Posts Tagged ‘Amazon.com’

Is cloud security really different than data center security?

October 30, 2009 Judith 7 comments

Almost every conversation I have had over the past year or so always comes back to security in the cloud. Is it really secure? Or we are thinking about implementing the cloud but we are worried about security. There are, of course, good reasons to plan a cloud security strategy. But in a sense, it is no different than planning a security strategy for your company. But it is the big scary cloud! Well, before I list the top ten issues I would like to say one thing: if you think you need an entirely different security strategy for the cloud, you may not have a comprehensive security strategy to start with. Yes, you have to make sure that your cloud provider has a sophisticated approach to security. However, what about your Internet service provider? What about the level of security within your own IT department? Can you throw stones if you live in a glass house (yes, that is a pun…sorry)? So, before you start fretting about security in the cloud, get your own house in order. Do you have an identity management plan? Do you ensure that one individual within the data center can’t control all of the data within a single environment to minimize risks? If you don’t have a well executed internal security plan, you aren’t ready for the cloud. But let’s say that you have fixed that problem and you are ready to really plan your cloud security strategy. So, here are five of the issues to consider. If you have others, let’s start a conversation.

1. You need to start at the beginning with understanding the characteristics of your cloud provider. Is the company well funded? Is its data center designed with security at the center? Your level of scrutiny will also depend on how you are using the cloud. If you are using Infrastructure as a Service for a short term project there is less risk than if you are planning to use a cloud to store important customer data.

2. How is your cloud provider implementing security in a multi-tenant environment? How do they ensure that one customer’s data doesn’t impact another customer’s data?

3. Does your cloud provider give you the ability to monitor security of your data in the cloud? This will be important both for compliance and to keep track of your own security policies.

4. Does your cloud provider encrypt your critical data? If not, why not?

5. Does your cloud provider give you the ability to control who is allowed to access your information based on roles and authorization? Does the cloud provider support federated identity management? These are basic security best practices.

Now you are probably saying to yourself that this isn’t rocket science. These are fundamental security approaches that any data center should follow. I recommend that you take a look at a great document published by the Cloud Security Alliance that details many of the key issues surrounding security in the cloud. So, I guess my principal message is that cloud security is not different than security in any data center. But the market does not seem to understand this because the perception is that a cloud is somehow not a data center that can be secured with regular old security. I think that we will see something interesting happen because of this perception: cloud vendors will begin to charge a premium for really good security. In fact, this is already happening. Vendors like Amazon and Salesforce are offering segregated implementations of their environments to customers who don’t trust their ordinary security approaches. This will work in the short term primarily because during this early phase of the cloud there is not enough focus on security. Long term, as the market matures, cloud vendors will have to demonstrate their ability to provide a secure environment based on basic security best practices. In the meantime, cloud vendors will rake in the cash for premium secure cloud services.

What are the unanticipated consequences of Cloud Computing- Part I

October 28, 2009 Judith 2 comments

Maybe I am just obsessed with cloud computing these days. I guess that after spending more than 18 months researching the topic for our forthcoming book, Cloud Computing for Dummies, I can be excused for my obsession. Now that I am able to take a step back from the noise of the market, I have been thinking about what this will mean in the next ten years. Consequences of technology adoption are never what we expect. For example, in the late 1970s and early 1980s no one could imagine why anyone would want a personal computer. In fact, the only application people could imagine for a PC was a way to store recipes (I am not making this up). Keep in mind that this was before the first PC-based spreadsheet was designed by Dan Bricklin and Bob Frankston (that’s them in the picture). No one in those days could have predicted that everyone from a CEO to a three year old child would own a personal computer and its use would change the way we conduct business. (I never did find a recipe storing application).

The same logic can be applied to the Internet. While the Internet was used 40 years ago by researchers, it was not a commercially viable option until the mid-1990s. In the early days of the Internet it was a sophisticated communications technology with a command line interface. Once the browser came along, businesses tended to use it to share price lists, marketing materials, and job postings. There were certainly message boards but only for the real techies. There were environments such as The Well which was the first online community used primarily by academics and wild-eyed researchers.

In that context, I was thinking about what we might expect to happen with cloud computing. There is a lot to say, so I decided to break this into two parts, each of which will have three consequences. Here are today’s top three:

1. Cloud computing will begin to change the way we think of an application. To be truly useful to large groups of individuals and businesses requires economies of scale in terms of massively scaled workloads. The only way to accomplish this is either to cherry pick a few big workloads (like email) or to branch out. That branching out is inevitable and will mean that vendors with cloud offerings will componentize their software offerings into modular services that can be mixed and matched with other services.

2. The prices that vendors will charge for cloud computing services will drop dramatically over the next few years. As prices drop it will become a lot more economically viable to substitute on premise environment for the cloud environment. Today this is not the case; large companies supporting thousands of users in an application environment cannot justify the movement to a cloud platform. What if the costs drop to the point where the economics (with the right workloads) favor cloud based services? When this happens there will be a tipping point that we might not even notice for a few years. But I predict that it will happen. We are already seeing Amazon dropping prices for its EC2 environment based on the competitive threat from Microsoft Azure services announcement.

3. The cloud will change the way we manage data. The traditional way we think about data neatly stored in specific databases to handle a specific business problem will inevitably change. This won’t be an overnight change but it will happen. Data will increasingly be seen as a reusable resource that can be used in lots of different situations. There will continue to be strategic line of business applications but they will be more systems of record that keep track of the final result of actions that take place dynamically in the cloud. The value of data is not in its tight packaging as we have been used to for decades but in the flexibility to move, transform, and leverage data. The watch word for data in this new model will be Trusted Data in the Cloud.

I would love to know what you think of my top three choices; send me your comments and I will add them to my list for tomorrow.

As we deal with the cloud hype it is too easy to be dismissive and cynical. But we always treat complicated new trends that way — until one day they become the normal way of business and life.

Can we free process and data?

October 27, 2009 Judith 1 comment

I am still at IBM’s Information on Demand conference here in Las Vegas (not my favorite place..but what can you do). In listening to a lot of discussions around strategy and products I started thinking about one of the key problems that customers are facing around business process and managing increasingly complex data. What companies really want to do is to have the flexibility and freedom to leverage their critical data across applications and situations. They also want to be able to change processes based on changing business models.

This is the core issue that companies will be facing in the coming decade and will be the difference between success and failure for many businesses. Here’s an example of what I mean. Let’s take the example of a retailer in a competitive market. Let’s say our retailer had five or six applications: Accounting, Human Resources, supply chain management, a customer support system, and a customer facing e-commerce system. Each of these systems has an underlying database; each one manages this data based on the business process that is the foundation of the best practices that is the value of these packages. Even if each of the packages is the best in its market there is a core problem since each solution is a silo. Processes that move between these systems tend to fall through the cracks. This is why we, as customers of such retailers, are often frustrated when we call about a product that wasn’t delivered, doesn’t work, or requires a change only to discover that one department has no ability to know what is happening in another area. For most companies the dream of single view of the customer is aspirational but not practical right now. In reality, it is hard for companies to mess with their existing applications. These solutions are customized for their business environment; they were expensive and complicated to implement — and change is hard. In fact, companies only change when it is more painful to stay with the status quo than it is to change. In a retail scenario, companies change their approach to process and data management when they must change their business model because the current processes will lead to failure. Retailers are currently faced with emerging approaches to selling and managing customer relationships that are challenging traditional selling models. Look what a company like Amazon.com or Netflix has done to its slower moving competitors.

A number of customers I have spoken with understand this very well. They are looking at ways to separate their core data assets from the underlying applications. Many of these customers are at the forefront of implementing a service oriented architecture (SOA) approach to managing their software assets. They are increasingly understanding that the secret to their future success is the knowledge they have about their customers, their needs and future requirements within their own set of offerings and those from partners. These companies are setting a priority of making this data independent, secure, and accurate. These business leaders are preparing for inevitable change.  At the same time, I have seen these customers creating SOA business services that are, in essence, codified business processes. For example, a business service could be a process that checks the credit of a potential partner or links a new customer request for service to the set of applications that confirms the request, orders the part, and notifies a partner.

