Just about every organization I know -- including my own at this very moment -- is faced with a vexing question:...
What do we do with the cloud, and when? While we sit and ponder, we risk having the decision made for us. The rapid expansion and adoption of Software as a Service (SaaS), Platform as a Service (or PaaS) and Infrastructure as a Service (or IaaS) mean we must quickly but correctly figure out our cloud strategies, be they public, private or hybrid.
On the upside, cloud strategies lend themselves to projects that build on past work and previous experiences, such as virtualization and small-scale forays into the cloud. CIOs have to stay acutely aware of the lessons they've learned and position themselves as the key leader prepared to take the organization to cloud's next level.
My organization recently replaced one of our mission-critical, highly interconnected, on-premises applications with a cloud application. The only place this application runs is in the cloud, but because it has to connect with many of our on-premises applications, our SaaS effort was more hybrid cloud than pure public cloud. Through such implementations, nonetheless, we are preparing ourselves to replace other legacy applications and eventually take advantage of a more purely public cloud strategy.
Several years ago, we moved major portions of our on-premises infrastructure to an external data center. An element of this move was the wholesale use of virtualization. This combination of external data center and virtualization became our current private cloud. Moving to a private cloud required that we be good at configuring remote systems and upgrading software (as well as good at recovery, patching, software deployment and so forth). We also had to be good at remote administration because we then extended our cloud by moving some systems to an additional external data center. In effect, our private cloud has three nodes: the central office and two external data centers. We have deployed the full range of virtualization and management tools so we can respond better to the dynamic nature of our organization and projects.
Our hybrid cloud requires us to connect to, share data with and rely on someone who isn't us -- a frightening prospect for the security performance- and reliability-minded.
We also can scale our private cloud up and down as needed to support specific initiatives. Our separate nodes make disaster recovery a breeze (logistically and geographically, at least). And our private cloud experience has helped us be somewhat prepared for our new hybrid cloud. Why only "somewhat prepared"? Because we can exert a certain amount of control over our private cloud. Our hybrid cloud will require us to connect to, share data with and rely on someone who isn't us -- a frightening prospect for the security performance- and reliability-minded.
At first my team members -- who have spent their lives in an on-premises or private cloud environment they control -- simply could not accept using the public cloud. They wanted to impose the same control on the SaaS environment that they imposed on our on-premises and private world. That control, however, does not exist.
Next, they wanted to require that the software team engage in a wide range of contortions (data encryption between the SaaS application and our legacy applications, databases in the demilitarized zone and who knows what else). Finally, they tried to convince the organization to change its mind about the SaaS application and implement an on-premises application.
When none of these worked, my team resigned itself to a life in a public-cloud world. They still had reservations, however, and really had no idea how to manage the data exchange between the private and public elements of our hybrid cloud.
More about cloud computing
So, I did two things. First, I gave everyone a copy of an article from my MIT alumni magazine, in which the author explains that security in the public cloud is better than the security of private or on-premises environments. How can this be? Because the entire cloud business model depends on superior security, and so it is a higher priority for people in the public cloud than it is for someone in a private cloud environment.
Second, I told them we didn't have to solve how to manage the data exchange securely. Why? Because others (in fact, lots of others) have figured it out already. We just need to learn what the others do. So, I sent them on a best practices tour with the goal of implementing whatever best practice they found. We are now implementing our hybrid cloud. With this cloud in place, we can start to experiment with purely public cloud options.
This experience has taught me several things:
- If we are using virtualization aggressively, we have already taken big steps toward a private cloud strategy.
- If we are using an external data center and using virtualization aggressively, we have a private cloud.
- Shifting to a hybrid or public cloud model is a cultural shift, not a technology or security shift.
- Given the increasing number and quality of cloud offerings, we CIOs had better be the ones driving this cultural shift -- otherwise, we are on the path to obsolescence.
Niel Nickolaisen is CIO at Western Governor's University in Salt Lake City. He is a frequent speaker, presenter and writer on IT's dual role enabling strategy and delivering operational excellence. Write to him at firstname.lastname@example.org.