Not long ago, the prospect of outsourcing mission-critical applications to a cloud service provider made IT managers cringe. Despite promises of agility, scalability, and the elimination of infrastructure management headaches, there were serious concerns about security and regulatory compliance.
But these fears have largely proven unfounded. In fact, Gartner recently went so far as to call the unsuitability of the cloud for mission-critical apps one of the Top 10 myths in the world of technology.
According to Gartner, "Many organizations have progressed beyond early use cases and experimentation and are utilizing the cloud for mission-critical workloads. There are also many enterprises (not just small startups any more) that are 'born in the cloud' and run their business (clearly mission-critical) completely in the cloud."
Barriers needed to be addressed
Historically, IT execs were slow to place their full trust in the cloud to handle an ERP, CRM or sales-management application based on technical, architectural, cultural and even psychological barriers, says James Staten, an analyst at Forrester Research.
Technical hurdles, for example, include mission-critical availability requirements of almost 100 percent. At the same time, many mission-critical apps leverage commercial software that isn't licensed appropriately for cloud environments. The cloud was also perceived as lacking in scalability, he says.
"Many mission-critical apps scale up, meaning they have to be running on very large compute resources even if most of the time they aren't tapping all the power allocated. When the apps get busy they scale into this assigned capacity. These types of apps in the cloud cost you a ton of money and are a misfit with cloud economics that center around pay per use pricing where you always want to be turning resources off," says Staten.
Those perceptions are changing, however, and agility is the main reason. Last year, Verizon asked IT managers what drove them to move an application to cloud. The results: 32 percent of companies said business agility was the primary driver, while only 14 percent said reducing costs was their main motive.
For its part, Forrester Research, in an October 2014 report, surveyed 300 IT managers worldwide about their consumption of cloud services. The company found that agility is the most important driver of cloud adoption, with 77 percent of the enterprises interviewed citing agility -- including responsiveness, resource utilization, collaboration and innovation -- as the most important driver for cloud adoption.
Goodwill cloud hunting
That was the case for Goodwill Industries, where IT managers initially handed off disaster recovery to Bluelock. Since then, the company has put its ERP and CRM applications on Bluelock's cloud computing platform.
Jeff Ton, Goodwill Industries
"Saving money was not the reason we did this. It's about agility and elasticity. Our business is very entrepreneurial-driven and IT has to react fast. You can't just buy new servers, provision them, and then use them two months later. With Bluelock, we can spin up the server in 20 minutes. Regarding elasticity, we can scale up or scale down on demand, as opposed to the traditional 'stair step' model. Now, when we need more resources, we can quickly and easily provision them," says Jeff Ton, CIO and senior vice president of corporate connectivity.
At Altisource, a financial services company, Verizon's cloud services provide the agility customers demand, says CTO Girish Juneja. "If we do our job right, and build in the right capabilities up front, we have the potential to surprise customers. We can deliver agility, which means quick deployment. With the automation we've put in place, when we have to expand or upgrade, instead of days and weeks in the data center, it takes hours," he says.
"We're building our newer apps on cloud because they can be somewhat seamless as we add more of a workload. In addition, it's now more secure, which is important to not just us, but our customers are now satisfied with security," he adds.
At Direct Energy Solar, Salesforce.com cloud's scalability shaved months off the time it would have taken to roll out a new CRM application, says CIO Stephen Simons.
"When we integrated the ERP system with the CRM system, a rollout that would have normally taken 12 to 18 months, implementation took five months, from pilot to going live. The scalability is such that we had 40 people on the system at the outset, and now we have 400 people on it. By the end of the year, we'll have more than 1,000 people on it."
Costs still matter
Agility may be the reason IT managers cite first when they discuss moving mission-critical apps to the cloud, but cost savings also play a part.
At National DCP, the supply-chain company for Dunkin' Donuts, CIO Darrell Riekena cites reduced IT spending, along with accessibility and scalability as primary drivers for moving to the cloud.
"The shift to the cloud reduces our spending on technology infrastructure, reduces capital costs, improves accessibility from our growing number of distribution centers, and provides flexibility and scalability, as well as real-time reporting.’’
He adds, “Cloud works for us because our focus is on core differentiators. We leverage partners for cloud, managed services, and in other areas we don’t feel are core to our business and partners have the expertise. Also, the economics work for us as we are implementing new systems and our company is in growth mode. We talked about what it would cost to hire the personnel to monitor and maintain the server, license renewals, hardware upgrades and operating system upgrades.”
Losing control of IT
Another historical impediment to moving mission-critical apps to the cloud is loss of control. The move creates the perception that an app and its data are out of an IT department's hands. But this is changing, as providers work to increase transparency and offer proof of regulatory compliance.
"Operations organizations look at cloud and say, 'I can't control it, so I don't trust it.' But security from a major provider like Amazon or Azure is pretty good now, and it has become more transparent. Providers are asking, 'What do you need to see?' So when the IT manager asks, 'How do you do these things,' they can show them," says Lydia Leong, an analyst at Gartner.
Compliance audits and certifications help too. Many of the major clouds now have certifications of compliance with PCI-DSS, HIPAA, MPAA and other performance and security standards that enterprises are getting more comfortable with cloud criticality.
Also, all the leading clouds have rich documentation now detailing how to achieve mission criticality and as they have matured have made improvements in their practices, infrastructure elements and supplemental," says Forrester's Staten.
Such regulatory compliance and transparency are key in the financial services industry, where an organization's clients expect regulatory compliance, as well as a certain level of comfort with their financial advisors' application and data-management practices.
