What you need to know about cloud computing

Confusion reigns because 'cloud' is a metaphor, not a function you buy

Depending on what surveys you look at people in both business units and IT are either wildly enthusiastic about SAAS and cloud computing, or are desperately confused about how to do it, why they should and what all the noise is about.

As best I can tell from talking to a lot of them, CIOs and IT managers working on cloud projects don't see them all as "cloud" in the same way vendors or analysts do.

Rather than look at SAAS, private cloud, public cloud and hybrid cloud all as different animals – which vendors do because it matches their product and service SKUs more closely – end-user companies tend to use several or all of them together, depending on need.

They might virtualize their internal servers to save money on physical servers and add some cloud software on top to make even more efficient use of internal resources.

They might hire an external cloud provider for additional compute capacity to meet seasonal spikes in demand, to provide a place for short-term projects or de facto DMZ to help link business partners without the additional work or risk of linking them directly into the core data center.

Business unit managers – who buy so many SAAS contracts that far more big companies are running "cloud" applications than even top IT people think is the case – often don't think of SAAS apps like Salesforce as anything that would interest IT, or even as being part of the "cloud."

Cloudishness is a big factor – about the same as the OS a system supports – but not the only one involved.

SAAS portfolios

Many companies, whether purposely or not, end up with badly managed or completely unmanaged portfolios of SAAS applications, often wasting money by buying the same function twice from the same vendor for different departments, or buying something new that IT already bought for them.

Business-unit managers won't stop buying SAAS apps without consulting IT. It's too easy to get exactly the functions they want without having to wait for internal developers or compromise on features with other departments that don't want quite the same thing, or on quite the same schedule.

That's not necessarily a bad thing, either; one of the biggest advantages of cloud or SAAS is that they take some of the load off IT. If it puts your whole department out of a job that's not a good thing.

If it just shortens up your project backlog, so much the better.

Letting them do that with no management or coordination will not only waste money, it will spread your corporate data across half a dozen SAAS or cloud providers. That makes security and compliance almost impossible because you have no direct control over most of it and no idea which version is accurate – let alone demonstrating you're complying with reporting regulations or even knowing what much of the company is up to.

Pick the right cloud

Even the biggest advantage of a cloud app – that it's housed in someone else's data center and can expand or contract to meet the customer's changing capacity requirements – isn't set in stone.

A private cloud means you can distribute your compute resources more efficiently across all your data centers, applications and departments, but it's not as flexible as using someone else's data center. You still have to buy new servers if a seasonal spike tops out everything you have on hand.

Public clouds are better, but there's a tradeoff there, too. If you don't mind running your applications on virtual servers that run on the same physical servers as VMs running another company's software, you can add or subtract resources on the fly and up to physical limits on capacity that are far beyond what you probably have in your own data center.

Isolation and security

If you want a little more privacy – or are required to want it as many federal agencies are – you can't share physical servers with anyone else.

A lot of non-government agencies do the same thing just because they're uncomfortable running on the same boxes as companies that might be competitors or that might have far too much interest in seeing if there are little holes in the VM infrastructure through which interesting data can leak.

Providers often describe that arrangement as a "private cloud," but you have to make sure about the specifics.

Private network

All the apps run on VMs, so they're taking data in through network ports they share on the physical servers on which they live. Do they also have to share the networks that link those physical servers to the Internet and eventually your data center?

Some providers just run big pipes into the back of their servers and run the data-center network as a slightly more secure Internet. Your data can stay separate from that of other customers if it's encrypted in a virtual private network (VPN) tunnel, but the packets that contain the encrypted data are bumping along through the network wires, routers and switches along with packets belonging to other companies.

Some providers will create more isolation for your cloud by providing either separate physical connections to the Internet – which requires at least one separate network interface card on each server dedicated to your traffic alone. If you don't share physical servers it's a little easier, but you'll still end up paying for separate network connections and routers or switches that provide a private channel to the 'net or through a private (MPLS) connection to your data center.

A few providers are able to virtualize the networks as well, dividing 1GB/sec or 10GB/sec network pipes into separate streams and dedicating one or more to your data.

Virtual I/O setups can also isolate network traffic, but isn't as common as some of the other methods.

Private storage?

Storage in a cloud facility will be virtualized, so you can't usually point to a specific disk array as "yours." How separate is the storage? Is all your data on a completely separate array? Is it isolated on a different SAN than other data? If you share the same SAN, how are the data keps separate and what is the chance of you being damaged if another customer does something irresponsible – like getting raided by the FBI, which comes to confiscate the boxes with their data? Do your data go in for interrogation, too?

Are all the data sets encrypted separately and identified in ways that make it clear to anyone examining the storage that your data is just an innocent bystander and not implicated somehow?

Otherwise the Feds might feel they have a right to sift through your very personal corporate information without paying much attention to the security policies you assembled and delineated before putting it in the cloud in the first place.

Most cloud providers would replicate your data to another SAN or array so if one box goes down (or is taken downtown) you'll still have access to it. Does yours?

If so, how up-to-date is the data? You probably don't want to put highly time-sensitive transactional apps up in the cloud, so losing a few seconds or minutes of data might not be a big deal. What's the window, though? If someone trips over a power cord, even, how much data are you likely to lose?

Physical security

Security is a real worry for most people, but tends to be the first thing most customers ask about, so most service providers have pretty good answers.

The answers aren't always complete, and don't always meet your specific requirements, so double-check. Hire a security specialist to evaluate and, if possible audit the provider's electronic security to give you an idea of how well it meets your requirements and how you can monitor whether it actually does.

Just remember that the cloud provider protects the cloud; it's your responsibility to protect the information.

Ask if the provider will let you take a walk through their secure data center so you can make sure the doors are locked and all the employees have been background-checked for criminal pasts and bonded to make sure you are compensated in case they screw something up.

If the provider lets you walk through the data center, keep on walking to the next available candidate. If they let you walk through, they'll let the next customer do it, too.

You, obviously, are on the up-and-up, but you never know what trouble complete strangers will get up to. They might be the ones that trip over the power cord keeping all your data from going poof.

Find more specifics

By now most of you have gone to sleep, unless you're trying to make a cloud decision right now, in which case you're disappointed that the section dealing with your specific set of questions was too short and non-specific while all the rest were too long and boring.

Don't worry; everyone else who read this far feels the same way, but about different sections than you do.

Like any complex IT decision, the real answers depend so much on your particular situation that it's difficult or impossible to map out all the questions and answers for you in a generic format like this.

Cloud and SAAS computing is supposed to be simpler than traditional approaches. The deeper you get into them, though, the more questions there are.

Ultimately, if you want to be able to closely manage the performance and security of your applications, you'll have to go just as deep on the technology involved as if you were building it in your own data center, and continue to manage it just as closely over time.

That's a bad idea if what you want is to offload your email or other relatively commoditized software, as many small- and mid-sized businesses do.

It's an absolute requirement if you're primarily after the higher skills, uptime, management, flexible capacity and other advantages of apps running in the cloud, but have customers (consumers or employees) who won't put up with outages or slow performance.

If your audience is demanding, no matter how high the quality of the platform, they won't be happy unless you are there personally making sure everything is running the way it's supposed to.

In cases like that, though, at least putting demanding apps in the cloud means you'll have more help than you would if all the support and capacity and performance and security were up to you and whatever limited resources you can command in a data center designed to support only one company, and do that for as little money as management could possibly get away with paying.

Here are a few more detailed guides that may also help:

Cloud guides

Gartner guide to getting the most out of SAAS and Cloud (presentation)

Do the risks of cloud computing outweigh the benefits (Risk Management Monitor)

Cloud computing for non-technologists: predictions and primer (Forbes)

Cloud computing primer (book review, click PDF at bottom)

IBM primer on cloud computing

Cisco primer on cloud computing

Microsoft's guide to cloud and Azure architecture

Amazon Web Services -- economic, technical and usage guides

VMware guides to private, public clouds, self-service, openness, automation and management

Cloud Management

Cloud computing management tools

Cloud management tools for beginners

Application performance management – data center vs cloud (Cloud Computing Journal)

Cloud Security

Cloud Security Survival Guide (CSO)

Cloud Security and Compliance Primer (SANS Institute whitepaper)

Security checklist for cloud models: SaaS, PaaS, Iaas (CSO)

SAAS security is all about the contract (CSO)

Managing Process

SAAS-based project and portfolio management

Project management in the cloud

SAAS-based business process management

Kevin Fogarty writes about enterprise IT for ITworld. Follow him on Twitter @KevinFogarty.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon