The vast majority of large enterprises are actively building private clouds for application hosting, but few intend to make significant use of public-cloud hosting providers, such as Amazon.com Inc. and Rackspace US Inc. -- at least not in the next one to three years.
To capture a more holistic view of the public cloud's suitability for large enterprises, The Corporate Executive Board Co. surveyed 82 senior IT managers, all CEB members, about the 19 most commonly cited public cloud flaws (see sidebar below).
The survey's purpose was to understand the significance of each flaw and the expected timeline for its resolution. (The flaws were drawn from leading scholarly papers, such as Above the Clouds: A Berkeley View of Cloud Computing, then expanded based on in-depth interviews with CEB members.) The survey interviewees worked at large, global organizations whose scale, complexity, security needs and hefty legacy infrastructure differentiate them from the small and medium-sized businesses that have been early public cloud adopters.
The CEB found that half of the senior IT managers surveyed expect less than 10% of their total application hosting capacity to be in the public cloud by 2015, although they intend to move as much as 50% of their total hosting capacity to a private cloud. The board believes organizations underestimate the viability of public cloud hosting because of the model's current setbacks, such as security and privacy flaws.
The public cloud, however, has shown it could improve rapidly, so the CEB recommends that companies segment their applications and data to pressure-test how much ultimately might be suitable for the public cloud, in order that they not be left behind as public cloud computing evolves.
Concern about the public cloud starts with its security and privacy features and extends to its quality of service and cost-effectiveness. These are the five flaws the interviewees cited most frequently in the survey:
- Data leakage. Difficulty implementing adequate measures to protect confidentiality and prevent the loss of regulated, private data or data pertaining to important intellectual property, such as new products.
- Security governance. Loss of direct control over such day-to-day security protections as intrusion detection, vulnerability monitoring and denial of service. Concerns are heightened if a provider outsources aspects of its service to an additional third party.
- Service-level agreements. Reluctance or inability of vendors to offer service or operating-level agreements with specific, contractual quality targets covering both availability and performance.
- Disaster recovery. Providers must have their own business continuity and disaster recovery plans, but they are not often transparent about these features, and that complicates customers' own planning.
- Legal ambiguity. Lack of clarity or assurance about the ability to execute common, day-to-day legal tasks like e-Discovery, litigation holds, or the production of documents and data.
Although all 19 flaws were seen as significant, the CEB believes they can be overcome, suggesting it may just be a matter of time before the public cloud becomes viable for large organizations. The senior IT managers in the survey expect that all the flaws can be resolved by vendors, or that they, as clients, can develop sustainable workarounds by the end of 2013.
The way these flaws are resolved, however, will differ from the assurances provided by traditional outsourcing partners. Indeed, few of the senior IT managers in the survey expect public cloud vendors to begin offering the kind of customized service levels they have negotiated with traditional service providers, because this would challenge the business model of the cloud providers. Nevertheless, the interviewees see that for applications with moderate requirements, they can take proactive steps -- such as paying for hosting power in multiple "availability zones" or even across multiple cloud vendors -- to achieve the required levels of availability and redundancy.
The organizations that took part in the CEB survey expect to participate in reducing public cloud flaws in the following ways:
- Resolution of legal ambiguities.
- Prevention of data leaks.
- Greater disclosure of cloud vendors' third-party risk.
- Use of billing models effective for companies requiring massive data transfers.
- The emergence of cloud architecture standards that prevent lock-in with a single vendor.
In contrast, these enterprises see cloud vendors taking more complete ownership of technical flaws, such as multi-tenancy risk, and of the development of cloud management tools.
Organizations should find opportunities for risk-free experimentation with the public cloud so they aren't caught by surprise should the model not mature on schedule, the CEB advises. This could include the migration of public websites with nonrestricted information; or the identification of noncritical, moderate-scale applications that don't contain highly sensitive data. Most organizations have done this kind of application segmentation for other purposes (disaster recovery, for example) in recent years, and they could easily identify a handful of applications for experimentation in the public cloud.
Another CEB recommendation is that new internal-capacity investment should be done very cautiously. Private-cloud programs are mostly about building on existing server virtualization to offer valuable features like rapid, self-service access and pay-for-use, and therefore don't pose a large risk by themselves. Nevertheless, it's important these programs don't balloon into investments in physical data centers or long-term contracts, or end up with the company locked into a proprietary vendor platform.
The Corporate Executive Board Co. is an IT and corporate strategy consulting firm in Washington, D.C. Its IT practice serves 2,500 member CIOs.