CIO Focus Executive guides for strategic decision making

Forecast: Cloud Computing Looms Big on the Horizon

Table of Contents Introduction Overview 3 | QuickStudy: Cloud Computing 4 | What Cloud Computing Really Means PUTTING IT TO WORK 6 | Cloud Computing: Tales from the Front 8 | Capex vs. Opex 9 | Cloud Computing: Don’t Get Caught Without An Exit Strategy 12 | Early Experiments in Cloud Computing 14 | Cloud Computing: What UC Berkeley Can Teach You RISK/REWARD 17 | The Dangers of Cloud Computing 18 | Cloud Computing Survey

Sponsored by

http://vmware.com Introduction

Forecast: Cloud Computing Looms Big on the Horizon

“Cloud computing” is basically the latest incarnation of grid computing, util- ity computing, virtualization and clustering. It differs in that it provides the ability to connect to software and data living on the Internet (the cloud) instead of on a hard drive or local network. Since IT is always on the lookout for new and better ways to increase capacity or add capabilities on the fly without investing in new infrastructure, training new personnel, or licensing new software, cloud computing holds much promise. It is, however, still in a nascent stage, and it behooves IT management to look closely and carefully at what’s involved and whether or not the concept is a workable one for the company. What follows is a compendium of articles about cloud computing in which we explore the current state of the art, early adopters, the economics, the potential pitfalls and what you can do to avoid them, and what IT leaders are saying about the concept. This is one time when it makes good, practical business sense to have your head in the clouds.

All content copyright CXO Media Inc., 2009. All rights are reserved. No material may be reproduced electronically or in print without written permission from CXO Media Inc., 492 Old Connecticut Path, Framingham, MA 01701.

CIO Focus Forecast: Cloud Computing Looms Big on the Horizon 2 locations was transmitted. Overview Also, grid or cloud computing means users and busi- nesses must migrate their applications and data to a third party or different platform. For enterprises with huge invest- Quick Study: Cloud ments in existing software and operational procedures, this has been a real barrier to adoption of these shared technolo- Computing gies. Other significant concerns include data security and confidentiality. Users can hook into the Why it works power of “out there” Critical to the success of cloud computing has been the growth of virtualization, allowing one computer to act as if sk any five IT specialists what cloud computing it were another—or many others. Server virtualization lets is, and you’re likely to get five different answers. clouds support more applications than traditional comput- AThat’s partly because cloud computing is merely ing grids, hosting various kinds of middleware on virtual the latest, broadest development in a trend that’s been grow- machines throughout the cloud. ing for years. Cloud computing is the most recent successor to grid Where it’s going computing, utility computing, virtualization and cluster- If cloud computing succeeds on a wide scale, it may well ing. Cloud computing overlaps those concepts but has its be because of recent initiatives from Amazon, IBM and own meaning: the ability to connect to software and data Google. on the Internet (the cloud) instead of on your hard drive or In 2007, IBM and Google Inc. teamed up to provide local network. the hardware, software and services needed to teach com- To do anything with a PC 10 years ago, you needed to buy puter science students large-scale distributed computing. and install software. Now, cloud computing allows users to Their Academic Cluster Computing Initiative began when access programs and resources across the Internet as if they a Google software engineer, Christophe Bisciglia, wanted were on their own machines. to improve computer science curricula by teaching college students how to solve problems involving massive computer Definition clusters and terabytes of data. Cloud computing describes a system where users can con- nect to a vast network of computing resources, data and Why a cloud? servers that reside somewhere “out there,” usually on the For years, in flow diagrams and PowerPoint presentations, Internet, rather than on a local machine or a LAN or in a people have represented the Internet as a fuzzy cloud with data center. Cloud computing can give on- demand access communications lines going in and out of it. Now that they’re to supercomputer-level power, even from a thin client or actually talking about using a remote, black-box approach mobile device such as a smart phone or laptop. to computing, the old familiar cloud seems an appropriate metaphor. In the beginning Google’s CEO recruited his counterpart at IBM to join First, there were mainframe computers, then minicom- the initiative. The two companies say they will dedicate puters, PCs and servers. As computers became physically hundreds of computers to it. Located in data centers at smaller and resources more distributed, problems some- Google, IBM’s Almaden Research Center and the University times arose when users needed more computing power. of Washington, these resources are expected to eventually IT pros tried clustering computers, allowing them to talk include more than 1,600 processors. with one another and balance computing loads. Users didn’t Initially, six universities—the University of Washington, care which CPU ran their program, and cluster software Stanford University, Carnegie Mellon University, MIT, the managed everything. But clustering proved to be difficult University of Maryland and the University of California, and expensive. Berkeley—are participating in the Google-IBM program. In the early 1990s, the grid concept emerged: Users could There are lots of discussions going on right now about connect to a network, much as they plugged into the electri- cloud computing is, but I feel there isn’t enough definition cal power grid, and use service on a metered-utility basis. of what it isn’t. Thus, people began speaking of utility computing. Meanwhile, Amazon.com Inc. offers a couple of cloud One problem was where data was stored. Grid nodes services. Web service developers can use its Simple Storage could be located anywhere in the world, but there could Service (S3) to store any amount of data. And developers be significant processing delays while data stored at other can use Amazon’s Elastic Compute Cloud (EC2) to set up a

CIO Focus Forecast: Cloud Computing Looms Big on the Horizon 3 Overview

virtual server in minutes, with none of the maintenance of emerging. buying and installing server hardware and software. Both InfoWorld talked to dozens of vendors, analysts, and IT services are offered on a pay-per-use basis. n customers to tease out the various components of cloud computing. Based on those discussions, here’s a rough Russel Kay is a Computerworld contributing writer in Worcester, breakdown of what cloud computing is all about: Mass. You can contact him at [email protected]. 1. SaaS This type of cloud computing delivers a single application through the browser to thousands of customers using a multitenant architecture. On the customer side, it means What Cloud Computing no up-front investment in servers or software licensing; on Really Means the provider side, with just one app to maintain, costs are low compared to conventional hosting. Salesforce.com is by far the best-known example among enterprise applica- The next big trend sounds tions, but SaaS is also common for HR apps and has even nebulous, but it’s not so worked its way up the food chain to ERP, with players such fuzzy when you view the as Workday. And who could have predicted the sudden rise of SaaS “desktop” applications, such as Google Apps and value proposition from the Zoho Office? perspective of IT professionals 2. Utility computing loud computing is all the rage. “It’s become the The idea is not new, but this form of cloud computing is phrase du jour,” says Gartner senior analyst Ben getting new life from Amazon.com, Sun, IBM, and oth- CPring, echoing many of his peers. The problem is ers who now offer storage and virtual servers that IT can that (as with Web 2.0) everyone seems to have a different access on demand. Early enterprise adopters mainly use definition. utility computing for supplemental, non-mission-critical As a metaphor for the Internet, “the cloud” is a familiar needs, but one day, they may replace parts of the datacenter. cliché, but when combined with “computing,” the meaning Other providers offer solutions that help IT create virtual gets bigger and fuzzier. Some analysts and vendors define datacenters from commodity servers, such as 3Tera’s App- cloud computing narrowly as an updated version of utility Logic and Cohesive Flexible Technologies’ Elastic Server on computing: basically virtual servers available over the Inter- Demand. Liquid Computing’s LiquidQ offers similar capa- net. Others go very broad, arguing anything you consume bilities, enabling IT to stitch together memory, I/O, storage, outside the firewall is “in the cloud,” including conventional and computational capacity as a virtualized resource pool outsourcing. available over the network. Cloud computing comes into The Cloud: Your View focus only when you think about Cloud computing will cause a radical 58% 3. Web services in the cloud what IT always needs: a way to shift in information technology driving Closely related to SaaS, Web increase capacity or add capabili- the next wave of innovation service providers offer APIs ties on the fly without investing in Cloud computing is an evolving concept 54% that enable developers to exploit that will take years to mature new infrastructure, training new functionality over the Internet, personnel, or licensing new soft- Current on-demand offerings are not 36% rather than delivering full-blown appropriate for my business ware. Cloud computing encom- applications. They range from passes any subscription-based or Cloud computing is a passing fad 18% providers offering discrete busi- pay-per-use service that, in real ness services—such as Strike Iron SOURCE: CIO Research time over the Internet, extends and Xignite—to the full range of IT’s existing capabilities. APIs offered by Google Maps, ADP payroll processing, the Cloud computing is at an early stage, with a motley crew U.S. Postal Service, Bloomberg, and even conventional credit of providers large and small delivering a slew of cloud-based card processing services. services, from full-blown applications to storage services to spam filtering. Yes, utility-style infrastructure providers 4. Platform as a service are part of the mix, but so are SaaS (software as a service) Another SaaS variation, this form of cloud computing deliv- providers such as Salesforce.com. Today, for the most part, ers development environments as a service. You build your IT must plug into cloud-based services individually, but own applications that run on the provider’s infrastructure cloud computing aggregators and integrators are already and are delivered to your users via the Internet from the pro-