So, here is the problem. These customers are implementing this new model of abstracting data and process based on specific projects or business initiatives.  These projects have gotten the attention of the C-team because of the impact on revenue. But, in reality, the real breakthrough will happen when the separation of data and process are the rule, not the exception.

This is going to be the overriding challenge for the next decade because it is so hard. There is inertia to move away from the predictable packaged applications that companies have implemented for more than 30 years. But I suggest that it will be inevitable that companies will begin to understand that if they are going to remain agile and change processes when they anticipate a competitive threat. These same companies will understand that their data is too important to leave it locked inside an application linked tightly to a process.

I don’t have the answers about what the tipping point will be when this starts to become a widespread strategy. I think that the cloud will become a forcing action that will accelerate this trend. I would love to start a dialog. Send me your thoughts and I promise to post them.

Public versus private clouds: why one size does not fit all

September 15, 2009 Judith 5 comments

There have been a lot of discussions these days about private and public cloud. More discussion has been generated because both Amazon.com and Salesforce.com have added a Virtual Private Network (VPN) option to their public cloud services. What does this mean in the context of how customers will move to cloud computing? It is clear from the research that I have been doing that the private cloud and the hybrid cloud are real and will be part of the computing landscape for a long time. The emergence of the virtual private cloud is an early indication that some customers want a better guarantee of their data. The combination of a public cloud with the privacy offered by a VPN is only going to grow over the coming year.

So, is a Virtual Private Cloud still a public cloud? I particularly found the blog published by Amazon’s CTO, Werner Vogels, announcing the virtual private cloud fascinating. On one hand, the private virtual cloud announcement is a proclamation that customers want to be able to have secure access to services on the Amazon EC2 Cloud. On the other hand, he is quite clear that there is no such thing as a private cloud. Clearly, it is in Amazon’s best interest for customers to focus on public clouds. Vogels states in his blog that “What is called private clouds have little of these benefits (he means characteristics of the cloud) and as such I don’t think of them as true clouds.” The four characteristics of the cloud he points to include:

  • eliminating costs – lowering both capital expenses and operating costs
  • elasticity – avoiding complex procurement cycles and improving time to market
  • and removing undifferentiated heavy lifting by offloading data center operations

While I agree that there are many situations where this is an ideal approach for many businesses, I don’t think the situation is black and white. There are indeed shades of gray. In my view, a private cloud has to be architected to be different than a traditional data center. But like a traditional data center, it is protected by a firewall and sophisticated security. A private cloud will almost always be combined with some public cloud services (either capacity, software as a service, or platform as a service). So, I’ll take each of the three characteristics mentioned in Vogels’s blog and explain my view based on the fact that customers will make both economic and technical choices.

  • eliminating costs – In reality there are data centers that work pretty well and are core to the business. The company has made an investment and therefore would not necessarily be able to lower costs. However, I expect that even if a company decided to go with a private cloud, there will be good reasons to use capacity on demand to fill gaps and expand for projects. In addition, a very large company will have the financial means to establish its own cloud that will be much more cost effective. A cost/benefit analysis of using a public cloud versus a private cloud is not straightforward. It requires a deep assessment of lots of different factors.
  • elasticity – It is quite clear that many data centers do not have an efficient way to procure resources to users. However, if a data center is rearchitected to enable self-service provisioning, it can be transformed to better support users. Again, I expect that customers will take advantage of additional capacity or platform services even if they have private cloud services. This is especially true for companies where their computing infrastructure is the foundation of their business.
  • removing undifferentiated services – This will really depend on whether the data center helps a company differentiate itself. There are definitely services that offer no value to the bottom line that should be placed in a public cloud (with a VPN for security, in some cases) such as electronic mail. However, there are cases where these services are at the core of the business and probably need to be in a private cloud. Many companies will select which services are not differentiated and which ones are and create a hybrid environment. Companies will have to do their homework both in terms of focus and costs. It might initially cost more to move a service such as email to a public cloud but will have huge resources in the long run. In other situations, paying per hour, etc. may be a lot more costly than you might imagine.

