipment was (I had no clue, had never been in that building). I replaced the failed equipment from a spare I'd tossed in my vehicle. 
Reprogramming and configuration wasn't a problem since I had all our "as-builts" which included digital copies of the relevant software and settings. My point is, if you're just another customer, among thousands, or 10's of thousands, or whatever the number might be that is being serviced by one of these cloud services providers, who use as one of their lures to get your business that they can do things cheaper than you could get by with doing it in-house or by using a local service provider. Just what are the odds that they're going to have on hand at any particular moment enough staff and the other resources needed to provide prompt attention to YOUR specific problems when the inevitable SH*T HITS THE FAN situation arises? After all, you're gonna be just one of many, and maybe not even that important in the overall big picture. Picture your cable TV service going on the blitz, and you call your cable service provider and get that stupid computer generated voice which tells you that your call is noted and that they know your name and account from the phone number via caller ID. "Be assured, we'll have someone checking on your problem as soon as possible. But you'll have to wait your turn." Maybe that's not good enough for you so you listen further waiting for the darn thing to tell you which number to press to talk to a live person. Once you get that info and punch in the number, you get yet another computer voice saying, "Sorry, all our service reps are currently busy, please hold and someone will take your call as soon as possible. Beep ... currently your estimated waiting time to talk to a live representative is 45 minutes. We appreciate your business, please continue to hold." ROFLMAO. BTDT, more than a few times. I HATE IVR systems, with a passion. The problem with those mega-sized services is that for the most part any one customer is treated much like just another ant amidst an ant-hill full of ants. 
Now, having issues with my cable service provider at home, is simply a nuisance. Annoying, but not any big deal. But if I am a business, and some "glitch" occurs with my cloud service provider that essentially brings my business to a dead halt until they get whatever squared away. That's a whole different matter. And if I then make a phone call, or try to log in onto their "complaint desk" web site just to find out they're overwhelmed because 10,000 other ants are calling them at the same time ... I'm not gonna be a happy camper. Add that such mega cloud services ... sure look like fat, tempting targets to me if I were someone who might like to raise havoc by whatever means.

AV .

Virus protection and spam filtering are better than doing it in-house, but I wouldn't deploy any critical applications in the cloud. I'm sure the data would be available, but it's stored offsite. Many businesses aren't comfortable with that idea. If you store your data in the cloud, you have to allow for depending on your vendor for access. AV

santeewelding

In a place far, far away -- an Indian railway station -- in which I saw the clerk see me coming. He continued with his busywork while I, the only person in the place, stood waiting. After he ostentatiously finished stamping several pieces of paperwork with his official stamp, he looked up at me. "Your appearance, you know," in his lilting Indian English, "is objectionable." Face it: I was a traveling hippy, and railroads, railway travel, and railroad functionaries were a big thing in India. Still are, far as I nowadays gather. He stood between me and a ticket. He was a functionary of their cloud.

AV .

Similar, yes, but in your example you get to deal with the ticket man in person, on demand. With the cloud, lots of time goes by before a problem is resolved. Time is money. If my Exchange server crashes, I can fix the problem before I will even receive a response from my cloud vendor. That's the benefit of having in-house staff and equipment. AV

jck

I have to disagree, herlizness. When a business finds no benefit from a provider, vendor or supplier, it is not required because of "market acceptance" or "trends" or anything else to belittle its bottom-line to appease the masses. Hence when technology can be kept in-house at a reduced cost, business will tend to fall to the side of cost-effectiveness rather than social acceptance. Cloud is a trend at this point, because it is not a de facto standard of operation in the computing world. At this point (especially with Intel's recent announcement of 48-core processing on a wafer), I see no benefit short- or long-term for most businesses to pursue off-site computing. The average commercial broadband account for small-business needs is currently somewhere between $800 and $1400 per year. Add this to the cost of setup, monthly billing (more accounts payable work to do, especially if you will bill internal customers for their split of the cloud), etc., you are looking at more overhead added to process internally, as well as the cost of setup and use of the cloud, plus bandwidth to facilitate access to the cloud. In addition, your likelihood of communications conduit breakdown to a cloud service provider is far more likely than that of it breaking down in-house. I don't see it as a good option for most business. If anything, it will become a niche business suited to either being off-shored/outsourced massive datacenters for people like Verizon, Microsoft, etc., or it will be a facility used by the very small business who doesn't know about things like Linux and OpenOffice and will pay for computing service from the cloud for online-based instances of things such as MS Office, etc. Remember, the cloud is being pushed mostly by Microsoft and the father of "software as a service"/.NET (formerly known as Hailstorm), Steve Ballmer. 
And if he gets his way and the profits he wants, he'll bash, coerce, bribe, and strong-arm everyone he can into adopting cloud...just to propagate his business model even further.

Osiyo53

ROFLMAO !!! Very good, counselor. I see you've been practicing your skills. Quoting a single part of what I wrote and basing some of your argument upon that without using the entire context of what I was saying and trying to communicate. Let's back up and try again. I started out by stating: "the truth is that the so-called "cloud" can probably find a market with some sorts of businesses for some sorts of services." Then went on to say that I wouldn't even hazard a guess as to how much of a market there is for cloud services. I made that particular point because in fact I would not claim to be omniscient about the needs, demands, and unique requirements of every sort of business that MIGHT, or MIGHT NOT realize benefits from utilizing cloud services in part or in whole. And I broke my crystal ball a couple months ago. So I can't refer to that. Then I went on to address that FACT, not supposition nor assumption, that I have more than a few business customers who're unlikely to trust "cloud services" with information they consider critical and confidential. I suppose I should have added the qualifier, "as of this time." It is fact, because we've discussed this very issue between us. And they've engaged in researching and evaluating such services offered by certain providers and have, so far, as of this time, found them lacking as concerns being able to adequately address all of THESE customers' concerns. In the areas of data they consider CRITICAL and CONFIDENTIAL. Now, I suppose it is possible that a lawyer, presumably a member of the Bar, by virtue of his or her past laudable accomplishments and publicly recognized achievements, is more knowledgeable about the subject of the particular needs and special requirements of these businesses, successful and quite profitable businesses BTW, than their own professional staff members and hired consultants. Or, maybe not. Who knows? I surely don't. 
Just how much systems and network engineering does a legal student get in law school these days? Advanced math of the kind useful in the modeling and prediction of the real world performance of a particular, complex, network architecture and the various demands that might be made upon it by Business A? Now as concerns that bit of historical perspective, as you call it. FWIW, I started out many years ago studying engineering. As part of the required curriculum at the college I was attending, was this subject called "The History of Engineering and Technology". Among other topics studied and reviewed in that course was, of course, the subject of the development and spread of electrical power plants, distribution grids, etc. As of 100 years ago the major "road block" to the widespread utilization and acceptance of centralized large electrical power production plants and their distribution grids as we have them now, was NOT what you assert. It was the very pragmatic, studied and considered, realization that the technology of the time was not up to the task and demands. Something you'd undoubtedly know on almost an instinctive level without having to have it pointed out to you if you actually understood the science and technology required to implement such power plants and how they really work. In that time frame, the ONLY significantly large electrical power plants (mega-watt range) were hydro-electric. And there are only a relatively few places where those were feasible given the terribly inefficient water turbines of the time. Internal combustion engine power (gasoline and diesel) were laughably small and underpowered by today's standards for such usage. And not terribly efficient or reliable. Steam power plants were also quite limited, tho available in much higher horse-power ratings than was the case for internal combustion engines. But not nearly up to the power requirements for modern generating stations. 
This is not to mention such things as infrastructure items. The efficient means to get coal or oil out of the ground in truly massive quantities, refine it, then transport it to the locations it was needed did not exist. The needs for such a large distribution grid for copper would've exceeded the entire copper production, at the time, of the world. The technology and techniques of dealing with the high voltages needed to somewhat efficiently transmit electrical energy over many, many miles of transmission lines did not exist. So on and so forth. I could go on for some time on the subject. The very real answer is that it took many years before large, centralized electrical generating plants became a more efficient and affordable option than smaller, local ones. In some cases, smaller local plants are still the better answer. There is no ONE SOLUTION fits all needs and situations. The right answer is only achieved by breaking out pencil and paper, or your calculator, and doing the math after first subjecting the issue to fact finding and scientific analysis. And in order to do that properly, one must be able to do more than quote something one has read, you really need to UNDERSTAND all the factors and science involved. There is a difference. In my daily work I frequently and routinely have to deal with folks who have a superficial knowledge of scientific, engineering, and technical subjects, but who come to erroneous conclusions because they don't have a true understanding of those subjects. This is NOT a criticism of you. I have only a cursory knowledge of law. A couple of courses in Business Law, and a few in criminal law (at one point in my life I became a police officer for a while). Plus a course in International Law, just basic familiarization, because that was a required subject during my career in the Navy. What I DON'T know about law, would fill a good sized library. What you evidently don't know about engineering, science, and technology ... 
might also well fill a library. You're a lawyer, I'm an engineer. So it is only to be expected. In any event, as concerns the subject of cloud computing. I am under no impression that it does not have its valid applications and usefulness. But does it fit all needs and requirements of all businesses? Certainly not. Might it at some future point? Maybe. I am not "new technology adverse" by any means. I make a living by designing, installing, and implementing new technology that is beyond the knowledge and skill level of the customers I serve. And ... I'm an old fart. Being an old fart, BTW, also means that over the years I've seen a great many things that were lauded and proclaimed to be the "Next new wave of technology that EVERYONE will want and have to have." Which turned out to be no such thing. Or which had its brief moment of fame and usage. Just to be made irrelevant within a very few years by some change in events, technology, or whatever. Sometimes, the newest, latest, and greatest simply went by the wayside because it solved a problem that most folks discovered they didn't really have in the first place. Or they had the problem but it was not such a nuisance and burden that the offered solution was worth what it cost. On more than a few occasions in history, solutions to some problem have been offered before their time, and fell into that black hole of obscurity. Until such later time that both the perceived NEED for that solution increased adequately to support the business of providing it, and the technology matured to the point that the cost of the solution and its reliability was considered reasonable by those who might need it. As of right now, given the current state of the art technology, the in place infrastructure, and so forth I have numerous customers that are NOT satisfied that "cloud computing" fits all THEIR needs and requirements. Maybe in the future. Who knows? But not right now.

santeewelding

And lawyers are committed in norm to status quo. You ain't. Thank you. Now, about that commensurate staff...

herlizness

> a bit of historical perspective: 100 years ago companies said all the same things about third-party, centrally-provisioned ELECTRICITY ... so they kept generating their own, essentially for all of the same reasons you advance as a compelling rationale for in-house provisioning of IT services ... until they realized that it was FAR more economically efficient to contract with the likes of Con Edison and other early players in the power business. As it did back then, it may take anywhere between 10 and 30 years ... BUT, you will see computational power, storage, etc delivered and billed as a utility. As is the case now with electric power, here and there you'll find a business with highly specialized needs still "growing their own" or augmenting their capacity with bespoke systems for backup, emergency, and so on .. but it will be less than 1% of businesses. Think about the process and forget THAT WORD ... "cloud" ... it's not a fad, it's not going away .. and the earth is not flat.

AV .

I've been a Net Admin at several mid-sized law firms for 20 years. Most law firms of our size and smaller still have typewriters, secretaries and cotton content letterhead. They depend on in-house IT staff or trusted consultants that are supervised when they visit. Law firms maintain some old-fashioned technology because the courts demand it. You must believe everything you read about the cloud, but I've used it for two years. It has some serious drawbacks/issues. It isn't necessarily related to the competence of the techs, it's the cloud environment itself. When Google does a system upgrade or maintenance, which is fairly often, we're affected. We experience mail problems such as too much spam getting through, mail being quarantined erroneously, mail outages, deleted attachments by aggressive filtering, etc. We didn't have that when we handled spam in-house. The only thing I can do when I experience these problems is to log a support call and try to make use of the very basic troubleshooting tools they give you. You can't touch your data. That's a problem. The support you get is spotty and problems take too long to resolve. This is just our spam filter. What if it was our firm billing system? If you think that just because techs work for a cloud vendor they are the most competent, you are naive or have never worked in tech support. I'm not impressed with the cloud, but I'm a tech and not a lawyer. AV

santeewelding

In what capacities and in what numbers? If this held for all clients of the vendor, would the vendor withdraw commensurate numbers of its own staff? A zoo?

jck

if the judge presiding is at all technically savvy is just say... "Why don't you have an onsite tape backup??" In near- and long-term, 1 1.6TB tape backup system has a lower TCO even in the short term, and has enough space to hold more than the amount of documentation you could put on it, unless you're going to insist on 2400 dpi imaging. And, swapping a tape at 7pm before leaving the office is cheaper than paying the cloud provider for their service and the commercial high speed dataline you have to keep in your office to keep access to your "cloud". Cloud services has limited, realistic use. It is not the cure-all for all sectors as someone has led you to believe. Besides, the minute that any encryption is to have a known hack and someone like Chase-Manhattan, BoA, et al., don't patch it and lose SSNs and people get identities stolen, you will see a LOT of class action suits. I bet BoA and Chase won't make the wager that computing off-site is worth $10Ms in risk of compensatory damages as well as litigation expense. It's cheaper for them long-term to keep their own server farms, employ a dozen server people or so for a decade, and pay to have exclusive data conduits...than have to pay out one major class action suit. Of course, most courts let businesses slide. Especially DE courts, which is all the credit card banks are there. Either way, we all get it in the pooch.

NickNielsen

Your provider has ceased operating completely. Now what? Do you have an alternate plan or source? The problem is that cloud computing is the current hot topic and buzz-word, just like thin computing was several years ago. This will induce the profit-takers who don't worry about ethics to jump in and get theirs while the getting is good. Those are the cloud providers I worry about. They will not have reasonable security, they will not have good document management, and they sure as h3ll won't care about their customers as long as they get the money. There has already been one high-profile cloud failure. All it will take is one or two more and the cloud will disperse, allowing us to once again see clearly.

NickNielsen

"I'm sorry, Your Honor, but I can't comply with your order because my cloud provider has declared bankruptcy and I can't access my files."

herlizness

> yes, they will, when your competitors start eating your lunch because they can offer the same services or products at better prices with better margins ... if your company is one of those rare birds with no real competition I guess you can do whatever you want for so long as you want ... but that's not the norm. If you haven't done so yet, you really need to read Nick Carr's "The Big Switch: Rewiring the World, From Edison to Google". I'm a lawyer and I've been watching the technology progression for well over 20 years now in a technology-backwards profession/business ... all the old guard over the years have said: they'd never give up their secretaries/typewriters and Crane's high-cotton letterhead, they'd never use email for client communications, they'd never put documents on a laptop, they'd never outsource their professional work product .... it's a long list and they've been wrong on every "never" they've uttered and they'll be wrong on the ones they continue to issue; when the economic realities hit home, behavior changes. If your real message is that companies should be careful about new technologies, I could not agree more; I counsel it every day of the week to intellectual property clients, who are **very** sensitive about the security of their documents ... but I think before long we will all be telling authors, composers and inventors that they are running too much of a risk if they DON'T put the management of notes, logs, sketches, licensing agreements and related documents into the hands of the most competent people in the field and that they're not going to get the assistance of those people by running ads for IT personnel on Dice and Monster and having resumes screened by fresh-faced recruiters right out of college who think keyword matches are what hiring is all about.

herlizness

I was referring to the vendor site ...

AV .

My spam/virus filtering is handled by Google. It works generally well for that application, but some spam problems take several days for them to resolve. The quality of their support depends on the tech you happen to get. Some are good, some not so much. Where I work, the data and equipment are local, not remote. My company would never allow their documents to be housed in the cloud. We have third-party vendors that come in to work on our servers in a supervised environment, but the data and equipment remain on site. Security concerns about who has access to your data is a major concern. Also, every time your cloud vendor does an upgrade to their system there could be problems for you. That has been my experience with Google. AV

herlizness

> and suppose the "cloud vendor" has better tech staff than you do? I have no idea what the predicate is for all of these assumptions and am beginning to wonder how many people base their assessments on experiences they may have had with $5.95/month web hosting companies. Data is distributed and local/remote for everyone these days, from home users to the largest enterprise on earth .. the question is not whether you're going to rely on third parties in the chain; you are now and you will continue to do so ... the question is who you choose to rely on, for what services, and the conditions of contract you elect to create. In any case, I don't see why I have to "fly blind" in a vendor relationship ... there's no reason why you can't arrange to have your own payrolled employee on site if that makes you more comfortable.

boxfiddler

likely means rain, or snow if it's cold enough.

jck

Intel ran a prototype 48-core processor. When you can implement your own infrastructure and server farm in a room directly under your control in a single box, why pay to have increased downtime and less direct control?

Sparticus_123

My surprise is that 10% do trust the Cloud.

rumbletumym

It's early days - 10% seems about right to me. I think it could be higher as time goes on. Nearly 100% of people trust their electricity supply to be within certain tolerances and reliability; those that need more assurance enhance it with extra technology. The same idea can apply to a 'cloud' provider. The client can use legal tools and technical controls to decrease the chance of betrayal.

Webbywarehouse

That is my point. Now the cost of licensing is what kills me. We have looked at migrating to MySQL from MS SQL, but because I depend on the really smart people to tell me the best technology solutions, I just have to go with their suggestion that MS SQL is simply the gold standard - they tell me that data integrity is a certainty with MS but is less so with MySQL for the types of transactions and numbers we are doing. That and replication services they tell me are far better with MS SQL. So it comes down to cost, licensing for all my desktops, SQL, and other assets costs me a bundle. If I were to transfer all my data and processing outside what would that cost? It would not reduce the number of desktops I have. It would not reduce the number of printing, scanning, and faxing stations I have. It would not reduce the numbers of emails I send and receive. It would not reduce the speed at which I need to create and store and retrieve data (sometimes files several megs in size). But it would increase the risk of my employees not being able to do their jobs due to ANY disruption in the connection to my data. That scares the hell out of me. When an employee is updating a record, there could be corruption or data loss if there is any problem with our connection to the Internet. What about the dozens of switches my data goes through, the fact it is routed god knows where and that each route could present a potential for data loss due to a communication problem - a problem on the net. I understand that there are probably smarter people than I with fast answers but look at it from my point of view - two minutes of no productivity times 300 workers two or three times a week with the risk of data loss and data corruption on documents of a legal nature (lawsuits, court filings, background checks, etc). I cannot imagine taking a risk. My data center costs me a lot. My staff costs me a lot. But I trust what I can see as you said, just downstairs in the data center.

jck

Anyone who knows anything about servers knows: a) you can set up a server to be fully automated if you know your stuff...that means backups, system error alerts to email/pager/etc. b) if your operation is data bandwidth dependent, then you are going to have increased cost there to expand that. Constantly going to the cloud to retrieve data takes bandwidth. The more who use it...the more traffic...the more lag...means more cost on your communications buy as a service rather than solid assets you own and can recoup some later by selling after upgrading. Plus, cloud is just not dependable enough or secure enough for me yet. I'd never suggest it for any enterprise with critical need for more than 99.99% uptime or 100% guarantee that no one can intercept their data and determine its content.

mikifinaz1

While large companies have hordes of IT staff to protect their systems, users don't. I wouldn't worry about B of A losing "stuff." It is the end user machine that is the problem. End users don't have vast legions of tech people to protect their systems.

Tony Hopkinson

Did MS build a multi-million pound data centre so Fred could build a photo album? I don't think so.... If we as software makers want our stuff to run in the cloud with a reasonable level of performance, generally that's a substantial change in the architecture, aside from security and control concerns which we'd have to convince our customers so they'd pay MS and us. Or we use the datacentre to host our services instead of our own kit, in which case you are not talking about Fred's worksheet.

Webbywarehouse

How does the cloud address the bandwidth issue? How does a business location with 200 desktops all connected to live database driven applications handle the bottleneck known as their internet connection? What happens when there is a brief issue at any point in the pipe as dozens of records are being sent to update the database, poof, data is corrupted or incorrect. I just don't see how we can remove the data center from the business when thousands of transactions are accruing every minute, indeed sometimes even more than that. What about transferring files, large files? In my business files as big as 2 or 3 megs are constantly being created and saved. These legal copies are linked in the database. How can I upload (and download) these documents so that they can be emailed, printed, faxed? I just cannot get beyond the bandwidth issue, among others, but with such a fixed bottleneck I don't see how the cloud is going to lower cost and improve my situation.

Tony Hopkinson

A lot of money. However in an existing code base, it requires a considerable investment. That could be far better spent on yet another badly implemented feature, or better yet showing passion by shading everything purple....

rumbletumym

I do agree with you. But I see long-term, should off-premises computation become popular, a push for better behaved apps because of the potential to save money.

Tony Hopkinson

is overcoming the bandwidth problems you've identified in existing software and applications. The cloud is a different platform, optimising software and processes to run in it, could easily amount to a total redesign, with all the cost and disruption that entails. Sure as anything, there's no way a suite of in-house business apps is well behaved client server, it's even less likely that mechanisms for robust distributed transaction control are built in. We are IT for business, we don't do well designed, we do good enough initially if we are fortunate, and then things go downhill at a speed dependent on the rate of change of requirements.

rumbletumym

A well designed client-server model minimises bandwidth use. It can be reduced to only moving user-interface commands. This assumes the cloud hosts the data, and the work-horse apps. Data backups over the WAN are a significant problem. In some cases it's quicker to use a courier or even carrier pigeon! Moving 2 or 3 MB * 200 simultaneous uploads is a significant bandwidth requirement, but the load could be compressed (most data anyway), queued and smeared out through the day - depending on the requirements for timing of course. If a link breaks, a good transaction processing system will recover using rollback. Resumable upload/download has been available for years too. Your concerns are entirely justified when considering poorly designed systems and poor software implementation or choice, but a well designed system should address the bandwidth question from the outset. Of more concern, I think, is to try and create the opportunity to migrate your business from one cloud provider to another. That's a hard one because presently, providers have no interest in allowing competition like that.
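The resumable-upload and integrity point in the comment above can be sketched as follows. This is an added example, not code posted by anyone in the thread; the `UploadServer`, `flakyLink` and `upload` names, the chunk size and the sample file are all constructed assumptions, and the "server" is an in-memory stand-in rather than any provider's API.

```javascript
const { createHash } = require('node:crypto');

const sha256 = (buf) => createHash('sha256').update(buf).digest('hex');

// Constructed stand-in for the remote store (not a real provider API).
class UploadServer {
  constructor() { this.partial = new Map(); this.committed = new Map(); }
  // How many bytes of this upload the server durably holds.
  offset(id) { return (this.partial.get(id) || Buffer.alloc(0)).length; }
  append(id, offset, chunk) {
    const have = this.partial.get(id) || Buffer.alloc(0);
    // Reject gaps and replays: a chunk must start exactly where we stopped.
    if (offset !== have.length) throw new Error('offset mismatch');
    this.partial.set(id, Buffer.concat([have, chunk]));
  }
  // The document becomes visible only if the whole-file digest matches.
  commit(id, digest) {
    const data = this.partial.get(id) || Buffer.alloc(0);
    this.partial.delete(id);
    if (sha256(data) !== digest) return false; // corrupt or incomplete: discard
    this.committed.set(id, data);
    return true;
  }
}

class LinkDown extends Error {}

// Simulated WAN link: fails on chosen calls, either before the chunk is
// delivered or after delivery when only the acknowledgement is lost.
function flakyLink(server, failures) {
  let calls = 0;
  return {
    offset: (id) => server.offset(id),
    commit: (id, digest) => server.commit(id, digest),
    append(id, offset, chunk) {
      const mode = failures.get(++calls);
      if (mode === 'before') throw new LinkDown('dropped before delivery');
      server.append(id, offset, chunk);
      if (mode === 'after') throw new LinkDown('delivered, acknowledgement lost');
    },
  };
}

function upload(link, id, file, chunkSize, maxAttempts = 5) {
  const digest = sha256(file);
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    try {
      // Resume from what the server actually holds, not what we think we sent.
      for (let off = link.offset(id); off < file.length; off += chunkSize) {
        link.append(id, off, file.subarray(off, off + chunkSize));
      }
      return { committed: link.commit(id, digest), attempts: attempt };
    } catch (err) {
      if (!(err instanceof LinkDown)) throw err;
    }
  }
  return { committed: false, attempts: maxAttempts };
}

function runDemo() {
  const file = Buffer.alloc(3 * 1024 * 1024, 'constructed scan page ');
  const server = new UploadServer();
  const link = flakyLink(server, new Map([[5, 'before'], [9, 'after']]));
  const result = upload(link, 'scan-0001', file, 256 * 1024);
  const stored = server.committed.get('scan-0001');
  return { ...result, intact: Boolean(stored) && stored.equals(file) };
}
```

Because the client asks the server for its offset on every attempt, a lost acknowledgement neither duplicates nor skips a chunk, and a digest mismatch at commit discards the upload instead of storing a damaged document.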

Tony Hopkinson

Go back, read what I posted, stop confusing me with some twit from Gartner. Despite our well founded suspicions the cloud is coming, got to start at what we can move, not what we can't. Otherwise we get labelled as being anti-change, unaligned, propeller heads etc. I work in a slightly different market (Tax products for accountants), but I can assure you I know exactly where changing platform to the cloud is going to cause a huge amount of problems and costs. That's not even considering security, privacy, control and availability.

Webbywarehouse

You clearly don't see where I am coming from. Let me be more clear. I have on any given day a dozen or so people doing nothing but scanning and linking documents to db records. I work with legal documents, I provide services to hundreds of law firms. I must have access to my data NOW, not in two or three seconds, immediately. I have spent considerable money on staff and infrastructure to ensure that I can produce the level of efficiency that I need. I do not know where you are coming at this with naming a company like big rack, whatever it was. My firm has its own data center, internal. We do not have the luxury of anything greater than 5MB DSL, we are in an area that is older, developed, industrial. There are no other high speed options. In this area the DSL reliability is not great - that is typical for such industrial regions. Our situation is very common, less common are companies (large companies) with very high quality and high speed pipes other than those with expensive fiber service. I have 12 locations linked by T1's, I have a hub and spoke configuration for my locations. I have some replication from the main data center to others where it makes sense. I have talked to my IT guys, I don't see how based on what I have read and what they are telling me that I can use cloud computing / processing. I need to have access to too much data, large files, vastly too large to transfer back and forth through the cloud. That and some of this data must replicate to other locations - therefore I cannot have it in just one location. I guess there is a place for this idea, but I hear nothing more than platitudes and rhetoric, hyperbole and wishful thinking, concepts and great ideas. I don't see a model that I can migrate to that won't create extreme cost and incredible uncertainty.
I am not in an unusual position, many small business owners like me worry about availability and integrity of our data - that is our business that is our commodity - it is the blood in our veins.

Tony Hopkinson

Moving files between where, if it's between nodes in the datacentre, not a problem. Some platforms let you have on premises stuff as well. So you might create the files locally, but allow access to them for others from the cloud. Thousands of transactions for instance, could be cut down to a few in and out of the datacentre and the rest spawned inside it. I.e. you pass a document up to it, and then process it on a background thread. A switch to a batch processing environment. Bandwidth is of course an issue, as is processing the traffic. There's not going to be a one size fits all approach, it's likely that substantial reworking of applications and work processes will be required. Relational databases in a cloud data centre will be much more expensive, than lower level storage mechanisms. I know where you are coming from, the sell all your kit and rent space of big.rack.com, really irritate me. Anybody capable of suggesting that isn't fit to be involved in the decision.

Webbywarehouse

I would worry about the data center losing my company data, or it being unavailable periodically. I would worry about replication not being synced fast enough and I have different data from one "server" to another. I understand the model, the SAN model more or less. I also wonder how the cloud helps when my employees are scanning hundreds of pages of legal copy and then having to transfer to the cloud. This would be a common task in my business, how would that work in the cloud?

Dr_Zinj

Once they have you locked in, the chances of getting free again go way down. And with nowhere else to go, except maybe another cloud with the same problems, it suddenly doesn't look so attractive. Also, security is a big issue. Anyone who says cloud computing is more secure is lying. If your I.S. people have been given the resources they need, and are doing everything they are supposed to, then you're more secure.

rumbletumym

I wholeheartedly agree that inability to migrate from one provider to another is a bad one. Security is a different matter. A cloud model has the *potential* to be more secure but the level of responsibility of the provider needs to be publicly enforced through penalties, significant risk to the provider if they do the wrong thing, and an openness. As a client, you have the opportunity to use encryption.

ian.digby

1. Security is a multi-faceted thing. Cloud may be better for some facets and worse for others. Accidental loss (cloud is probably better). Hack/Fraud (cloud is worse but only if cloud operator size/presence is medium as against huge). An average gang of crooks would, (I guess!) target a medium-sized bank, not a huge one (too secure) or a tiny one (not worth the effort). For bank read cloud provider. Another thought: I remember in the 90s trying to convince an employer that confidential data was safer on the LAN than in a floppy locked in a drawer. Was I right?

wright_is

Those are the two biggest points for me. If the data is inside the company firewall, you are responsible for it. You can apply as much or as little security as you need. You can block the use of USB drives and you can frisk people before they leave the building, if you are that paranoid. If the data is in the cloud, you have no control over what security measures are in place and you have no real control over who can see the data - yes, you get your user lists and can restrict which of your users can see the database. But what about a security glitch, which allows other users in other companies (rivals even) to see the data? Or the employees of the cloud company? Do you get a chance to vet them, can you be certain they aren't selling information out the back door? Add in the fact that, by its nature, the cloud will spread your data willy-nilly around the globe, what happens when foreign law enforcement officials demand access to the data centre? Will they be refused access to data which doesn't belong to people in their country? Will they need to go through the court system where your company is based, before they get access? Or will they just need a local judge to sign off? What if accounting/data protection law in your area strictly prohibits the removal of financial or personal data (employees, customers, suppliers) from your jurisdiction? If you move your Exchange to the cloud and they mirror your contacts and emails to a server in a different country or on a different continent, you might need to get the permission of each contact, before you can put them in the cloud Exchange! Cloud companies need to be able to provide certification, that their security is up to snuff and they need to be able to let customers select which data centres can be used and guarantee that the data will not end up in countries where the customer doesn't want it to go!

rumbletumym

If your data is encrypted with strong cryptography, and the key is inside the company, then where is the data? Is it effectively inside the company since the key is the only way to access it? Or do you consider a collection of statistically random bits outside the company as data?

NickNielsen

Why would they not be? Without those bits, there's no point in even having the key.

rumbletumym

Curious, you stated an objection, and illustrated my point all in one concise sentence. Those that control the key see it as 'data'. Those who do not cannot. Therein lies the security. But you are right from a data-access point of view, whether encrypted or not, loss of plain text or random-bit (as appropriate) amounts to loss of data. But this is not a confidentiality issue - it is an availability issue. I don't see security as the problem with 'cloud' - I see control of those 1s and 0s as the issue. We are probably at agreement but from two different angles.
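The exchange above, encrypting before upload with the key kept in-house, can be made concrete. This is an added example, not code from the thread; it assumes AES-256-GCM from Node's built-in `crypto` module, and the `seal`, `open` and `demo` names, the record ids and the sample document are constructed for illustration.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// Encrypt on premises; only nonce || tag || ciphertext leaves the building.
function seal(key, plaintext, recordId) {
  const nonce = randomBytes(12);               // must be unique per message under one key
  const c = createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(Buffer.from(recordId));             // bind the blob to its record id
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

function open(key, blob, recordId) {
  const nonce = blob.subarray(0, 12);
  const tag = blob.subarray(12, 28);
  const ct = blob.subarray(28);
  const d = createDecipheriv('aes-256-gcm', key, nonce);
  d.setAAD(Buffer.from(recordId));
  d.setAuthTag(tag);
  // final() throws if the key, the blob or the record id is not the original.
  return Buffer.concat([d.update(ct), d.final()]);
}

// Returns the plaintext, or null when authentication fails.
function tryOpen(key, blob, recordId) {
  try { return open(key, blob, recordId); } catch (err) { return null; }
}

function demo() {
  const key = randomBytes(32);                 // stays inside the company
  const provider = new Map();                  // constructed stand-in for cloud storage
  const doc = Buffer.from('Constructed sample: court filing, case 00-000');
  provider.set('rec-1', seal(key, doc, 'rec-1'));

  const blob = provider.get('rec-1');
  const tampered = Buffer.from(blob);
  tampered[30] ^= 0x01;                        // one flipped ciphertext bit

  const result = {
    ownerReads: tryOpen(key, blob, 'rec-1')?.equals(doc) === true,
    readerWithoutKey: tryOpen(randomBytes(32), blob, 'rec-1'),
    tamperedBlob: tryOpen(key, tampered, 'rec-1'),
    blobMovedToOtherRecord: tryOpen(key, blob, 'rec-2'),
    plaintextVisibleInBlob: blob.includes(doc),
  };

  provider.delete('rec-1');                    // provider loses the blob
  // The key is still safe in-house, but there is nothing left to decrypt.
  result.recoverableAfterProviderLoss = provider.has('rec-1');
  return result;
}
```

Confidentiality and integrity rest on the key alone, while the last field shows the availability side of the argument: holding the key does not bring back a blob the provider has lost.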

GregEB

Sidekick and Danger point out the dangers of cloud computing. It is my understanding that the users couldn't back up their own data. As a result, a botched system upgrade, that was done without a proper backup, left Sidekick customers in a bind for days.

Webbywarehouse

I don't understand how small to large enterprises will use this to any great advantage. Speed seems to be a bigger issue than space or capital investments. In my own experience when there is a second or two of delay in accessing records, this constitutes too much delay, or lag. Users interact with data hundreds of times an hour, per user, so any lag would reveal a lot of additional cost through lost productivity. Speed and dependability are crucial. If I place all my data on the Internet, in the cloud, then I must wait for that data to travel the same pipe in an encrypted form to an intermediate server locally, or a local application server, or directly to my desktop. Regardless --- it must travel in an encrypted format, being compressed, then later decrypted and inflated again. LANs rarely get choked up with 100 or 1000 base networks, but the net, even with 10Mb connections (which is not at all common for enterprise), with the fact that so much data is being requested for SQL queries for desktop applications where can I see any performance improvement? Cost is part of the equation, but so is efficiency. I have say 10 or 12 locations spread across several states. Yes, I do have a main database, but this database is replicated constantly to each location. I only replicate the changes, not the entire database. If my SQL database constitutes a total of 100 GB of data, and if I am updating a small fraction of that daily, there are many efficient ways I can keep each SQL server at my various sites in sync. But the big advantage of local data is the speed at which my dozens or hundreds of desktop users can access the data. That and my web services can access the same current data as fast as at any location.
If I depend on cloud based computing, that is I am perhaps using thin clients, and looking beyond the complete re-engineering and approach of doing business, of how I operate my business, that alone is frightening, how then do I manage when there is any degree of server interruption to access my data and the cloud computing resources? In my line of business information is my business, it is the only commodity that I deal with. Without data I cannot work, I am dead in the water. Without data and access and processing, saving and storing records, creating records, scanning and uploading documents, I cannot function and I have 100's of users sitting idle. I do not see the value in this model. Data replication and storage, backup services, yes, but not transforming computing to the cloud, that scares me.

NickNielsen

concerning cloud storage: Is the provider storing data of different sensitivity (HIPAA, Privacy Act, Sarbox, etc.) collocated on the same storage array? If so, is access (both physical and electronic) to that array controlled to the level of the most sensitive information stored?

rumbletumym

Some are using / proposing virtual servers and storage arrays. These devices use a security kernel which separates data access at a very low level. Inside the virtual environment, routers, switches, IPS/IDS, firewalls are implemented to the same or better standards as a physical network.

NickNielsen

Now, about physical access... Are cloud provider employees certified to handle/view all stored information? Doesn't matter that they will probably never see it, they still require certification. Are all employees subject to background checks? Are these checks repeated at periodic intervals (much like the military renews security clearances)? I can hear the CEOs now. "According to the statistics, I can't trust my own employees not to perform industrial espionage. What's to keep the people at this cloud company from screwing me over as well?"

NickNielsen

Hate when that happens. I was trying to come in from the other side as on-site IT and point out that it's me that gets blamed for everything. Must not have had enough coffee yet, so my point wasn't clear. It is a valid point, Liz, that IT will do their best to deflect blame, but so does almost everybody else. I think a good part of the problem in American business is that very few people in large corporations have the guts to stand up and admit to a mistake. Instead, we get the deflective statement "Mistakes were made." My point is that IT are the poster children for high-visibility failures. We have conditioned our customers to call the help desk, so now it's the help desk that gets the call when the fax dies, when the Muzak's over, when the new shredder needs to be installed, when the coffeepot goes out, and even when the water is off. The instinctive response is, as the song goes, "It wasn't me."

NickNielsen

"I've been watching IT managers and their minions successfully deflect blame for a long time ... it's the carrier, it's the root servers, it's our budget, it's a caching problem we have no control over, it's those consultants you brought in, the requirements are too complex for the time we have to implement, it's: Microsoft, Oracle, Cisco, etc and etc" One of the things I learned over 24 years in the USAF was that you had better eliminate all possible local causes of a problem before you escalate. One of the other things I learned is that you get a lot more respect if you aren't afraid to admit to your mistakes. As a contractor responsible for equipment operation, it's always my fault when things don't go right; just ask the help desk. If it is my fault, I've got the integrity (and the 'nads) to step up and admit it. But when the customer's IT tries to blame me and I can show I'm right, it ain't pretty. For example, a few months back the customer rolled out a new system. About 20% of the systems in my area did not work on installation. I dutifully replaced PC after PC, never seeing any results but the failure that was initially reported. After the first round of equipment replacement, I asked "What files are not on the store server that should be there?" Level 1 and level 2 assured me there were no local files and the problem had to be the hardware, my image, my thumbdrive, etc., etc. I called BS, but they stood their ground; even Level 3 told me I was wrong. To prove my point, I took one of the "bad" units to a store where the system was functioning, installed the unit, and used my "bad" thumbdrive and image file to reimage it. It worked. I transmitted my results to my bosses via email and gave a friend in the customer's support network a telephoned "heads up." It didn't hurt that at about the same time, they went through *six* PCs trying to get the system working in a new store before they discovered the required server files were missing.
Five weeks later, *four months* after the system went live, the customer rolled out a massive patch to fix the problems with the system, *all* of which were related to missing or corrupted files on the server. etu

herlizness

> that's pretty funny; I've been watching IT managers and their minions successfully deflect blame for a long time ... it's the carrier, it's the root servers, it's our budget, it's a caching problem we have no control over, it's those consultants you brought in, the requirements are too complex for the time we have to implement, it's: Microsoft, Oracle, Cisco, etc and etc and it always works because IT is always five steps ahead of ANYONE in management in the war of the words no, I'm not buying your thesis; IT recommends in-house because IT IS in-house and that means job security. Period. but don't get me wrong on any of this discussion ... there are a plethora of miserable third-party vendors spitting out all kinds of BS propaganda and they should be avoided at all costs; and I have never once said that anyone should dive headlong into "cloud computing" because it's cool, it's now, or any other such thing ... there is much to be worked out but I will stick to my guns and say that there is NO question in my mind that what I prefer to think of as "computing as a utility" is what's ahead in the future ... and some of it is in place today.

NickNielsen

"IT *always* recommends that everything be kept in house ... I wonder why ..." ...because they know who will be blamed when the feces contact the rotary air impeller. No matter who is *actually* at fault. etu

herlizness

> IT *always* recommends that everything be kept in house ... I wonder why ...

NickNielsen

"experience teaches me, however, that what most will do will be governed by internal politics rather than rational thought" You've got that right. My contacts in other companies are telling me that IT is recommending that data storage be kept in-house because of the risks, while all the veeps are asking "What about the cloud?" because they're getting marketing materials from every Tom, Dick, and Harry. "...HIPAA is pretty much useless in achieving its nominal objectives..." Yep, it's eye candy. Congress could have achieved much more with much less effort simply by amending the Privacy Act to apply to any request for PII by any organization.

herlizness

> sure, by the book; but there were NO penalties levied for HIPAA non-compliance in its first three years; as of August 2009, there were only two instances of significant fines ... and it was egregious, easily-avoided conduct which fully justified the penalty > we'll see what "most companies" do; if they're smart companies they'll do the intelligent thing and source it in the most efficient way possible ... in or out of house experience teaches me, however, that what most will do will be governed by internal politics rather than rational thought as a final note, HIPAA is pretty much useless in achieving its nominal objectives; big business doesn't want people to have privacy and Congress and the agencies make sure they don't get it

rumbletumym

... and if the provider carries that risk ?

NickNielsen

The fines for HIPAA violations start at $1,000 per violation, but could be $50,000 *for a single offense*. http://preview.tinyurl.com/dxxvdg Most companies with data covered by HIPAA, the Privacy Act, or other such programs will, most likely, decide to maintain their in-house storage simply because they have more control. The potential costs are just too great.

rumbletumym

These are valid objections. My take on it is 'buyer beware' to a certain extent. In the same way that a responsible company vets their own staff, they should vet their suppliers. Possible savings are available through commonality of security measures from several clients. A client needs to ask what is the provider afraid of. If the answer is 'afraid of losing a good reputation', 'afraid of applicable legislation', 'afraid of losing customers', and so on, if the value of this 'fear' accumulates to an impressive enough level, then the client may conclude that the provider has a lot to lose by doing the wrong thing. By this implication, at some point a client should see the providers' potential losses to be greater than their own, and that's the point where "trust" has a solid basis. Openness, checks and balances and an overt honesty will be the way for a provider to earn business.
