So far in this series, we've looked at the available options for Cloud computing, budgeting and performance tuning for a Cloud implementation. While it's not difficult to make a persuasive case for moving your infrastructure to the Cloud, there are some scenarios where the Cloud is not the right option. There are several concerns related to security, portability, economics and system criticality that can limit the benefit you would receive from moving to the Cloud.
As we discussed in part 3, a Community or Public Cloud will be hosted remotely. The vendor providing your Cloud services will have copies of your server images, applications, and data. Additionally, your data and applications may physically exist on devices that are shared with other Cloud customers. The Cloud vendor should have infrastructure level security measures in place to ensure that data is secure and isolated from other customers.
However, even if the vendor's security is sufficiently strong, in order to be compliant you need to be able to prove that the vendor meets or exceeds regulations. Make sure the vendor provides enough detail to satisfy auditors, and updates security measures as new threats are found and new regulations are implemented.
Application access via the internet can also be a security concern even if the connection between the Cloud application and user’s browser is encrypted. It is very difficult, but not impossible, to decrypt traffic. Traffic patterns can be analyzed. Users very often create passwords that are far less secure than they should be. And, last but not least, users could be accessing the site through infected browsers that compromise data confidentiality. These issues may not be significant if the client and server are both behind a firewall, but over the open internet they can lead to a security breach.
Another issue is portability. Vendors can and do go out of business, or get acquired by other vendors. Before porting an application to a Cloud vendor, make sure you have a plan for what would happen if that vendor were not available. Rebuilding an IaaS application with a new vendor is relatively straight forward, but moving SaaS or PaaS applications could require rebuilding applications according to the new vendor's requirements.
There may also be less of an economic benefit to the Cloud if you have very large servers running very heavy workloads 24x7. At that point, the per hour cost of a Cloud based server can end up being higher than the amortized cost for an in-house enterprise server. Additionally, the one time cost for a hardware upgrade may be significantly smaller than the ongoing cost for additional Cloud resources.
Finally, there are some critical systems which are just not suited to Cloud applications. As per NIST's Cloud Computing Synopsis and Recommendations:
Safety-critical systems, both hardware and software, are a class of systems that are usually regulated by government authorities. Examples are systems that control avionics, nuclear materials, and medical devices. Such systems typically incur risks for a potential of loss of life or loss of property.
Such systems inherit “pedigree” as a byproduct of the regulations under which they are controlled, developed, and tested. Because of the current lack of ability to assess “pedigree” of one of these systems within a cloud (due to many distinct subcomponents that comprise or support the cloud), employing cloud technologies as the host for this class of applications is not recommended…
The lack of visibility into the exact hardware underlying the Cloud makes it unsuitable for “safety-critical” systems. The Cloud hardware may meet or exceed the required specifications, but there is no way to ensure that it does, or that the underlying hardware might not change without notice. If your organization has business critical applications that have similar stringent requirements, you would be best served by controlling the hardware directly.
This is the last post in the Considering the Cloud series – while the Cloud can suit many IT needs, it is not appropriate for all, and if it is suitable for your needs, finding the appropriate application service, deployment option, and then a vendor to meet those needs can be a daunting process. The purpose of these posts was to provide a framework of the currently available options, and we will be posting updates to the series as Cloud technology evolves.
Much of the source material for these posts was taken from the previously referenced Cloud Computing Synopsis and Recommendations from NIST, and I would also highly recommend the European Commission’s Unleashing the Potential of Cloud Computing in Europe, which has a different perspective on Cloud Computing.