My bottom line is this. The cloud will continue to evolve over the coming decade and there is no one approach that will become the standard. The cloud is primarily an economic proposition that will require careful evaluation. Companies need to understand what their business is, what the value and role of the data center is and what is the best set of services available. The good news is that with the evolution of the cloud companies will have lots of good options.

How Amazon cashes in on its Cloud

May 14, 2008 Judith 4 comments

I had a very interesting conversation with Jeff Barr, the senior web services evangelist at Amazon. I have known Jeff for almost 15 years. In those days Jeff was one of the architects at a company called Visix, an early graphical development environment that was ahead of its time. Visix’s software development environment was designed as an abstraction of the underlying infrastructure. Visix came into the market before the Internet infrastructure became the de facto standard. But for me, it set the vision for where we are today. Jeff started at Amazon in the summer of 2002 with the Visix and some Microsoft experience in his consciousness.

Amazon’s business model is different than a traditional software company that often spends 18-24 months convincing customers to adopt new hardware/software or services. Amazon is leveraging a different computing model based on providing customers with a set of predefined services that can be bought without making a long term commitment. In a sense, Amazon has had the luxury (or good sense) to roll out service after service and see what sticks. As Jeff sees it, “people’s brains light up. They can build their business and applications in a positive way without having to worry about bandwidth, power and cooling.” His perception is that customers don’t think about whether the cloud provided by Amazon will support their needs. Clearly, he is able to talk this way because Amazon has made the investment in a scalable architecture to support an infrastructure that is designed for massive scalability. The other issue is that having built this architecture for its own retail requirements, Amazon had the foresight to exploit the technology to create a new line of business — in essence, a compute cloud based on providing a set of tools and product offerings to the market. The message to the market is straightforward: use these services so that you can innovate quickly without having to build from scratch. In taking this approach, Amazon creates both a test bed that allows the company to collaborate on new functionality with partners. In addition, and perhaps most importantly, it allows customers to buy incremental capability so they can scale up and down when they need to. According to Jeff, one of the benefits of the cloud is that it isn’t dominated by the needs of one customer. In other words, one customer may have a spike in demand while another has less need at that point in time. Over the years, Amazon is able to understand usage patterns that are predictable.

Amazon’s business model follows this approach. A customer creates an account with Amazon that in essence gives them a charge account with Amazon. Customers get access to all of the Web services APIs. Their usage is tracked and they are billed for what they use. The business model is quite straightforward. Amazon charges 15 cents per gigabyte per month — not a lot of money even when you scale. What is interesting to me is there are no contracts to negotiate — everyone understands the rules. I asked Jeff if customers ever ask to buy a “private cloud”. While Amazon has been asked by customers, Jeff felt that the amount of experience that Amazon has with its hosted services discourages customers, explaining, “This is a business we want to be in. We have a lot of experience in our organization. We build highly cost effective data centers and sophisticated monitoring and operations.” He contends that the expertise Amazon has based on its 13 years in the business is enough to keep customers from walking away from its cloud. If you do the math, it would be difficult to argue. For example, if a customer needed 500GB of storage for two years, the cost would be $1800. In addition, it avoids the requirements for managing that environment.

Jeff makes a good point. If a customer needs to scale from 10GB to 100 TB in a month it might be hard to pull off. “This is routine for us,” Jeff claims. From his vantage point, the cloud changes the relationship between the customer and their hardware vendors. In effect, customers are sharing hardware resources with lots of other customers. So, the question becomes, who is your partner? It is no longer the provider of the hardware or the operating system. You probably still have a relationship with your software provider.

So, Amazon’s view of the cloud is pretty straightforward — it is a way to get value out of virtualization. Jeff points out that if developers use Amazon’s elastic cloud service, for example, they pay to access servers on an hourly basis. Amazon allocates a server to that account and provides a copy of the operating system they need to get started. That process takes a few seconds.