CIO Focus Forecast: Cloud Computing Looms Big on the Horizon 4 Overview

vider’s servers. Like Legos, these services are constrained by known examples include Rearden Commerce and Ariba. the vendor’s design and capabilities, so you don’t get com- plete freedom, but you do get predictability and pre-integra- 7. Internet integration tion. Prime examples include Salesforce.com’s Force.com, The integration of cloud-based services is in its early days. Coghead and the new Google App Engine. For extremely OpSource, which mainly concerns itself with serving SaaS lightweight development, cloud-based mashup platforms providers, recently introduced the OpSource Services Bus, abound, such as Yahoo Pipes or Dapper.net. which employs in-the-cloud integration technology from a little startup called Boomi. SaaS provider Workday recently 5. MSP (managed service providers) acquired another player in this space, CapeClear, an ESB One of the oldest forms of cloud computing, a managed ser- (enterprise service bus) provider that was edging toward vice is basically an application exposed to IT rather than to b-to-b integration. Way ahead of its time, Grand Central— end-users, such as a virus scanning service for e-mail or which wanted to be a universal “bus in the cloud” to con- an application monitoring service (which Mercury, among nect SaaS providers and provide integrated solutions to others, provides). Managed security services delivered by customers—flamed out in 2005. SecureWorks, IBM, and Verizon fall into this category, as Today, with such cloud-based interconnection seldom do such cloud-based anti-spam services as Postini, recently in evidence, cloud computing might be more accurately acquired by Google. Other offerings include desktop man- described as “sky computing,” with many isolated clouds agement services, such as those offered by CenterBeam or of services which IT customers must plug into individually. Everdream. On the other hand, as virtualization and SOA permeate the enterprise, the idea of loosely coupled services running on 6. Service commerce platforms an agile, scalable infrastructure should eventually make A hybrid of SaaS and MSP, this cloud computing service every enterprise a node in the cloud. It’s a long-running offers a service hub that users interact with. They’re most trend with a far-out horizon. But among big metatrends, common in trading environments, such as expense manage- cloud computing is the hardest one to argue with in the long ment systems that allow users to order travel or secretarial term. n services from a common platform that then coordinates the service delivery and pricing within the specifications set by Galen Gruman is executive editor of InfoWorld. Eric Knorr is editor the user. Think of it as an automated service bureau. Well- in chief at InfoWorld.

Describe Your Plans/Usage of the Following Cloud Offerings On the radar/ Currently Planning to Planning to actively using or Planning to use one to use three to No plans researching implementing use next year three years five years to use Application platforms & 27% 34% 4% 3% 2% 30% development software (web servers, design tools) Collaboration tools (wikis, 17% 50% 8% 4% 4% 17% web conferencing) Enterprise application 19% 35% 4% 5% 3% 34% software (CRM, ERP, Supply Chain, BI) Personal productivity 22% 23% 4% 4% 4% 43% software (word processing, e-mail, spreadsheet) Utilities/management 21% 33% 5% 7% 2% 32% software (anti-virus, spam filters, desktop management) Networks 16% 27% 4% 5% 2% 45% Servers 18% 32% 4% 5% 2% 39% Storage 22% 31% 6% 4% 7% 30%

SOURCE: CIO Research

CIO Focus Forecast: Cloud Computing Looms Big on the Horizon 5 A new level of scalability PUTTING Unlike many “next big things” cloud computing didn’t just spring fully-formed from the brain of a Silicon Valley whiz IT TO WORK kid. “It’s the logical corollary of what happened in comput- ing over the last 30 years. In a sense, it’s a return to the past; time-sharing on steroids,” says Mendes. Cloud Computing True enough, but it’s easier to get analysts and IT insiders to talk about the features and goals of a cloud than it is to pin down an exact definition. Keep in mind, too, that different Tales from the Front vendors will spin cloud computing differently. Salesforce. com’s vision of the cloud looks much like the SaaS you know riter Nicholas Carr will earn the enmity of even today; IBM’s vision includes mashups of massive customer more tech veterans with his newest prediction: data sets on the fly. WCloud computing will put most IT departments “The cloud is basically a combination of grid computing, out of business. “IT departments will have little left to do which was mostly about raw processing power, and soft- once the bulk of business computing shifts out of private ware as a service,” says analyst Dennis Byron of Research data centers and into the cloud,” Carr writes in his new 2.0. “In effect the cloud is network virtualization.” book, “The Big Switch: Rewiring the World, from Edison Dennis Quan, CTO of IBM’s High Performance On to Google.” Demand Solutions, says “We’ve designed the cloud around An exaggeration? Of course. But there’s a kernel of truth virtualization. You have a data center with many servers beneath the hyperbole. Cloud computing, once a concept and they are all turned into virtual machines.” as murky as its name suggests, is becoming a legitimate One difference from the now familiar, multi-tenant emerging technology and piquing the interest of forward- SaaS model, in which numerous clients access a provider’s looking CIOs. Out-of-control costs for power, personnel application: Cloud computing environments also allow the and hardware, limited space in data centers, and above all, customer to run his own applications on the provider’s a desire to simplify, have encouraged significant numbers of infrastructure. startups—and a still small number of enterprises—to move At the provider level, the goal is to dynamically assign more infrastructure into a third-party provided cloud. computing workloads as customer jobs come in, notes Wil- “The concept of cloud computing makes enormous sense, liam Fellows, an analyst with The 451 Group. That approach says André Mendes, the CIO of Special Olympics. “It helps helps the vendor maximize its resources and lets the cus- the CIO abstract another layer of complexity from the orga- tomer ask for more computing power on the fly. That’s a nization and concentrate on providing the higher levels of key point. A big goal of cloud computing, whether IBM’s value.” Mendes, who’s now moving much of his data center Blue Cloud or Amazon’s EC2 (Elastic Cloud Computing), outside his enterprise via conventional hosting services, is rapid scalability. says he expects to move toward the cloud in the next few But elasticity is probably a better term, says Barney Pell, years. founder and CTO of Powerset, a San Francisco-based startup Why now? Enabling technologies, including nearly ubiq- company building a natural language search engine. By uitous bandwidth and widespread server virtualization, elastic, Pell means the ability to stretch out when needed— plus the lessons learned from the rapid ascent of software and then snap back. His company is attempting to index an as a service (SaaS), are encouraging CIOs to think further enormous chunk of the Web, and that compute-intensive outside of the data center. task goes on most of the time. The work involves major To be sure, it’s still the early days of cloud computing. spikes by users that would exceed the company’s normal Concerns around security and application latency, to name computing capacity. two of the issues most commonly raised by the IT commu- Rather than buy enough servers and other infrastructure nity, are real. Also, providers have not fully formulated their to meet peak needs, Powerset became an early customer business and pricing models, which is one reason that some of Amazon’s EC2 and S3, Amazon’s related storage service. CIOs who did not reap the desired ROI from SaaS now look Powerset pays for the resources as it uses them, freeing up at cloud computing skeptically. Yet another issue: trans- significant amounts of cash, Pell says. parency. Entrusting mission critical applications and data Pell suggests that IT executives considering cloud services to a third party means the customer has to know exactly start by closely examining which resources their data center how cloud providers handle key security and architectural uses all the time—and which are only needed during periods issues. How transparent providers will be about those of peak demand. What’s more, the use of an elastic service details remains an open question. gives IT time to establish a baseline, that is, the minimum level of resources needed to run the business at all times.

CIO Focus Forecast: Cloud Computing Looms Big on the Horizon 6 PUTTING IT TO WORK

Similarly, groups or departments within enterprises often Security, of course, poses an issue. “Single sign-on service have the need to prototype or handle a specific project, but and password management were the biggest pain points,” don’t have the budget or desire to buy the needed infrastruc- says the CIO. ture. Indeed, IBM itself is using its internal cloud to supply While very upbeat about his experience in the cloud, the resources needed for prototyping new applications or Menefee says his data center isn’t going away anytime soon. services, says Quan. Not every project uses that internal The company deals with very large image files and charts cloud, but more than 100 have, he adds. scanned into the system, which means that latency becomes The New York Times, for example, used Amazon Web an issue. So for now, that type of work stays in house. There’s Services (EC2 and S3) to generate PDFs of 11 million arti- also “a beast” of a legacy billing system to deal with that cles in the paper’s archives in less than 24 hours using 100 wouldn’t fit well into a hosted environment, he says. instances of EC2, instead of buying hardware for the proj- Is Schumacher utilizing cloud technology, or is it really ect, Derek Gottfrid senior software architect for the Times, SaaS? “There’s a lot of gray area around that term [cloud wrote in his blog. computing],” Menefee says. “But for me, the idea of us using an infrastructure that isn’t our own, that is managed outside Flexibility up, costs down makes it a cloud. But I’m not looking to be part of a trend. I For some enterprises, cloud computing can help a CIO tackle find a problem and look for a solution.” several problems at once, as was the case for Schumacher Group CIO Doug Menefee. Upon joining the Lafayette, Control fears Louisiana-based company three years ago, Menefee had to Security, latency, service levels and availability are issues tackle a disaster-planning gap and find new ways for IT to that rightly concern IT executives when the talk turns to keep up with rapid business growth. cloud computing. Vendors will have plenty of work to do in Headquartered two hours west of New Orleans and 35 the next few years to resolve them to IT’s satisfaction. But miles north of the Gulf of Mexico, Schumacher staffs emer- there’s also a less concrete, but important, issue on the cloud gency rooms for 150 hospitals across the U.S. It only takes computing table: culture. a glance at the map to see how close it came to being hit by “Some people still view this as a loss of control,” says hurricanes Katrina and Rita. “It was an eye-opener,” says Adam Selipsky, Amazon’s vice president for product man- Menefee. “We didn’t have disaster agement and developer relations. recovery and business continuity Is Cloud Computing On Your “They’re starting to come to terms capabilities. Had our headquar- Organization’s Tech Roadmap? with the idea of data leaving their ters gone down, it would have Yes, currently using or implementing 30% four walls, but we’re not there taken all of the regional offices No, not on our technology roadmap 29% yet.” down with it.” Indeed, when asked what advice Yes, on the radar or actively researching 17% At the same time, Schumacher’s he has for other CIOs considering Yes, plan to use within one year IT group was struggling to keep 10% cloud computing, Schumacher’s with the demands of a company Yes, plan to use within one to three years 5% Menefee says, “Your traditional whose revenue was growing 20 Not sure 5% IT staffer is going to be resistant. percent to 30 percent a year—even Yes, plan to use within three to five years 2% Enlist the guys who have experi- faster when measured by the num- ence developing for the Web.” ber of complex contracts it needed SOURCE: CIO Research More caveats: Although it’s not to manage. “We can go out and a common issue, some applica- turn on five or six hospitals tomorrow. We need the flexibil- tions call for specific hardware. If that’s the case, says For- ity to move data quickly,” Menefee says. But setting up and rester principal analyst James Staten, forget about running provisioning new regional offices was taking months. the application in the cloud. And database performance in As Menefee settled into his new job, he realized that run- the cloud can still be problematic, says John Engates, CTO ning at least some of his applications outside Schumacher’s of Rackspace, an IT hosting company based in San Antonio, data center would solve a number of problems. Menefee Texas. decided to combine a custom application built by Apptus, On the other side of the ledger, though, CIOs will find an ISV, with a Salesforce.com CRM application to handle benefits from cloud services, including more scalability, thousands of contracts among his company, the hospitals faster deployment times, and a simpler data center. There’s and the doctors. Those moves, which involved about half no rush, but while you keep your feet firmly on the ground, of the company’s IT infrastructure, avoided the expense of it’s time to take a peek into the cloud. n his hiring an additional three to five full-time IT staffers, at a cost of $40,000 to $80,000 a year, plus a large outlay for Bill Snyder is a freelance writer specializing in technology and additional hardware, he says. business.

CIO Focus Forecast: Cloud Computing Looms Big on the Horizon 7 PUTTING IT TO WORK

Capex vs. Opex significantly raise the monthly overall cost to host a server. In the recent UC Berkeley Cloud Computing Paper (see page 14), the RAD Lab estimates that cloud providers have lower Most people miss the point costs by 75 to 80 percent vis a vis internal data centers. Some about cloud economics of this advantage is due to purchasing power through vol- ume, some through more efficient management practices, ou don’t have to spend much time around cloud and, dare one say it, because these businesses are managed computing before you run into arguments regard- as profitable enterprises with a strong attention to cost. Ying cloud economics and you will undoubtedly Therefore, the typical cost discussion regarding internal encounter the phrase “Capex vs. Opex.” This refers to the data center versus cloud provider costs is typically over- fact that stocking your own data center requires capital simplified and fails to assign a true cost structure to the expenditure, while using an external cloud service that internal data center side of the comparison. This isn’t really offers pay-as-you-go service falls into ongoing operating surprising, given that most IT organizations really don’t expenditures: thus the contrast of “Capex vs. Opex.” The have a clear understanding of their true costs to begin with, next go-round of the argument then devolves into a tussle as my discussion about Activity-based Costing pointed out about which alternative is cheaper. (see the section headed “Do the Math Correctly.” Another There have been many discussions comparing the cost perspective about why this comparison falls down comes of a 7X24 use of an Amazon EC2 instance against the cost from a blog posting by Steven Oberlin, Chief Scientist at Cas- of hosting a server within a company’s data center. Usually satt, commenting on a recent post of mine discussing cloud people take the average selling price of a 1U server, divide it TCO. He noted that these kinds of cost comparison ignore by 36 (the number of months in the typical expected service the utilization of the internal server: if it’s running at 20% life of a piece of equipment) and show that it totals less per utilization, the effective cost of a given level of computing is month than renting from Amazon. Therefore, they conclude, actually five times higher than typically assumed in these cloud computing is bound to be more expensive than self- cost comparisons. owned, which means it’s inappropriate for typical corporate However, even this does not fully explore the reasons apps that require round-the-clock availability. A further IT organizations and, more crucially, senior general cor- nuance often thrown in is the faintly ad hominen attack that, porate management, are interested in cloud computing. since cloud providers seek to make a profit, they are ipso This is where we move into capex vs. opex territory—and facto more expensive than internal data centers. even most cloud advocates, who pontificate about the opex In my opinion, much of this discussion is wrong, mis- advantages of cloud computing, fail to limn the full range understands the real key issues for most companies, and of reasons cloud computing is attractive in this respect. On misdirects the conversation away from where it should be the other hand, I have heard people describe the difference directed, which is what proportion of the total portfolio of between the two types of expenditure as regards cloud com- corporate applications are appropriate for external cloud puting as unimportant—after all, they point out, it’s all cash hosting, and what decision criteria should be used to make flow, and whether the expenditure is for a capital good or that assessment—and for sure, economics is not the sole an EC2 payment, it’s still the same amount of money. (This criterion. I just completed a series on “The Case Against naturally does not address the topic just discussed, which Cloud Computing” and TCO was only one of the five issues is that they probably aren’t the same amount of money, but discussed. you get the point—the assertion is that, given a set amount To turn to the most apprehensible part of the discussion, of payment, the type of “bucket” it comes from is irrelevant). the actual cost of internal data centers vs. external cloud. This is enormously wrong, and fails to comprehend why Comparing the monthly cost of an EC2 server against a puta- cloud computing will be so popular among senior corporate tively similar piece of hardware in a data center is simple- management. minded, because it overlooks: For starters, even if the cash outflow was roughly the 1. The direct costs that accompany running a server: same, the cloud alternative would be more attractive. This power, floor space, storage, and IT operations to manage is because a payment on a capital good like a server is one those resources. of a series—each of which the enterprise is committed to, 2. The indirect costs of running a server: network and no matter if the server is being used or not. Once you pur- storage infrastructure and IT operations to manage the chase a capital good, you’re stuck with it, as anyone who general infrastructure. has purchased a car understands. Even if you’re no longer 3. The overhead costs of owning a server: procurement excited about owning it, the finance company still expects and accounting personnel, not to mention a critical resource its monthly payment. in short supply: IT management and its attention. By contrast, if you rent a car, you are committed to it only When added to the cost of a internal server, these factors as long as you want to use it—and once you’ve paid for that

CIO Focus Forecast: Cloud Computing Looms Big on the Horizon 8 PUTTING IT TO WORK

use, you have no further financial obligation. And guess who offer fixed costs, more transparency, and more flex- what, pretty much everyone understands that you pay a ibility. n premium for that flexibility, i.e., a rental car costs more per day than the same car would, if purchased. In MBA-speak, Bernard Golden is CEO of consulting firm HyperStratus, which there is an option value in that flexibility, for which a pre- specializes in virtualization, cloud computing and related issues. mium is paid. He is also the author of “Virtualization for Dummies,” the best- Consequently, even if the cloud alternative were more selling book on virtualization to date. expensive over a given duration, it’s understandable, since there is no implied commitment beyond the duration. Fur- thermore, there is an imputed value to the scalability offered by the cloud alternative—the fact that I can easily grow my consumption in a short period is itself valuable, and, natu- Cloud Computing: Don’t rally, carries an option value. Therefore, one can conclude Get Caught Without that, given the option values associated with cloud comput- ing, companies might be willing to pay more than the cost of An Exit Strategy an equivalent amount of internal server capability. The really crucial aspect about the opex character of cloud Before you trust your business computing should be based on a better understanding of the role of capital expenditure within companies. Companies to the cloud, be sure you are limited by the public markets in the amount of capital know how to get out expenditure they are able to make (in the case of privately held companies, the limitation is not imposed by public mar- hen the IT world looks back at 2008, it will cer- kets, but by lenders who benchmark against public company tainly remember the global financial crisis. But ratios). Because capital investment is limited, companies Wit will also likely link that time frame with the usually want to direct their investment toward revenue- takeoff of cloud computing, the engine behind more confer- generating activities. This is why many companies prefer ences, conversations and marketing collateral than seem- to lease real estate rather than purchase—they don’t want ingly any other technology in development today. to tie up precious capital in dead assets. And amid all the hubbub about whether and how to get Rightly or wrongly, many companies view IT as the latter into the cloud, there’s growing concern about how to get type of investment, and manage it with an eye to minimize out. its cost. This is why IT reports to the CFO in many compa- Vendor lock-in is one of the primary fears expressed by nies. As one colleague who consults on financial strategy IT leaders considering a move to this setup. And the recent with many large companies said “You know what we think announcement that Coghead Inc., maker of a cloud-based of IT? We think it always shows up, spouts unintelligible enterprise application development system, is shutting its jargon, and asks for huge lumps of cash.” With a perspec- doors has exacerbated that fear. tive like that, it’s easy to understand why any initiative that Cloud computing is an architecture in which compa- promises to reduce lumpy capital investment and trans- nies consume technology resources as an Internet service form it into smoother operational expenditure would be rather than as an owned system. Much of the fear of lock-in extremely attractive to bean counters. is caused by misconceptions, says John Willis, a systems Given all these factors, trying to fight cloud computing by management consultant and author of an IT management making comparisons between the cost of running an inter- and cloud blog. When people talk about lock-in, they often nal server versus the cost of a cloud-based on is off-target. don’t distinguish among the several cloud types that exist, Unless the cloud numbers are significantly higher, there are each of which requires varying degrees of commitment. many attractive aspects to cloud economics that would cause Moreover, he says, the degree of lock-in needs to be general senior management to view it as very desirable. A weighed against the advantages of using the system. “People much better strategy would be to identify decision crite- wind up saying things like, “’The cloud is dead because of ria for determining whether a given application should be lock-in,’” he says. “Well, what cloud are you talking about? hosted internally or could be moved to a cloud environment. I can give you five scenarios where lock-in is an issue and With defined criteria, a portfolio analysis can be undertaken five others where it isn’t.” to make a set of recommendations and create an action plan. But while some vendors debate whether lock-in exists, But providing “proof” that internal servers are cheaper is most agree there are technical reasons for concern. a losing strategy, and reminds me of arguments I’ve heard made by HR, legal, and other administrative groups—just The debate rages before their responsibilities were outsourced to providers Last October, Tim Bray, director of Web technologies at Sun

CIO Focus Forecast: Cloud Computing Looms Big on the Horizon 9 PUTTING IT TO WORK

Microsystems Inc., began a robust debate about lock-in on which provides a cloud-based application life-cycle manage- his Cloudy-Times blog. ment system and runs most of its own business on the cloud. He argued that lock-in exists if you can’t pull an applica- He argues that data housed in traditional systems such as tion off one system and move it fairly easily to another. those of SAP, Oracle or is just as locked in as any “If cloud computing is going to take off,” he said in his cloud system, but people are more concerned because the blog post, “it absolutely, totally, must be lock-in-free. What systems are not on their own premises. that means if that I’m deploying my app on Vendor X’s plat- “The common misperception is that because data is within form, there have to be other vendors Y and Z such that I can reach, it’s somehow more accessible than when it’s remote,” pull my app and its data off X, and it’ll all run with minimal he says. “But the reality is that it’s like money: If it’s in a tweaks on either Y or Z. At the moment, I don’t think either vault, it doesn’t matter whether the vault is. It’s locked up, the Amazon or Google offerings qualify.” regardless.” “Are we so deranged,” he continued, “that we’re going to Exacerbating this fear is the immaturity of the cloud re-enact, wide-eyed, the twin tragedies of the great desktop market, Staten says, adding that IT leaders can’t help but suite lock-in and the great proprietary SQL lock-in? You ask, “When the shake out comes, is this vendor going to know, the ones where you give a platform vendor control make it?” over your IT budget? Gimme a break.” That’s the case for Christopher Barron, CIO at CPS Energy. This inspired DeWitt Clinton, head of developer pro- “We are very concerned about being locked into a specific grams at Google, and others to respond, and a lively debate vendor for a multiyear time period without knowing if they ensued. have the capability to serve us properly,” he says. In general, a lack of standards For that reason, Barron is mov- hampers the portability of data Primary Reasons You’re Using ing into cloud computing slowly, and applications between systems, or Plan to Use Cloud choosing certain business pro- says James Staten, an analyst at Scalability on demand/flexibility to the business 50% cesses that fit into this architec- Forrester Research Inc. While the Reduced hardware infrastructure costs 38% ture without having to commit the popular hype implies that mov- entire enterprise to the cloud. Reduced IT staffing/administration costs 35% ing to the cloud doesn’t require “By taking it in pieces, we can Access to skills/capabilities we have 28% any heavy lifting, that’s not true in no interest in developing in-house experiment, tune and adjust while some forms of cloud computing. mitigating a large financial com- Not using or planning to use 19% Particularly with software and cloud computing offerings mitment risk,” he says. platform as a service, vendors use “Vendor viability is less of a con- Capacity - data center 16% unique and proprietary interfaces, cern if you’re using it for a short- application programming inter- Capacity - storage 11% term project like a promotional faces (API) and databases. To take Frequent software updates 10% service or an application you want full advantage of the system, users Other 5% to test,” Staten says. or third parties need to program to those specifications to varying *Respondents selected up to three criteria Staying out of the vault SOURCE: CIO Research degrees. If they grow dissatisfied Another way to approach the lock- with the service, or if the vendor in conundrum is to use Willis’s goes under, data and/or applications would need to be refor- rule of thumb: The higher you go in the cloud taxonomy, matted in order to switch providers or move it back in-house, the higher the risk of lock-in. which could be complex and costly. With cloud storage, for instance, data is easily transport- “If you deploy to any cloud out there, some degree of your able because it’s stored in servers, he says, but with deployment is tied to the vendor, through the unique virtual cloud software and platforms come nonstandard APIs, sys- machine or unique APIs you write to, or the unique configu- tem calls and other proprietary technologies. ration or composition of the application,” Staten says. A case in point is Microsoft Corp.’s Azure Services Plat- “You’ve made a choice to be involved in a certain ecosys- form, which provides an operating system and a set of devel- tem,” notes Michael Crandell, CEO of RightScale Inc., a oper services to build cloud-based applications. cloud infrastructure provider. “There are APIs and plat- As Staten points out, with Azure, users write to a set of forms in the cloud world that create a walled garden. You get cloud services in a way that’s different from writing to the the benefits of that garden, but you’re also restricted.” same services deployed in their own environment. The calls to the SQL database, he explains, are different from the calls Then, there’s fear itself in Azure. To move to a different provider, users would have Technicalities aside, lock-in is also an emotional issue, says to understand how to translate those API calls into SQL Rene Bonvanie, senior vice president at Serena Software Inc., Server calls, he says.

CIO Focus Forecast: Cloud Computing Looms Big on the Horizon 10 PUTTING IT TO WORK

To minimize the complexity and cost of doing that, he late what happens to its cloud software vendors’ source code says, cloud users should try to touch proprietary and non- if the vendors cease operations. Bonvanie says he has found standard elements as lightly as possible. That’s what Right- that cloud vendors are more forthcoming about doing this Scale claims to pull off with its management tools, which than most traditional vendors. work with a variety of cloud infrastructure providers, such It’s also essential to set policies early on as to how your as FlexiScale, GoGrid and Amazon.com. company is going to use the cloud and under what circum- As Crandell explains, its tools create an abstraction layer stances, Staten says. This is especially important when it on top of these services, which effectively minimizes user comes to securing data in the cloud, which often requires reliance on proprietary technology and makes its tools por- customization by the user. “You have to do things above table across providers. “We shield companies from having and beyond what the cloud vendor provides to be secure to write a specific solution for, say, Amazon and then have or compliant,” he says. to rewrite again for each cloud,” he says. So if you want to use five different cloud vendors, for What’s more, Crandell says, RightScale’s source code instance, you need to be sure beforehand that you can apply is available to users, so if they wanted to move away from those customizations to all five platforms. RightScale, they could. Creating these types of policies is not something many This approach makes Christian Taylor, CEO of MeDeploy, companies are doing yet, “because use of the cloud right feel that his company’s infrastructure product offers free- now is a bit like the Wild West,” Staten says. dom of choice. MeDeploy offers a system—based on Amazon EC2 and managed with RightScale tools—that allows film Contract confusion distributors to build online ecosystems for distributing and There’s more than one way to get locked into a cloud vendor’s selling films. system. An often-overlooked method is through a contract. “If anything, [moving away from EC2] would be easier As Gartner analyst Richard Ni points out, because cloud than [exiting] an on-premise system,” he says. “It uses stan- computing is seen as a utility that you can turn on and off dard hardware, so if a competitor made us think of switch- at will, some people don’t look at the terms of the contract, ing to a different cloud, we could just set up a whole other which might specify a commitment of several years. “People cloud system, load it up and then switch over.” don’t even realize they’ve been locked in if they have weak contracting knowledge or expertise,” he says. Ensure that The risk/benefit dance your team has a full understanding of the contract terms Avoiding the proprietary aspects of a vendor’s system really and conditions, Ni warns. comes down to a risk/benefit tradeoff, Staten says. You need However, Staten points out that security customization to weigh the advantages of using provider-specific technol- is yet another way to get locked into a particular vendor, ogy against the vendor’s vulnerability. because if you wanted to move to a different provider, you Take Salesforce.com Inc., which uses a proprietary pro- would need to unwind and then redo all that work. gramming language and APIs, he says. “Years ago, no one was writing custom applications in Salesforce or leveraging Maturity takes time their APIs, because they didn’t know if they’d be around,” he Over time, standards will develop, Staten says, most likely says. “Now that they’ve been around 10 years and are well driven by customer demand. This won’t happen without capitalized, those things are in high use.” tension, he says, because customer demand will be offset To determine a vendor’s viability, Staten proposes doing by the advantages that vendors see in lock-in. For that rea- in-depth research, asking the vendor to provide under a son, users need to be adamant about which standards they nondisclosure agreement information such as its cash posi- desire and where they’re most important. One crucial area tion. He also talks to the venture capitalists backing the is in using open Web services in application-to-application company about their commitment to it. In addition, Staten communication, Staten says. recommends asking references whether they’re just dipping Gartner Inc. analyst Richard Ni contends that IT lead- their toes in the water with a vendor or making a bigger ers can encourage standards development by ensuring that commitment. their teams consider a wide range of vendors and technolo- Serena Software’s Bonvanie also advises companies to gies beyond the obvious leaders. “We will encourage lock-in specify an exit strategy in their contracts. “The imperative if we close our eyes to other vendors in the industry,” he is that you agree with your vendor on what the procedures says. “The CIO has a role to play in ensuring several vendors are for abandoning their application, if needed,” he says. For are involved in the assessment, selection and due diligence instance, how does data come out, and what is the vendor’s process.” involvement in making that happen? How much time do you As the hype about cloud computing begins to settle down, have to get the data out after service nonrenewal? the hope is that lock-in concerns will grow more rational In many of its contracts, Serena inserts escrows to regu- and less emotional. That will be a welcome development to