At Altisource, Verizon's cloud services provide the compliance and transparency customers demand. says Juneja. "We can maintain regulatory compliance. We look at the intersection between security and compliance regulations, and what can be done on premises and what can be done off premises. We designed our cloud environment as we addressed them, and then we made the move. In our situation, the customer knows an application is cloud-based, but that's because they need to know. It has to be transparent. We spend three to four months to reach a point where customers are satisfied themselves about the new environment," he says.
One long-standing obstacle to moving mission-critical apps to cloud was security. But according to Verizon and HBR Analytic Services in their 2014 survey, 65 percent of enterprises said that cloud doesn't compromise IT security, and, perhaps more surprising, 36 percent said that it actually improves it. According to the report, IT managers are "...possibly recognizing that cloud providers have huge incentives to meet the high levels of security, and the resources to maintain them."
For its part, Gartner ranks a perceived lack of security on the cloud at No. 6 in its list of the 10 biggest cloud myths perpetuated by the general IT community, at least when that security is compared with on-premises efforts.
+ ALSO ON NETWORK WORLD: Gartner reveals Top 10 IT Security Myths +
"Cloud computing is perceived as less secure. This is more of a trust issue than based on any reasonable analysis of actual security capabilities. To date, there have been very few security breaches in the public cloud — most breaches continue to involve on-premises data center environments. While cloud providers should have to demonstrate their capabilities, once they have done so there is no reason to believe their offerings cannot be secure," according to Gartner.
As more IT managers place mission-critical apps in the hands of cloud service providers, the better they feel about data security. They also learn that security is not entirely the responsibility of their provider, says Leong.
"As people make the move to cloud for reasons of agility, and they become more confident with security, we see more shared responsibility between providers and the IT department. It comes down to how you configure security," she says.
The Zayo Group, a provider of bandwidth infrastructure services, is both a consumer and a provider of cloud services. Using cloud services from Salesforce, and at the same time offering IaaS and PaaS solutions to the telecom industry, has given IT managers at the company a view of cloud security both on and off premises.
By combining its own data security efforts with those put in place by Salesforce, Zayo Group and its customers are comfortable with cloud-based app deployments, says Sandi Mays, senior vice president of IT.
In many cases, the decision to move a mission-critical app to the cloud reflects the larger trend toward having someone else manage IT infrastructure. By offloading large chunks of the data center to a service provider, an organization can focus on its core business, rather than managing its IT assets.
"IT managers are saying, 'These are mission-critical systems, but rather than us doing it, let's make it their problem.' Mission-critical is being redefined in the hosted, private cloud. Companies are saying, 'I'm not in the infrastructure business, I'm paying someone else to do that. They're saying, `I'm in the oil exploration business’, or 'I'm in the banking business. They're responsible for the data, but now they're not picking boxes. They expect their provider to do that," says Richard Villars, an analyst at IDC.
Rethinking IT staff
At the same time, foisting mission-critical applications and all the hardware and software technology that goes with them off on a provider can put a scare into IT staffers. If the software engineer responsible for maintaining an ERP system has that job taken away, what happens to his job?
"As for reducing staff, there is some 'Is the cloud going to eliminate my job?' But it's actually providing growth and opportunity. If I'm the data center architect who used to take 10 days to get more storage capacity, but now I can develop a service to do that, [my job is secure.]," says Villars.
This was the case at Goodwill, where some IT workers felt that their jobs were threatened when the organization moved its SAS human resources and financial applications, along with disaster recovery, to Bluelock's cloud, says Ton.
"At first, IT staffers were concerned, but sometimes, with a new technology, people think, 'We'll jump into this full bore.' But this has taken us five years, and we said that if your job is to maintain hardware for servers, it won't be here anymore. If you're a systems engineer working on our on-site email, which was moved to the cloud, you need to learn new skills. You'll need to learn to architect systems in the cloud, or make a career decision. We needed to communicate our vision and they had to adjust."
The growth of acceptance of cloud computing means IT departments must adapt, and as with any far-reaching advance in the way IT infrastructure is managed, represents a cultural shift, adds Forrester's Staten.
"A lot of IT departments feel threatened by public clouds, in the sense that they are cheaper, faster, and more scalable and thus will lure corporate workloads away from the corporate data centers and thus the IT staff won't be needed anymore. This is an unrealistic concern as the enterprises which have gone the furthest with cloud haven't gotten rid of any IT staff. They have asked the staff to adapt to new needs and responsibilities which may require them to learn new skills, use new tools or adapt their role a bit but so long as the IT pros are amenable, they usually end up with more valuable and rewarding roles."
Indeed, the move to the cloud brings with it plenty to do for IT departments. The promise of agility, scalability, availability improvements, and cost savings are tempting an increasing number of IT managers to outsource everything from email to business intelligence to a cloud provider, but it's not a plug and play proposition.
"From a technical standpoint, cloud has evolved, but you still have to understand how to architect for it. Moving a mission-critical app to cloud involved many more gymnastics early on, but the concerns are still there," says Gartner's Leong.
Altisource's Juneja recommends scrutiny of data access and security. "With the cloud, you don't get a ready-made cake. You have to do some work up front in a few key areas. First, access and identity management, which you have to look at in a different way. A business application has privileged users and you have to decide how to manage access to databases, etc. Second, you have to think about data security, and how you deploy tools, drive agility, and drive efficiency and scale. Applications can morph from ground-bound to the cloud, and it takes a lot of up front investment to move to a different application paradigm."
Webster is a freelance writer. He can be reached at johnwebstervt@gmail.com.
This story, "Cloud fears fizzle, mission-critical deployments sizzle" was originally published by Network World.