Busting the nine myths of cloud computing

Vendor hype and IT self-delusion can quickly lead to disappointment. If you're considering a cloud strategy, don't get fooled by these false premises

Wherever you turn, someone's ready to tell (or sell) you something related to cloud computing. Cutting through the myths is essential to deciding whether, when, and how the cloud is right for you. Here's our top list of myths; we welcome your suggestions and feedback in our cloud myths discussion area.

Myth No. 1: There's one single "cloud"

There are at least three forms of "cloud computing," each with different benefits and risks. They are 1) "infrastructure as a service" (bare-metal virtual servers available on demand from the likes of Amazon's Elastic Compute Cloud); 2) Web services providers, or "platform as a service," which are APIs or development platforms that let customers create and run apps in the cloud; and 3) software as a service, applications such as Salesforce.com's CRM software that users access over the Internet with little or no code running on their own machines.

[ What exactly is the cloud? Get past the hype and see what's real in InfoWorld's "What cloud computing really means" | Stay on top of the cloud from an IT pro's perspective in whurley's Cloud Computing blog. ]

The type of application you're running and the kinds of data you're generating also make a big difference in whether -- and how -- to move to the cloud. Which leads to:

Myth No. 2: All you need is your credit card
If you're a lone developer with time to burn, configuring a virtual bare-metal server from the command prompt may be no problem. But if you have a business to run, installing and configuring the OS, multiple applications, and database connections could get in the way of generating revenue. And if you're big enough to have any standards for security, data formats, or data quality, someone has to do that work, too.

Some vendors imply that a business user "can just go in and buy a development server in 15 minutes that's as good as the one it would take their IT department three or four days to provision," says Michael Kollar, chief architect at Siemens IT Solutions and Services North America, which virtualizes about 2,500 servers to provide cloud-based application services to internal users as well as external customers. However, he says, that cloud-based server may not be secure, meet corporate standards, or be integrated into the wider IT environment.

For example, even a Web server thrown up in the cloud for a short-term marketing campaign might need to meet corporate security and data format standards. That's because the customer data it gathers is subject to the same corporate and legal standards as "real" IT systems, says Kollar, and it must be usable by corporate analytic or customer tracking systems.

Many infrastructure-as-a-service players also can't meet the needs of enterprise applications. Phil Calvin, founder and CTO of Sitemasher, tried to find a cloud provider to manage the servers he now manages himself in a collocation facility. However, he says, "we couldn't find anyone to scale our standard servers" on demand. Nor could the cloud vendors provide the low-latency performance he requires or do global load balancing across datacenters.

Amazon.com recently announced a public beta of new features that include auto-scaling, monitoring, and load balancing. In a blog post, cloud management vendor RightScale said the new capabilities were a step in the right direction but appeared to lack necessary capabilities such as configuration management and lifecycle management.

Myth No. 3: The cloud reduces your workload
In the long run, maybe. But to get started, you have to figure out which model of cloud computing is right for you; which applications or services are best suited to it; and how to ensure the proper levels of security, compliance, and uptime. And remember, monitoring the performance of any vendor takes extra time.

"When you're running production applications, there's a lot of thinking that goes on in terms of redundancy, in terms of reliability, in terms of performance and latencies," says Thorsten von Eicken, CTO and founder of RightScale. Before moving applications to the cloud, customers need to ensure those requirements are met, he says, calling it "wishful thinking" that cloud-based systems automatically manage themselves.

In addition, not all apps are right for the cloud. Those relying on clustered servers, for example, aren't good fits for cloud environments where they share resources with other customers, says James Staten, a principal analyst at Forrester Research. That's because they require identical configuration of each server and large dedicated bandwidth among servers, which can't always be guaranteed by a cloud vendor. Again, thinking through these issues requires work, at least up front.

Myth No. 4: You can seamlessly blend your private "cloud" (your virtualized datacenter) with public cloud providers
Some cloud evangelists hold out the promise of the best of both worlds: the control provided by an in-house datacenter and the low cost and flexibility provided by the cloud, with the ability to drag and drop applications, storage, and servers among them as needed.

But it's not yet that easy, at least for a complex multitier application that depends on internal databases and that serves thousands of users with ever-changing access rights.

"Currently, it takes a lot of footwork, and a lot of manual reconfiguration, and lots of engineering effort" to move applications among public and private clouds, says Staten. And even then, "we're still in the 'I hope it works' phase." Seamless integration is easier if customers are running the same platforms in both the public and private clouds, he says, but for the typical, more complex environments standards efforts such as the Open Virtualization Format are still "very basic" attempts to ease interoperability.