CIO Focus Forecast: Cloud Computing Looms Big on the Horizon 11 PUTTING IT TO WORK

Bonvanie, who sees just as much risk with traditional com- historical stock and mutual fund information, rather than puting systems. In fact, his use of NetSuite Inc.’s Web-based add the load to its own database and computing infrastruc- business software and IntAcct Corp.’s Web-based ERP soft- ture. Likewise, Infosolve Technologies uses Sun’s Network. ware has convinced him that they have easier interfaces and com grid-in-the-cloud utility to scrub customer addresses procedures to retrieve and unload data than SAP AG does. rather than stand up that infrastructure internally. “What gets me nuts is that the same people who are con- In another realm of cloud computing, companies such cerned about lock-in in the cloud are not concerned about as medical robotics firm Intuitive Surgical and recruitment it behind the firewall or on-premise systems, where people services provider Jobscience use in-the-cloud development normally run mixtures of three or four different breeds of environments to create a provision their own applications. Unix,” Willis agrees. “It’s much harder to move from AIX to Both companies use Salesforce.com’s Force.com platform as Sun than to move from Amazon to FlexiScale,” he says. a service, the ungainly name for this online IDE service, but Willis looks forward to the day when people stop asking other firms such as Coghead offer their own platforms. whether the cloud causes lock-in. “It’s the wrong question,” These two forms of cloud computing—utility comput- he says. “The cloud is just the furniture.” Instead, Willis says, ing and platform as a-service—are exciting developments. remove the word cloud altogether and ask, “Is there lock-in Unlike SaaS (software as a service), they’re aimed squarely in the choices I’m considering?” n at IT users, not at business users looking to bypass IT (or that IT is happy to let someone else take care of). But despite Mary Brandel is a Computerworld contributing writer in Newton, early promise, analysts say there’s a long way to go before Mass. Contact her at [email protected]. they’re a mainstream part of your datacenter. So the ques- tion is: Do you sit back and wait for them to mature, or do you experiment so that you can get early advantage when they’re enterprise-class?

Early Experiments in Computing in the sky Cloud Computing Nasdaq OMX has lots of stock and fund data, and it wanted to make extra revenue selling historic data for those stocks and funds. But for this offering, called Market Replay, the Cloud computing has many company didn’t want to worry about optimizing its data- faces, some just beginning bases and servers to handle the new load. So it turned to to take shape. But at the Amazon’s S3 service to host the data, and created a light- weight reader app using Adobe’s AIR technology that let New York Times and Nasdaq, users pull in the required data. “If I’m someone like Nasdaq, first steps into on-demand it’s a cheap experiment,” says Nik Simpson, a senior analyst infrastructure show promise at the Burton Group. The traditional approach wouldn’t have gotten off the ground economically, recalls Claude Courbois, an associate ou know there’s substance behind a technology vice president for data products at Nasdaq: “The expenses of buzzword when companies such as the Nasdaq keeping all that data online was too high.” So Nasdaq took YOMX stock exchange and the New York Times its market data and created flat files for every entity, each publishing company use it for real production efforts. holding enough data for a 10-minute replay of the stock’s or Cloud computing is the latest buzzword that vendors are fund’s price changes, on a second-by-second basis. (It adds using to spruce up the usual sales spiel, and the fever pitch 100,000 files per day to the several million it started with, is enough to make you think, “Dot-com boom, here we go Courbois says.) The Adobe AIR app Courbois’ team put again.” While the skepticism is warranted, something very together in just a couple days pulls in the flat files stored at real is happening, and IT needs to pay attention. Amazon.com and then creates the replay animations from So what are Nasdaq and the Times doing? In a phrase, them. The result: “We don’t need a database constantly stag- utility computing. Both have tapped into Amazon.com’s ing data on the server side. And the price is right.” Internet-provisioned computing and storage services— The New York Times also used S3 for a data-intensive Elastic Compute Cloud (EC2) and Simple Storage Service project: converting 11 million articles published from the (S3)—to augment their own IT resources. newspaper’s founding in 1851 through 1989, to make them The Times processed 4TB of data through EC2 and S3, available through its Web site search engine. The Times using a credit card to get the service going in a matter of min- scanned in the stories, cut up into columns to fit in the scan- utes so that it could convert scans of 15 million news stories ners (as TIFF files), then uploaded those to S3 — taking 4TB into PDFs for online distribution. Nasdaq uses S3 to deliver of space — over several WAN head connections from the

CIO Focus Forecast: Cloud Computing Looms Big on the Horizon 12 PUTTING IT TO WORK

Times’ datacenter. skills were easily tuned to the style of Sun’s grid apps. That The Times didn’t coordinate the job with Amazon — let Infosolve offer its customers a turn-key data-scrubbing someone in IT just signed up for the service on the Web service it couldn’t afford to stand up itself. “It’s an offsite using a credit card, then began uploading the data. “After datacenter. And we pay only for what we use,” he adds. about 3TB, we got an e-mail [from Amazon.com] to ask The grid’s quick scalability has meant that Infosolve if this would be a perpetual load,” recalls Derek Gottfrid, doesn’t need to worry about balancing customers’ loads. But senior software architect at the Times. another factor also helps Infosolve avoid worrying about Then, using Amazon.com’s EC2 computing platform, the scheduling: The jobs are batched, and customers have no Times ran a PDF conversion app that converted that 4TB of expectation of real-time response. Thus, if resources do run TIFF data into 1.5TB of PDF files. Using 100 Linux comput- out, the customer won’t ever know. Ditto if there’s a failure: ers, the job took about 24 hours. Then a coding error was “We can just restart the job,” Manchiraj says. discovered that required the job be rerun, adding a second day to the effort—and increasing the tab by just $240. “It Testing out online IDEs would have taken a month at our facilities, since we only had Less mature than the cloud infrastructure plays are the a few spare PCs,” Gottfrid says. “It was cheap experimenta- app dev and app hosting platforms provisioned over the tion, and the learning curve isn’t steep. Internet. These are intended for apps that will be delivered Digital Fountain, a digital-media distribution company, over the Internet and through the browser anyhow, such as uses the EC2 service to deliver mobile videos over the Inter- online commerce and services and apps delivered to mobile net. When the company decided to launch this new offering, and remote employees. So it’s no surprise that most early “we didn’t want to buy our own servers and get the people to adopters of these online IDEs are themselves Web-based do that work,” says CTO Mike Luby. So Digital Fountain now service providers. streams them from Amazon.com’s EC2 servers. Because A typical example is Jobscience, a provider of recruiting Amazon.com doesn’t guarantee availability, Digital Fountain services. The company had been using Salesforce.com’s streams the video from several servers, ensuring built-in customization tools, so it had gown comfortable with the backup for its provisioning. And it can throttle the num- underlying service availability. At the same time, the com- ber of servers to match demand as it rises and falls, Luby pany struggled to manage its Adobe ColdFusion-based notes. server environment, so CEO Ted Elliott began looking at Over time, Luby expects to rely on other providers using an outside hosting firm to simplify its ability to provi- in addition to Amazon.com, to sion customers over the Internet. ensure a geographic diversity to How Is Your Organization Currently “But they manage to the stack, not keep streaming times manageable, Using Cloud Offerings to the app,” Elliott says, and he as well as to increase server den- Running applications using a software 51% wanted an environment that was sity without overloading any one as a service (SaaS) model operationally optimal, not just provider. Do not currently use any cloud computing offerings 37% technically correct. So he turned There’s more to utility comput- Storage 24% to Salesforce.com’s Force.com ing than Amazon.com. Sun also Access to extra computing power on demand 19% platform as a service to create and has its own cloud-based comput- host the apps. Other 8% ing platform, Network.com. Unlike Elliott’s biggest challenge was

EC2, though, it’s a grid, meaning it SOURCE: CIO Research internal: His developers didn’t specializes in parallel processing, want to let go the control over the where a task can be broken into independent steps that a app environment. But now, “they’re starting to see what large array of processors can tackle all at once. That limits they can build that doesn’t exist [in Force.com] while using its use to applications such as rendering, data scrubbing, the basics [in Force.com] such as calendaring and schedul- and image transformation. “Not everything can be thrown ing,” he notes. So the in-house developers get to innovate at the Sun grid,” says Subbu Manchiraj, vice president for differentiating apps, not build the basics that everyone else technology at Infosolve Technologies, a provider of data already has. management services. But where a task can be parallelized, A more in-the-enterprise example is Intuitive Surgical, a the benefit is huge, he said. surgical-robotics maker. It is involved in clinical trials of its Infosolve has used the Sun grid for the past 18 months equipment, and so needs to collect and distribute data across to scrub names and addresses, making sure they are cor- a range of clinical facilities, all of which are separate firms or rect (such as verifying the ZIP code and ensuring that the entities. That data is inconsistent and hard to integrate to get street addresses are properly segmented). “With Sun, we meaningful analysis done. So Intuitive Surgical used Force. can run 2,000 processors and get the data back quickly.” com to create a forms-based app to collect that clinical data Plus, Infosolve is a Java shop, so its application development from all trial participants. “We could build it using just their