Another dimension of Amazon’s business revolves around the companies that actually build applications that sit on its infrastructure. Amazon has built a bunch of its own applications that it offers as services. In addition, there are a number of application companies that are building applications on top of the Amazon platform. One that Jeff mentioned to me is called RightScale, an automated cloud computing management system intended to help customers of Amazon’s Elastic Compute Cloud with issues such as load balancing. In addition to this type of company there is a community of 370,000 developers. Because Amazon sets the barrier to use so low, it is easy for a developer to try a service without making a long term commitment.

The more I think about Amazon’s platform and business model, the more sense it makes to me. I believe that Amazon and others such as Google, Salesforce.com, and eBay are a peek into the future of the new generation computing. In a sense, this model breaks every rule that the traditional computing industry has been built on. This movement towards enterprise software as a service and utility computing is beginning to redefine hardware, software, management and services. I predict that this new business model is going to slowly but surely turn the industry upside down. It isn’t only that the business model is different. The underlying technology platform based on standards and a service oriented architecture is propelling this change. The only thing that will slow this transformation is fear of change. But what else is new.

Is Infrastructure moving to the clouds?

November 3, 2007 Judith 3 comments

Now that I am back from my trek to Redmond, I have time to come back to earth and think about what I heard. I think that several issues surfaced in my mind. Here are the three key issues that I think are worth more time:

1. We are at a turning point in enterprise computing. I predict that we are moving into the cloud as the focal point for enterprise infrastructure.

2. How much complexity do customers need to be exposed to? Distributed computing is hard and requires a new level of complexity that we haven’t seen before outside of small implementations and experiments.

3. What does it mean for the balance of power in the software industry? Whenever there are monumental changes in technology and customer strategy the shape of the industry changes.

Here’s my quick take on these issues. I’ll keep writing about this. In the meantime, I would love to start a dialog with you on these issues. So, if you agree, disagree or just think this is irrelevant, I would like to hear from you.

What about that cloud? What is an infrastructure cloud? Without getting into too much detail, it is a complex computing infrastructure that is hosted by an infrastructure provider that provides access to services ranging from access to storage, electronic mail, applications, etc. In some cases, this infrastructure can be well designed and scalable; in other situations the provider can cobble together a mess that is hidden from customers.

I don’t think that anyone owns this model yet but some company will. It will be the company that provides a scalable, well-designed, distributed infrastructure. This is what Amazon.com is trying to do with its Elastic Compute Cloud (Amazon EC2). It is what Google will pursue with all of its applications. However, Google’s first “official” cloud computing announcement is a joint educational venture with IBM. It is also at the heart of Microsoft’s Oslo initiative via its “Internet Service Bus”. I also expect that IBM, Oracle, and HP will get into the mix. Is there room for Apple with a Google partnership? How about Salesforce.com?

I am not ready to pick a winner(s). That is what makes this transition so interesting. A vendor doesn’t necessarily need a massive set of packaged applications or a huge sales force to gain traction. Does it avoid questions about operating systems? Does it matter if the software in the cloud is proprietary or open source? How much will the customer care? Maybe a lot right now. But who knows what we will think five years from now.

The one thing that I will predict is that the software industry is about to be turned upside down. Now, isn’t that fun?

How Amazon.com made my day

January 14, 2007 Judith Leave a comment

Amazon.com is on my mind today. I ordered a book the other day; now that may not sound revolutionary but it was important to me. My father was a clinical psychologist who died 25 years ago. In the 1960s he wrote a book called “Opening Doors for Troubled People.” I have a copy of the book, but I really would like a couple more copies to give to my kids. In the old, pre-Amazon.com days, I would have been out of luck. I went onto the web the other day and was able to order the very last copy out there. It is ironic – I spend so much of my time analyzing the consequences of emerging distributed technologies on organizations that I sometimes lose sight of some of the subtle human dimensions of this very distributed world. I am very happy to have found this very precious book – thank you Amazon!
