As is often discussed at GigaOM Pro, beleaguered IT pros are the ones often left to figure out which applications and data should move first and to which type of cloud. But with more and more business leaders now turning to this topic, the questions — and confusion — are multiplying. Should businesses keep workloads in a private, dedicated cloud — where the company itself maintains the infrastructure and security? Should they truck them to a public cloud, à la Amazon Web Services, GoGrid or Rackspace? Or should they keep some in a private cloud but peel off less-sensitive data or applications to a public cloud as needed in a hybrid model?
With so much to consider, we’ve broken down the cloud discussion to help companies decide which strategy is right for their business. Let’s take a look.
Public cloud: Move the simple stuff first
A well-known and compelling reason to move to the public cloud is to cut costs. Recent GigaOM Pro research showed that among 277 companies moving some work to a public cloud, 59 percent cited cost savings as their primary motivation.
The first stuff to go to a public cloud should be unessential data. That lets companies test the waters without feeling too much risk because, as big and efficient as these public clouds are, there have been outages and slowdowns. (Hello, Amazon.)
Many companies start with archival data or look to the public cloud for backup and recovery. But others use the public cloud for incremental storage, which can go to the cloud so that it does not choke on-premises storage. To this point, Amazon’s Simple Storage Service (S3) surpassed 900 billion objects stored in the first quarter of 2012, up from 762 billion for the year-ago quarter. Vendors including Nasuni, StorSimple, and OwnCloud automate the process of moving encrypted data to public clouds and managing it for business customers.
As for applications, things like email and simple collaboration — commodity applications — are good to go next. There’s not much value corporate IT can add to Exchange Server, for example, so why not run it on someone else’s infrastructure? David Nichols, the CIO services leader for Ernst & Young’s Americas Advisory Practice, calls these stand-alone applications. Software test and development is another no-brainer.
There’s a reason Salesforce.com had such great early success in Software-as-a-Service: CRM applications are a natural fit to run outside the firewall, said Bill Hurley, the CIO and CTO for the Westcon Group. CRM, email and basic collaboration tools can all be moved fairly easily to the public cloud to accrue cost savings with little risk.
When to go private
While simple collaboration applications are suited for the public cloud, Rackspace VP Lisa Larson says it sometimes makes more sense to put things like Microsoft SharePoint into a private cloud, depending on what sort of content is being shared. If it’s confidential work product, private cloud may be best, if only to allay the aforementioned concerns about public cloud security.
For applications with a predictable workload and known audience, private cloud is often the way to go.
But before reinventing your existing data center infrastructure, it’s important to know what you want to do. If engineers are working on the design of products — say jet engines — that are the lifeblood of a company, it makes no sense to put that work into a public cloud. These are the types of confidential projects companies want to control. And a big company has more resources to dedicate to data center security than a public cloud.
A private cloud also suits applications that might otherwise run fine in a public cloud but are circumscribed by limited Internet connections. Many companies may have ample network bandwidth inside their facilities but are gated by a one- or two-gig on-ramp to the public Internet.
Furthermore, a private cloud implementation also satisfies compliance regulations that mandate that certain types of data — in health care or financial services industries — be kept off of shared infrastructure (i.e., public clouds).
One word of warning from Nichols: Don’t bother if you’re just going to forklift your existing applications onto a shiny private cloud. But if you want new functionality — like added self-service capabilities to a human resources site that was previously a collection of static documents — go for it. How much better would it be to let employees manage their vacation time and insurance issues on a secure, interactive site?
When hybrid is best
A hybrid cloud suits any application that sees super-spiky demand. Game maker Zynga popularized this notion, as it moved more of its game workloads to its own cloud while still relying on Amazon for heavy demand spikes when a game launched. The use of a hybrid model obviates the need for companies to build their data centers for peak loads, and that means big cost savings.
The notion of hybrid as being the go-to model for many companies was validated last month when Gartner called hybrid cloud usage an “imperative” for most companies.
E-commerce and marketing applications, for example, are a great fit for a hybrid cloud. If you run an online store, you want your customers to see your products and maybe track their own previous purchases, but you don’t want outsiders to have access to credit card information. “Public clouds are really good for Web stuff and not so good at sensitive stuff,” Tier1 analyst Carl Brooks said. But hybrid cloud use will grow, because companies and tech vendors are figuring out how to better separate those two types of workloads so the public need-to-know stuff can run in a public cloud and the secure, sensitive data can be walled off in a private cloud, Brooks said.
Unified communications (UC) applications — which pair VoIP telephony, instant messaging and email — are also well-suited to the hybrid model. “We distribute a lot of UC solutions that require on-premises equipment to monitor and manage the UC environment, but the backup can be enabled on a public cloud,” said Westcon’s Hurley.
But companies need to assess their applications and how forgiving they might be about latency, which can be an issue in hybrid clouds across all industries.
The big question: security
As trite as it sounds, most big companies’ resistance to public cloud use boils down to perceptions of security vulnerability more than real security issues. There is also the notion that vendors of on-premises technology offer better and more comprehensive SLAs than public cloud providers are willing to offer to protect the company should there be an outage or breach.
People point to last spring’s AWS outage as a cautionary tale, but in reality that is small potatoes compared to internal issues companies have with their own data centers. Look at the high-profile security snafus at companies like TJX, which was hacked for customers’ credit card information. That meltdown had zero to do with the cloud and everything to do with internal data center security practices.
Furthermore, last fall Gabriel Consulting Group surveyed 147 enterprise IT decision makers and found that more than half felt security needed to be considered earlier and integrated more deeply into their own new IT projects. A whopping 60 percent said their organizations “fall short when it comes to ensuring that new IT initiatives take security considerations into account from beginning to end.”
In other words, the perception that a company’s own data center is more bulletproof than, say, Amazon’s cloud is at best mistaken and at worst delusional. “The tricky thing is enterprise IT departments use [cloud] outages as a cover to resist change,” said Scott Bils, a partner with The Everest Group.
“When we go into these accounts [resistance stems more from] organizational and cultural barriers than technology issues. IT management worries about how cloud will change their role and function,” he added.
Perceptions die hard. And until compliance regulations catch up to the reality of cloud providers’ ability to protect their own data centers, many companies will not put their crown jewels into a public or hybrid cloud.
So is the public cloud more secure than on-premises IT? It depends.
In terms of physical security, few corporate data centers are as secure as Amazon. On the other hand, putting applications in any public cloud means the application servers are potentially exposed to the Internet. Good deployment practices mitigate that risk in the cloud, just as they do in an internal data center. So the answer depends on how secure the existing on-premises IT is now and how good deployment practices in the public cloud are.
David Ryan, the CIO of General Dynamics IT, a big integrator, sees many use cases for going to the public cloud: disaster recovery, research and development, software development, batch processing jobs, public-facing content.
But here comes the big “but.” Right now, even in those cases, sensitive data still has to stay in-house, in his view, if only to protect the company from liability. The challenge of indemnity has to be sorted out by the cloud service providers before that super-secret data can move en masse to public clouds, he said.
“At the end of the day, no monetary penalty on an SLA or a data loss incurred on the CSP could equal the damage of the nation’s security or in a commercial sense, the loss of intellectual property and competitive information,” he said. “I don’t think you’ll see the formula for Coke up on Amazon anytime soon.”