Renata Budko, vice president of marketing at virtualization management vendor HyTrust, says the best candidates for movement are those with relatively few modules and tiers, that are relatively "stateless" (not overly dependent on the timing and sequence of processing events), and those with relatively few user profiles to track. "If it's an internal cloud, you can access the policy database within the same cloud," she says, while customers may be reluctant to host sensitive security data in an external cloud or allow external access to their internal security data.
Having said that, beware of:
Myth No. 5: You won't ever be able to seamlessly blend your public and private clouds
Vendors are scrambling to provide such seamless blending. Kollar, for example, expects to provide it to his customers within 12 to 18 months. Until it's widely available, RightScale's Von Eicken recommends standardizing configurations, data models, and automated deployment policies for both public and private clouds. That allows you to take advantage of the public cloud when it makes sense today, while building a foundation to do more sharing of public and private resources as the technology, standards and processes mature.
Myth No. 6: Cloud computing always saves you money
McKinsey & Co. recently released a hotly contested white paper claiming customers are only likely to save money when running specific platforms, such as Linux, in the cloud. For an entire datacenter, the report says, you're better off staying in-house.
McKinsey declined to comment, but in a blog posting, Google Apps senior product manager Rajen Sheth said that the study erred by only considering the savings of using low-cost servers in a highly redundant architecture. It neglected, he says, the additional money customers save by using "the same scalable application server and database that Google uses for its own applications" and not having to purchase, install, maintain, and scale their own databases and application servers.
Another wild card, says Staten, is that under current licensing and support models, customers could pay significantly more to their commercial software vendors by deploying their software in the cloud than they would internally.
Myth No. 7: A cloud provider can guarantee security
Even if a cloud provider has every security certification in the book, that's no guarantee your specific servers, apps, and networks are secure. When it comes to, say, compliance with the credit card industry's PCI DSS (Payment Card Industry Data Security Standard), a retailer or credit card processor is audited on how well their servers and applications are deployed on the platforms provided by a cloud vendor such as Amazon or Google. "If you set up your applications badly," says Staten, "it doesn't matter how secure the platform you're running on is."
Securing Siemens' cloud environment required looking at IT "from the outside in" and securing every conceivable path by which a user could access critical information, says Kollar. Securing each platform was not a significant challenge, he says, but ensuring all the needed security technologies worked together was.
Staten says it may require "architect-to-architect" sit-downs to assure a vendor hasn't, for example, cut costs "by simply giving each customer their own table space in the same database," as that would allow any customer to see any other customer's data.