CIO Focus Forecast: Cloud Computing Looms Big on the Horizon 13 PUTTING IT TO WORK

tools, so in essence, there was no programming,” says Mark Cloud Computing Burns, a clinical data specialist at the company. But while the app is handy to collect data, Intuitive Surgi- cal can’t use it to submit trial results to the FDA. “It doesn’t What UC Berkeley can teach you have the rigor that the FDA would require,” he notes, around auditing of the data and tracking everything’s that done to ast month the UC Berkeley Reliable Adaptive Distrib- ensure the data has not been compromised or altered. uted Systems Laboratory (aka RAD Lab) published LAbove the Clouds: A Berkeley View of Cloud Comput- A long way to the cloud ing.” The report is an excellent overview of the move to cloud Despite the successful examples of the first wave of infra- computing. It identifies some key trends, addresses the top structure-oriented cloud computing, it’s early days for these obstacles to cloud use, and makes some excellent points IT-oriented forms of Internet-based provisioning, and any about cloud economics. It also, in my view, understates a few large-scale shift to them is a good decade away, notes Ben aspects of cloud computing as well, primarily as a result of Pring, a senior analyst at Gartner. But it is coming. addressing the topic with an academic detachment. Overall, Although it can be easy to set up an S3 account using it’s well worth tracking down and giving a read. just a credit card, as the Times did, provider availability is RAD defines cloud computing as having the following a big factor, notes Jon Williams, CIO of Kaplan Test Prep three characteristics: and Admission. For example, Amazon’s S3 had an outage 1. The illusion of infinite computing resources available in February, notes Burton Group’s Simpson. “If half the IT on demand, thereby eliminating the need for Cloud Com- infrastructure is unavailable, that’s a difficult situation,” he puting users to plan far ahead for provisioning. exclaims. (Another outage occurred the day this story was 2. The elimination of an up-front commitment by Cloud published.) users, thereby allowing companies to start small and Some companies can’t rely on Internet-provisioned infra- increase hardware resources only when there is an increase structure services because of regulatory compliance and in their needs. security issues, adds Williams. “Many have scary compli- 3. The ability to pay for use of computing resources on ance issues. How do you demonstrate what you are doing is a short-term basis as needed (e.g., processors by the hour in compliance when it is done outside?” says Burton Group’s and storage by the day) and release them as needed, thereby Simpson. He notes that the early infrastructure services rewarding conservation by letting machines and storage go aren’t audited, or take the liability, for security or compliance when they are no longer useful. requirements. Such issues have kept Merrill Lynch from From RAD’s point of view, an underlying requirement for using cloud-provisioned infrastructure. “We’re very bound these capabilities to be considered as cloud, they have to be by regulators in terms of client data and country-of-origin available publicly, i.e., externally. Therefore, by definition, issues, so it’s very difficult to use the cloud,” says Rupert what is often referred to as “internal clouds” is not part of the Brown, a chief architect at the financial services firm. RAD discussion. This is an interesting perspective on the To the degree that cloud computing raises risk, it will part of RAD. Certainly a significant part of the vendor com- inhibit adoption in equal measure, particularly among munity (e.g., IBM et al) are trumpeting the transformation of enterprises. But every large company has noncritical areas internal data centers into cloud environments, and therefore where low cost of entry and quick deployment trump reli- RAD is standing apart from that trend. From a definition ability, and a significant number of small businesses fall perspective, it would be easy to dismiss internal clouds due in the same category. For them, experimenting with cloud to requirement #1; however, RAD does not identify the lack computing could put them on good footing for an agile, con- of infinite resource illusion as the reason to exclude inter- nected future. That’s exactly what pioneers like Nasdaq and nal clouds from the cloud computing discussion. Instead, the New York Times have found. n it defines external availability as the key condition, thereby excluding internal clouds altogether. I will have more to say Galen Gruman is executive editor of InfoWorld. about internal clouds in the near future, but I believe the key issues involving them relate more to the characteristics listed above, rather than whether or not any Tom, Dick, or Harry can access them. RAD goes on to list ten objections (or impediments) to cloud computing: 1. Availability of Service Use Multiple Cloud Providers 2. Data Lock-In 3. Data Confidentiality and Auditability 4. Data Transfer Bottlenecks

CIO Focus Forecast: Cloud Computing Looms Big on the Horizon 14 PUTTING IT TO WORK

5.Performance Unpredictability low power mode the idle portions of the memory, storage, 6. Scalable Storage and networking, which already happens inside a micro- 7. Bugs in Large Distributed Systems processor today. Hardware should also be designed assum- 8. Scaling Quickly ing that the lowest level software will be virtual machines 9. Reputation Fate Sharing rather than a single native operating system, and it will need 10.Software Licensing Pay-for-use licenses to facilitate flash as a new level of the memory hierarchy The report also offers ways to mitigate each of the impedi- between DRAM and disk. Finally, we need improvements ments, some of which make sense, and some of them which in bandwidth and costs for both datacenter switches and don’t. For example, impediment #4: data transfer roadblocks WAN routers.” refers to the fact that if you have large amounts of data to Overall, they strongly recommend use of cloud comput- process, your Internet connection can effectively throttle the ing due to its elasticity and transfer of risk. Elasticity refers speed at which you can upload it and delay starting work on to the first point in their description of cloud computing— the data. Animation rendering is a good poster child for this; the ability to scale up and down rapidly under conditions the average animated movie is an ideal candidate for cloud in which the illusion of unlimited capacity (should it be computing as the task can be spread across many machines contemplated) is present. and the load is transient, since there is a finite amount of Transfer of risk is a really intriguing concept. Essentially, time rendering goes on: at some point the movie must be they are referring to a situation of uncertain or fluctuating released, ending the need for rendering until the next movie demand. For traditional IT shops, this type of situation is comes down the pike. risky, posing a Hobson’s Choice: either overprovision capac- RAD recommends exploring “fedexing” entire disks to ity to be certain of meeting peak demand (thus probably the cloud provider to overcome bandwidth limitations. They wasting capital by purchasing unnecessary capacity), or quote calculations that show that this option is 75 times as purchase capacity to meet average demand and thereby fast as using the network. My reaction is that Pixar can prob- forego having the processing capacity available to meet ably get special handling for its situation, but that a typical user demand greater than average. Essentially, this risk medium-sized IT shop is unlikely to get Amazon’s attention, boils down to being uncertain about how much hardware so the attractiveness of this option will remain theoretical for capacity to purchase; in environments with potential for most users. Overall, their list of impediments is not incor- extreme swings in demand, this risk is enormous. By relying rect; however, they are presented as if they are all of equal on a cloud provider to provide sufficent capacity to absorb weight, whereas some of them will have more impact on whatever user load might occur, an IT organization trans- cloud adoptions than others. I will discuss the most impor- fers the risk of capacity planning to the cloud provider. By tant impediments in this list later in this post. using a cloud provider that operates on a scale one or two RAD then goes on to make three recommendations, and magnitudes greater than any one end user organization, the this is where you should pay very, very close attention. They user can be comforted that, no matter what level of its own say: demand it puts to the cloud provider, the provider’s large 1. Applications Software of the future will likely have a infrastructure can easily manage fluctuations in overall piece that runs on clients and a piece that runs in the Cloud. demand. The cloud piece needs to both scale down rapidly as well as To sum up, RAD identifies key characteristics of cloud as scale up, which is a new requirement for software systems. reflecting an easy-to-get-going, scalable upon demand, no The client piece needs to be useful when disconnected from upfront commitment computing environment. Its recom- the Cloud, which is not the case for many Web 2.0 applica- mendations reflect systems that are attuned to that infra- tions today. Such software also needs a pay-for-use licensing structure and operating characteristics. And finally, they model to match needs of Cloud Computing. identify a number of impediments to cloud computing and 2. Infrastructure Software of the future needs to be cogni- recommend ways to mitigate them. zant that it is no longer running on bare metal but on virtual I’d like to address some implications of the report as well machines. Moreover, it needs to have billing built in from as what I view as its—if not shortcomings—its rather too- the beginning, as it is very difficult to retrofit an account- glib assumptions regarding this new environment.. ing system. As to implications, in its first recommendation, RAD sug- 3. Hardware Systems of the future need to be designed at gests that “the emphasis should be horizontal scalability to the scale of a container (at least a dozen racks) rather than at hundreds or thousands of virtual machines over the effi- the scale of a single 1U box or single rack, as that is the mini- ciency of the system on a single virtual machine.” This sen- mum level at which it will be purchased. Cost of operation tence carries significant implications for IT organizations. In will match performance and cost of purchase in importance particular, it suggests that cloud-based applications need to in the acquisition decision. Hence, they need to strive for be architected with specific capabilities—easily partionable, energy proportionality by making it possible to put into able to incorporate additional resources without need for

CIO Focus Forecast: Cloud Computing Looms Big on the Horizon 15 PUTTING IT TO WORK

manual intervention, lack of concurrency contention for key We can expect that support of the type of pricing RAD resources, and so on. These capabilities map extremely well recommends will present significant issues for software to the cloud characteristics they identify. The key challenge vendors. They will want to craft pricing supportive of their this poses to IT organizations is that most applications today current licensing schemes and revenue streams. Being are not architected this way; most assume a relatively stable reluctant to endanger current licensing means that vendors load and a fixed topology. In other words, most of the skills will probably take a long time to actually deliver the pric- in today’s IT shops are not oriented toward the architecture ing structure RAD recommends. That probably won’t be RAD recommends as the basis for cloud-based apps. Prob- much of a problem for applications designed consistently ably the nearest most mainstream IT shops come to this with traditional architectural assumptions, but will pres- kind of application is web-based systems, but these repre- ent real challenges for IT organizations that seek to design sent only a fraction of the overall application portfolio. applications consistent with RAD’s recommendations. Con- This is not to say that traditionally-architected applica- sequently, the recommendation that infrastructure software tions cannot be run in cloud environments, merely to note needs to have billing built in glosses over real challenges IT that to fully leverage the unique characteristics of clouds organizations will face as they attempt to incorporate cloud a different architecture is required. Moreover, the type of infrastructures. For this reason, I expect that open source applications that clouds enable, along with the suggested will get a boost from the move to cloud software, since it architecture, are just the type that could not be counte- can be more easily implemented in a horizontal scaling nanced in traditional data centers, operated as they are with environment. assumptions of capacity scarcity. The second challenge that is glossed-over in the report There are two aspects of the report that minimize issues resides within IT itself. In its list of adoption impediments, that will challenges mainstream IT organizations will con- the report identifies “Data Confidentiality and Auditability.” front when moving to cloud computing. One of those chal- This is a commonly-cited issue, and the report recommends lenges emanates from outside IT: it is located within the some ways to address it. However, too often this issue is vendor community. The second resides within IT itself and raised as a stalking horse for a whole range of objections relates to internal cultural issues. relating to risk that are brought up as reasons to avoid cloud In its second recommendation, RAD advises that “Infra- computing. I have often heard these kinds of issues voiced structure Software of the future needs to have billing built reflexively, trotted out as rationales for sticking with the in from the beginning.” In that statement a whole range of current mode of operation. While RAD has identified logical issues resides. Infrastructure software, in this formulation, ways to address the issues, it fails to recognize that this battle refers to commercial software obtained from third parties, is fought emotionally, not logically. Many IT organizations i.e., databases, application servers, and so on. Most IT orga- will hang back from cloud computing, citing these risks, nizations would tend to look toward current vendors for but really preferring to avoid embracing something new infrastructure software, given pre-existing relationships, that seems challenging. In my experience, culture always a trained employee base, and a desire to minimize compo- triumphs logic, and poses an enormous barrier to change. nent duplication. However, most software vendors are likely If you’re advocating cloud computing, prepare to confront a to take a long time to deliver this billing requirement. In concern with risk that will be steady and stubborn. particular, most vendor licensing assumes that individual With its report, RAD has indicated that academic institu- software packages will be tied to a specific piece of hardware, tions are paying attention to technology trends. The work and is licensed on a perpetual basis. There is definitely no RAD did for its report is excellent and valuable and should pricing model that incorporates the likelihood of the num- be required reading for anyone considering the potential of ber of operating instances of the package ballooning up cloud computing. n and down with charges based upon duration of execution. Oracle has announced support for its products in AWS, but Bernard Golden is CEO of consulting firm HyperStratus, which I believe its pricing is consistent with current assumptions specializes in virtualization, cloud computing and related issues. and traditional application architecture, i.e., no ballooning He is also the author of “Virtualization for Dummies,” the best- or limited-duration pricing. Likewise, IBM has announced selling book on virtualization to date. AWS support, but pricing (and the pricing basis) is not yet available.

CIO Focus Forecast: Cloud Computing Looms Big on the Horizon 16 “In a shared pool outside the enterprise, you don’t have RISK/REWARD any knowledge or control of where the resources run. So if you have a concern over data location, as an example, that may be a reason for not using it,” Cearley says. The Dangers of Security standardization has Cloud Computing not come to the cloud There is a huge body of standards, including services like On-demand apps and services SAS Interaction Management, for example, that apply for IT security and compliance, governing most business interac- have several security risks that tions that will, over time, have to be translated to the cloud, IT should address up front notes consultant Greenbaum. But in the meantime, until security models and standards he idea of cloud computing—designed around an emerge for cloud computing architecture, most of the risk architecture whose natural state is a shared pool out- and blame if something goes wrong will fall directly on the Tside the enterprise—has gained momentum in recent shoulders of IT—and not on the cloud computing service months as a way to reduce cost and improve IT flexibility. providers. “The Salesforce.coms and NetSuites of the world But the use of cloud computing also carries with it security don’t offer the kind of governance, risk, and compliance risks, including perils related to compliance, availability, [mechanisms] mandated by regulatory regimes,” Green- and data integrity. baum says. Yet many companies don’t think through those risks upfront. For example, having proper failover technology A best practice guideline for cloud computing in place is a component of securing the cloud that is often Ultimately, the consumer of the services is responsible for overlooked, notes Josh Greenbaum, principal at Enterprise maintaining the confidentiality, integrity, and availability Applications Consulting. Yet these same companies make of data, agrees Kristin Lovejoy, director of IBM’s security, sure they have failover for established services, like elec- governance, and risk management division. tricity. “If you look around, go to Lovejoy cites by way of exam- any major facility, what is sitting Greatest Concerns Surrounding ple the fact that the HIPAA in a box outside is an alternative Cloud Adoption at Your Company (Health Insurance Portability power supply. They don’t rely on Security 45% and Accountability Act) makes just the grid,” says Greenbaum. Integration with existing systems 26% no specific statements regard- He argues that cloud computing ing outsourcing or offshoring. Loss of control over data 26% should be no different. Instead, the act’s sections 164.308 Availability concerns 25% In some cases, the risk is too and 164.314 simply require that a great to rely on the cloud. And Performance issues 24% company get assurance from any where the decision is made to put IT governance issues 19% third parties handling its data that some services and applications Regulatory/compliance concerns 19% the data will be safeguarded, she in the cloud, the business must notes. Dissatisfaction with vendor offerings/pricing 12% ask how that risk should be man- As far as placing limitations on aged. Ability to bring systems back in-house 11% when to deploy the cloud, Lovejoy David Cearley, a vice president Lack of customization opportunities 11% advises that companies adhere to and fellow at Gartner, says placing Measuring ROI 11% Geoffrey Moore’s consideration of limits on the use of cloud technol- Not sure 7% “context versus core.” (Moore is a ogy is a subtle issue that com- business strategist and managing Other 6% panies have to examine closely, partner of TCG Advisors.) measuring the risk against when *Respondents selected up to three criteria. Core business practices pro- and where cloud computing SOURCE: CIO Research vide competitive differentiation. can be effective. For example, by Context practices deliver business giving up some control over the data, companies get in activities that are typically internal, such as HR services and exchange cost economies. IT, along with other C-level execu- payroll. Both core and context can be divided into mission- tives, must decide if that trade-off is worthwhile. Cearley critical applications and non-mission-critical ones. “If a non- says that everything will eventually be available as a cloud mission-critical application goes offline, the company can service—but at any individual business, not everything will survive,” Lovejoy says. be accessed from the cloud. The rule of thumb Moore comes up with, notes Lovejoy,

CIO Focus Forecast: Cloud Computing Looms Big on the Horizon 17 Risk/Reward

is this: If the business practice is context and non-mission- that do business across national boundaries, as different critical, then always put it in the cloud. If it is context and privacy and data management laws apply in different coun- mission-critical, it is likely you should make it cloud-enabled. tries. For example, the European Union places strict limits However, if it is core and non-mission-critical, you may want on what data can be stored on its citizens and for how long. to think about keeping it behind the firewall; if it is core and Many banking regulators also require customers’ financial mission-critical, then definitely keep it behind the firewall, data to stay in their home country. Many compliance regu- she says. lations require that data not be intermixed with other data, such as on shared servers or databases. Good security takes time Today, you never know where your data is stored in the The cloud approach doesn’t map naturally to how good secu- cloud. And that fact raises all sorts of compliance issues rity is typically designed, says John Pescatore, Gartner’s around data privacy, segregation, and security. But this chief security analyst and a man whose résumé reads like indeterminate location is beginning to change. For exam- it came from a James Bond movie, including a stint with the ple, Google lets customers specify where their Google Apps FBI, the National Security Agency, and the Secret Service. data is stored, thanks to its acquisition of Postini, an e-mail The area that worries Pescatore most is how quickly security company. The Swiss Bank for example, wanted its cloud-based services are updated and changed. He cites customer data files stored in Switzerland, which Google can Microsoft’s painstaking development of the SDLC (Software now do. Development Life Cycle) initiative that assumes mission- Further out is the ability to physically separate your critical software will have a three- to five-year period in data from other customers’ data in the cloud’s multitenant which it will not substantially change. architecture, says Pescatore. But he foresees such separa- “In the cloud, every two weeks we add a new feature, tion being enabled from the still nascent but increasingly changing the app all the time. But the secure SDLC is not powerful virtualization technology. built to do that. We are going back to the old Netscape days of pushing out new features real quick, and nobody has a Trust your “control freak” impulse security cycle that moves that fast,” Pescatore says. The security experts agree that no matter how stringent a What makes matters even worse is that the business user vendor’s SLA (service-level agreement) or how strong its can’t say he wants to stay on the old version. “In the cloud security technology, reducing risk in any environment rests you have to accept the next version, possibly nullifying any with the individual company’s willingness to audit what is security that was built into the old application or assumed and what is not working. through integration at the customer site. Consultant Greenbaum says we all have a bit of the “con- trol freak” in us, trusting no one but ourselves. Perhaps that Winners and wannabes in cloud-based security is a good thing, he says. When it comes to cloud computing, In the near term, where security is core and mission-criti- the experts fundamentally offer the same advice, which can cal—the upper end of the enterprise, financial institutions, be summarized by two very famous quotations, one an old and the government—IT will have to add its own security Russian proverb that President Reagan liked to use—“trust layer. That means cloud computing won’t be any cheaper but verify”—and the other by ’s famous former CEO, than running the application in-house, says Pescatore. Andy Grove—“only the paranoid survive.” n “But a few years from now, strong security will be pushed down a layer, and there will be enough security baked in for Ephraim Schwartz is editor at large at InfoWorld. He also writes all but perhaps the DoD,” he says. the Reality Check blog. But if larger enterprises can’t yet rely on security in the cloud-provided security, smaller companies may actually get better security from the cloud, says Pescatore. One reason is that a cloud provider can invest more in security than any individual small business could, because the cost Cloud Computing Survey is applied across hundreds of customers. Another is that as soon as a cloud provider patches a security vulnerability, all IT leaders see big promise, its customers are protected immediately, unlike the case for have big security questions downloadable patches that IT must apply itself.

Gaining control over data location loud computing has become too popular a term for its Another issue that can affect customers large and small—the own good. As Oracle chief Larry Ellison pointed out location of their data—will see a shift in the next few years, Crecently, so many tech marketers are using the term Pescatore says. That’s especially important for companies “cloud computing” in so many contexts that it can almost

CIO Focus Forecast: Cloud Computing Looms Big on the Horizon 18 Risk/Reward

mean anything—and thus often means nothing. Still, a new And research firm IDC (a sister company to CXO Media) CIO survey of IT and business leaders shows that Ellison’s believes the current U.S. economic woes will only drive more dismissal of cloud as a disruptive force in the technology enterprises to consider and adopt cloud offerings. IDC pre- industry is premature. Among our survey respondents, 58 dicts that spending on IT cloud services will hit $42 billion percent say cloud computing will cause a radical shift in by 2012. “The cloud model offers a much cheaper way for IT and 47 percent say they’re already using it or actively businesses to acquire and use IT—in an economic downturn, researching it. the appeal of that cost advantage will be greatly magnified,” Just 18 percent of our survey respondents call cloud com- noted Frank Gens, senior VP and chief analyst at IDC. puting a “passing fad.” Still, some of you refuse to even think of cloud comput- CIO surveyed 173 IT and business leaders in August, ing as a technology, per se. “We view it as another sourcing 2008 to get first-hand feedback on what enterprises really option,” wrote one respondent to our survey. think about cloud computing, and how, when and why they plan to deploy it in their enterprises. (Among our respon- When you’ll jump into the cloud dents, 54 percent are the head of IT at their company or busi- A big question about cloud computing: When will IT ness unit; 74 percent work at companies headquartered in departments stop talking about it and start actually using the United States.) it? According to our survey results, IT’s comfort with using For the purposes of the survey, we used a broad defini- cloud options in the near term is split. Almost half of you (47 tion of cloud computing from market research firm Gartner: percent) say you’re either currently using or implementing “a style of computing where massively scalable IT-related or actively researching cloud options. capabilities are provided ‘as a service’ using Internet tech- But a notable 29 percent say you have not placed cloud nologies to multiple external customers”. Cloud computing computing on your technology roadmap yet. offerings are often described in terms such as “on-demand And breaking down these responses by those people who services”, “cloud services”, “Software-as-a-Service (SaaS)”, say they head IT in their company reveals more skepticism etc.” among IT chiefs than IT staffers: 38 percent of respondents One sentiment came through loud and clear in our sur- calling themselves IT heads say cloud computing is not on vey: IT wants the flexibility and cost savings that cloud com- their technology roadmap. puting promises—the same kind of flexibility you’ve won Consider this survey respondent’s verbatim comment from virtualization, which is a key enabling technology for as to why cloud is not on his roadmap: “We’re waiting for the cloud. But you will not rush with regards to implement- reality to strike, vendor solutions/pricing to mature and the ing use of the cloud. 54 percent of our respondents say that hype to be replaced by honest to goodness experience.” The cloud computing is an evolving concept that will take years lack of case studies and customer references is a real stum- to mature. That’s right in line with what CIOs told us earlier bling block now, according to our survey respondents. this year in our look at early cloud adopters, Cloud Comput- ing: Tales from the Front. What you hope to gain from the cloud Unsurprisingly, the number one factor stopping IT lead- What’s even more precious to IT than cost savings? Agility. ers from tapping into the cloud right away is security wor- The big win with virtualization, to date, has been the ability ries. A whopping 59 percent of our survey respondents say to deliver to the business on IT requests in a lightning fast vendors have not adequately addressed security concerns way, as compared to the old one-app-one-server days. Vir- related to on-demand offerings. tualization has helped many IT departments change from Read on for the details on what you and your peers say “no” people to “yes” people. about cloud computing and how you are using it or plan- Similarly, you already see the ability to deliver more flex- ning to do so. ibility to the business via cloud offerings: In fact, you named this as your top desire from cloud computing, followed by Cloud computing: no passing fad reduced hardware and staffing costs. As Gartner analyst David Cearley recently commented to Cloud computing “allows the IT organization to focus on attendees at Gartner’s Symposium ITxpo, “You can’t swing differentiating IT capabilities and not on infrastructure,” one a dead cat without hitting somebody that’s talking about respondent to our survey wrote, explaining why he thinks cloud computing these days.” The hype level has been the cloud will change his IT department—and his company. extreme, and IT pros know it. Many of you say current offer- “It also allows the business to pursue an opportunity that ings are still not quite baked or appealing enough to roll out has unclear ROI without significant capital expenditures in production environments. on infrastructure.” But you have not written off cloud computing. More than half of you believe cloud computing will radically change What you’re already doing in the cloud the way enterprise IT looks in a few years. Cloud computing offerings that fall under what most people

CIO Focus Forecast: Cloud Computing Looms Big on the Horizon 19 Risk/Reward

think of as software on demand or SaaS, in the style of Sales- ent cloud service providers, even industry vets give wishy- force.com, have been around for years now. washy answers right now. Microsoft has its own vision for Thus some IT departments are not only comfortable with solving the problem, a vision heavily dependent on client OS the cloud but also banking on it for operational savings power. VMware has another vision. Bottom line: It’s early and flexibility. Not surprisingly, SaaS offerings are the top and the integration questions are real. way you’re already using the cloud, followed by storage on As has been the case with SaaS offerings from the start, demand. Only 19 percent of respondents say they’re tapping availability and performance worries still register, with into extra computing power on demand right now, though almost a quarter of you citing them in our survey. that’s perhaps the most exciting flavor of cloud computing for the future. Show me the security Clearly, the size of your enterprise is a factor with regards “I believe cloud computing places too many variables out of to your comfort with cloud offerings. As Forrester Research our control,” wrote one respondent in the verbatim com- analyst James Staten notes, for example, it’s simpler today ments to our security questions. That opinion is not uncom- for startups or smaller companies to use Amazon’s EC2 and mon among IT vets, according to our research. S3 cloud services, as opposed to large enterprises. Staten How will IT leaders get their heads around the security believes large enterprises may inch their way into the cloud issues with cloud computing? After all, many IT leaders for the ability to do quick and cheap experimentation. Also, just got comfortable with virtual servers: now they’re being end users could use cloud services to bypass IT for some asked to work off virtual servers in cloud providers’ physi- needs or projects, Staten predicts. cal locations—where their precious data will be further from reach, and co-located with many Applications that call How Knowledgeable Are You other customers’ data. out for cloud options About Cloud Computing? Consider this, the CEO of a What specific applications are Somewhat knowledgeable 51% cloud infrastructure company leading you to use or actively Very knowledgeable 27% recently told me: Each day, IT research cloud offerings? Collabo- departments hand reams of paper Not very knowledgeable 13% ration apps rank as early winners, to an Iron Mountain representa- Not at all knowledgeable 7% according to our survey results. A tive and trust that he will shred significant portion of you are also Not sure 2% and destroy it or otherwise deal

trying to figure out the server and SOURCE: CIO Research with it according to instructions. storage on demand equations now. Do you see the rep do it? No, you And a surprising 54 percent of respondents mentioned ERP trust the vendor. Cloud vendors, he said, must get to that as on the radar or in use—notable since ERP apps often rep- kind of trust with IT, before cloud computing can take off resent the most mission-critical and expensive applications in a mainstream way. to the business. Based on our survey results, vendors have a long road “Like every other technology, it (cloud computing) has its ahead before they earn that kind of trust. place,” wrote one respondent to our survey. “Mobile access, non-mission-critical capabilities, and general support func- Understanding the cloud and tions (provisioning, e-mail, etc.) are easy targets.” trusting it are very different Despite the amount of marketing hype in the marketplace What’s stopping you: security right now, your core understanding of cloud computing is and control concerns not the problem, according to our survey results. A full 78 A whopping 45 percent of you cite security as the top con- percent of you call yourselves very or somewhat knowledge- cern surrounding cloud computing at your enterprise. And able about the cloud. you’ve been through blockbuster tech waves like the ERP It’s just early in the game and your security and integra- revolution, so it’s not surprising that you’re already wor- tion concerns are real. rying about integration issues with existing systems and SURVEY METHODOLOGY NOTE: The margin of error cloud computing. on a sample size of 173 is plus or minus 7.5%. Percents on As we’ve recently reported, cloud computing will rely on questions where a respondent could only select one answer virtualization to quite an extent. The economics demand it may not sum to 100 due to rounding. Not all respondents for cloud vendors to succeed. Yet such basic issues as mov- answered all questions. ing virtual machines between physical servers with pro- cessors from differing vendors (AMD and Intel) have yet Laurianne McLaughlin is senior news editor of CIO. to be resolved by the industry. And when you start talking about making customer data easily portable between differ-

CIO Focus Forecast: Cloud Computing Looms Big on the Horizon 20