The key requirements, says Siemens' Kollar, are a security infrastructure that can span both environments, secure and cost-effective ways to either replicate data or access it across the public and private clouds, and orchestration software to ensure that services are working as required and proper steps taken to repair them if they aren't.

Renata Budko, vice president of marketing at virtualization management vendor HyTrust, says the best candidates for movement are those with relatively few modules and tiers, that are relatively "stateless" (not overly dependent on the timing and sequence of processing events), and those with relatively few user profiles to track. "If it's an internal cloud, you can access the policy database within the same cloud," she says, while customers may be reluctant to host sensitive security data in an external cloud or allow external access to their internal security data.

Having said that, beware of:

Myth No. 5: You won't ever be able to seamlessly blend your public and private clouds
Vendors are scrambling to provide such seamless blending. Kollar, for example, expects to provide it to his customers within 12 to 18 months. Until it's widely available, RightScale's Von Eicken recommends standardizing configurations, data models, and automated deployment policies for both public and private clouds. That allows you to take advantages of the public cloud when it makes sense today, while building a foundation to do more sharing of public and private resources as the technology, standards and processes mature.

Myth No. 6. Cloud computing always saves you money
McKinsey & Co. recently released a hotly contested white paper claiming customers are only likely to save money when running specific platforms, such as Linux, in the cloud. For an entire datacenter, the report says, you're better off staying in-house.

McKinsey declined to comment, but in a blog posting, Google Apps senior product manager Rajen Sheth said that the study erred by only considering the savings of using low-cost servers in a highly redundant architecture. It neglected, he says, the additional money customers save by using "the same scalable application server and database that Google uses for its own applications" and not having to purchase, install, maintain, and scale their own databases and application servers.

Another wild card, say Staten, is that under current licensing and support models, customers could pay significantly more to their commercial software vendors by deploying their software in the cloud than they would internally.

Myth No. 7: A cloud provider can guarantee security
Even if a cloud provider has every security certification in the book, that's no guarantee your specific servers, apps, and networks are secure. When it comes to, say, compliance with the credit card industry's PCI DSS (Payment Card Industry Data Security Standard) a retailer or credit card processor is audited on how well their servers and applications are deployed on the platforms provided by a cloud vendor such as Amazon or Google. "If you set up your applications badly," says Staten, "it doesn't matter how secure the platform you're running on is."

Securing Siemens' cloud environment required looking at IT "from the outside in" and securing every conceivable path by which a user could access critical information, says Kollar. Securing each platform was not a significant challenge, he says, but ensuring all the needed security technologies worked together was.

Staten says it may require "architect-to-architect" sit-downs to assure a vendor hasn't, for example, cut costs "by simply giving each customer their own table space in the same database," as that would allow any customer to see any other customer's data.

In the cloud world, it's easier than in the physical world to assign new network interface cards to a virtual machine that might link it to an insecure network, says HyTrust's Budko. An organization's existing firewalls would have no way of knowing the new NIC exists and that it needs to monitor traffic through it, she says. Potential threats like that make it important to independently assess, rather than blindly trust, a cloud vendor's security infrastructure.

Myth No. 8: If you're running VMs, you're doing cloud computing
Virtualization -- creating logical servers or storage that span multiple physical devices -- is one of the requirements of cloud computing. But having VMs doesn't mean you have cloud computing. To reap the full benefits of virtualization, IT or its cloud providers also must provide the ability to grow or shrink capacity as needed, provide pay-as-you-go pricing, and let users easily provision new servers and storage themselves as needed.

Letting users do some of the work of ordering virtual servers (especially those preconfigured for specific tasks) is a key money-saving goal of some cloud customers. But such self-service doesn't automatically happen just because you're running software such as VMware Infrastructure 3. Siemens, for example, had to make "a significant investment" in developing a standard catalog of virtual servers and related services users can order as needed from its private cloud, says Kollar.

Myth No. 9: Cloud computing is about technology
Technology makes cloud computing possible, but realizing cost savings and flexibility also requires that you have the right processes. The virtualization that underlies cloud computing "is very dynamic and allows a very high rate of change," says Budko, as customers move data and applications among physical devices. "What's missing is the ability to manage it smoothly," avoiding a sprawl of unused or underused virtual machines that soak up electricity, cooling, and management time and possibly create security risks -- just as unmanaged physical servers do.

Using standardized processes in the cloud can, on the other hand, increase efficiency. Using the Information Technology Infrastructure Library (ITIL) management framework in combination with technologies such as virtualization, Siemens has reduced its IT management and administration task by 25 to 35 percent, says Kollar.

The truth about the cloud
What's the takeaway? That the cloud isn't a magic wonderland of carefree computing, but a complex resource that requires understanding and hard work to manage correctly. And that's no myth.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies