"Cloud development by itself isn't any different than traditional development. What it is, however, is less tolerant of poor development practices."
"These problems are not inherent to cloud development but can be magnified in a cloud environment as an unintended consequence," says Kevin McDonald, senior analyst at ICF International and author of Above the Clouds: Managing Risk in the World of Cloud Computing. He recommends that developers become familiar with organizations like the Department of Homeland Security's National Cyber Security Division, which is promoting Build Security In and identifying the Top 25 Common Weakness Enumerations.
Cloud security for developers also means thinking about data security and choosing providers that suit your business requirements as well as technical needs. In the experience of Bienvenido David III, CEO of consulting firm TeamEXtension, "The issues were more of configuration and policies than software development." For instance, TeamEXtension stores credit card numbers AES-encrypted in its database. If a security breach happens, PCI DSS auditors need access to the servers, which Amazon EC2 does not permit. "We cannot be PCI level 1 compliant with Amazon EC2. We can store the card numbers elsewhere, but this opens a lot more security issues. Rackspace Cloud had the same PCI issues as Amazon EC2, so they were out of the running," he says.
Re-Think Your Software Architecture
Despite developers' expectations that deploying to the cloud is "just like" any type of web development, you do need to be cognizant of architecture differences. Explains Standing Cloud CEO David J. Jilk, "Developing applications in the cloud is a little like visiting Canada from America. Most everything is the same, but there are small differences that you notice and need to accommodate." Most differences relate to the infrastructure and technology stack layers rather than to the application code itself, he says.
Internal hosting environments tend to be stable with little impact from outside forces, says Anthony Eden, lead developer at Heavy Water Software. But cloud computing environments (and all virtualized environments to some extent) are messy because of resource sharing. "The behavior of the system as a whole can be, and often is, influenced by things completely outside of your control," Eden points out. His solution: practice gorilla engineering (the practice of dealing with rapidly changing environments).
Don't mistake scalability for system performance, cautions LaFleur. Design applications with latency in mind. Scalable systems are more reliable under load and maintain relatively consistent performance; but do acknowledge the performance hit incurred by moving to the cloud as well as its intermittent failures. Your application should handle disconnections gracefully.
"To really implement web services in the cloud properly developers have to think 'functionally' not 'object-ly'."
"A database in the cloud may be able to grab data out of storage at a fantastic rate, but that data still has to reach the client application," LaFleur says. Often, he's found, minimizing the amount of data moved can have a substantial performance impact. If you only need three fields from 100 records, make sure that is all you grab; even better, he says, grab and display those records in batches of 25.
This may require a different mindset. Says Limewire VP of engineering, John Pavley, "To really implement web services in the cloud properly developers have to think 'functionally' not 'object-ly.' Functional programming means defining functions dynamically that act on data without state and can be evenly distributed to any number of cloud servers as needed. Unfortunately most, if not all, developers are trained to think in terms of objects: stateful entities that bind data inside a single Java or C# class. It's hard to load balance objects and they end up creating artificial limits in your cloud."