Learning Resource

An Essential Guide to Possibilities and Risks of Cloud Computing

By Maria Spinola

By 2011, early technology adopters will forgo capital expenditures and instead purchase 40 percent of their IT infrastructure as a service….Cloud computing will take off, thus untying applications from specific infrastructure.

—Gartner Highlights Key Predictions for IT Organizations and Users in 2008 and Beyond, January 2008

Cloud Computing is quite possibly the hottest, most discussed, and often misunderstood concept in Information Technology (IT) today. In short, cloud computing proposes to transform the way IT is deployed and managed, promising reduced implementation, maintenance costs, and complexity, while accelerating innovation, providing faster time-to-market, and providing the ability to scale high-performance applications and infrastructures on demand.

The goal of this white paper is to provide a realistic perspective of the possibilities, benefits, and risks of cloud computing—what to look for, what to avoid, and some tips and best practices on implementation, architecture, and vendor management strategies. It is important to consider all those aspects before you decide whether or not to move your systems, applications, or data to the cloud in a hype-free approach.

Note: Mentions of vendors and products are not endorsements or recommendations.

Why Should You Care?

Business managers know that in spite of the benefits of every new technology and business model, there are also risks and issues like trust, loss of privacy, regulatory violation, data replication, coherency and erosion of integrity, application sprawl, and dependencies, among others. Therefore they realize that rushing into a cloud computing arrangement or can be a very bad decision, especially if accompanied by irrational exuberance and unrealistic expectations. However, ignoring cloud computing altogether because of a belief in your ability to secure your own environment better than a service provider ever could isn't smart either.

This white paper contains useful information even if your company, public or private, has already decided not to use cloud computing in the near future. It is likely that unbeknownst to you, some of your departments are already using cloud computing, and you will need to define a cloud governance program and make it available to all your internal customers.

For instance, if your company has an IT department, it's probable for software developers, pressed to demonstrate a proof of concept, to use a cloud computing service provider and configure the servers in minutes or hours, instead of waiting days or months for new server acquisitions to be approved, delivered, set up by IT, have the network configured, and so on.

Or maybe it is your sales department that decides to go to a cloud computing service provider and start using their cloud computing CRM immediately, instead of waiting months to have a CRM program on the premises, and you will only become aware of this initiative when they ask to integrate it with the billing and finance programs.

Also, a relatively young company without a huge IT infrastructure, will tend to move more quickly to the cloud, be able to enter and build new markets more rapidly, and thus achieve competitive advantages over more traditional businesses.

Defining Cloud Computing

Cloud computing disrupts the conventional on-premises IT model, where you keep acquiring servers, PCs and software licenses as your business grows. Running application services on a cloud platform moves CapEx (capital expense) to OpEx (operational expense), because business can develop, deploy, and use more application services as they require them, without needing huge initial capital investments (and ensuing operational costs) for dedicated infrastructure that may never be needed.

The convergence of grid-and-cluster computing, virtualization, web services, and service-oriented architecture (SOA) offers the potential to set IT free from the costs and complexity of its typical physical infrastructure, allowing concepts such as utility computing to become at last meaningful. With the global economy in crisis, the timing could hardly be better for the technologies and services cloud computing provides, as IT managers are forced to make tough decisions and do more with less.

Myth: Cloud Equals SaaS, Grid, Utility Computing, Hosting, etc.

With virtually every vendor and provider on the planet jumping on the cloud computing bandwagon, sometimes it's difficult to discern whether a service is truly a cloud computing offering or simply a pre-existing offering that has the cloud label slapped on it, such as hosting, outsourcing, ASP (application service provider), on-demand computing, grid computing, utility computing, SaaS (software as a service) and so on.

In fact, cloud computing is not a technology revolution, but rather a process and business evolution on how we use those technologies that enable cloud computing as it exists today: SaaS, inexpensive storage, REST, AJAX, SOA, on-demand computing, grid computing, utility computing, virtualization, etc.

The issue is that many providers of those technologies hijacked the term cloud computing, and it is this confusion that discredits the entire industry. If everyone is doing "cloud computing," then in a sense, no one is doing it. The advantages the cloud are supposed to deliver become dissipated in the mist of confusion, deception, and disillusionment.

Consider the following analogy: any example of franchising is a business, however not all businesses are franchises. This line of reasoning can be applied to cloud computing; While some SaaS offerings are cloud, that doesn't make all SaaS offerings cloud services. SaaS is one of the three possible cloud computing delivery modes. However, to be considered cloud computing, any of those delivery modes must have certain specific characteristics, which are described in the next section.

For all of the above reasons, it's important to define what cloud computing really is, because there is definitely promise of value amid all the hype and confusion.

What Is Cloud Computing?

In a recent report, McKinsey (2009) pointed that there were "at least 22 different cloud definitions in common use."

Cloud computing allows businesses to increase IT capacity or add capabilities on the fly and in real time without investing in new infrastructure, training new personnel, or licensing new software.

However, the above definition is not complete. The National Institute of Standards and Technology (NIST) provides a simplified definition of cloud computing.

According to NIST (n.d.) there are five characteristics of cloud computing:

  • On-demand self-service—Individuals can set themselves up without anyone’s help.
  • Ubiquitous network access—Made available through standard Internet-enabled devices.
  • Location independent resource pooling—Processing and storage demands are balanced across a common infrastructure with no particular resource assigned to any individual user.
  • Rapid elasticity—Consumers can increase or decrease capacity at will.
  • Pay per use—Consumers are charged fees based on their use of a combination of computing power, bandwidth use, and storage.

There are three possible delivery methods:

  • Cloud software as a service (SaaS)—Customers rent software hosted by the vendor.
  • Cloud platform as a service (PaaS)—Customers rent infrastructure and programming tools hosted by the vendor to create their own applications.
  • Cloud infrastructure as a service (IaaS)—Customers rent processing, storage, networking, and other fundamental computing resources for all purposes.

Possible deployment models include the following:

  • Private cloud—The cloud infrastructure is owned or leased by a single organization and is operated solely for that organization. Private clouds are also known as internal clouds.
  • Community cloud—The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations).
  • Public cloud—The cloud infrastructure is owned by an organization selling cloud services to the general public or to a large industry group. Public clouds are also known as external clouds.
  • Hybrid cloud—The cloud infrastructure is a composition of two or more clouds (internal, community, or public) that remain unique entities but are bound together by standardized or proprietary technology).

To summarize, NIST defines cloud computing as nothing more than a service model where business workloads, such as software applications (SaaS), platforms (PaaS) and infrastructures (IaaS) are used in accordance with the following characteristics:

  • Services are provisioned quickly without requiring excessive administrative intervention on the part of the end user’s organization.
  • Services use a shared resource model (pool of virtualized resources) to support a cost-effective pricing structure (only pay what you consume), either housed locally within the four walls of the your data center (private cloud) or outside the data center at a secondary site or third party hosting facility (public cloud).
  • Providing self-service interfaces that let customers acquire resources at any time and get rid of them the instant they are no longer needed.

A true cloud abstracts the underlying hardware from the buyer, is elastic in scaling to demand, and bills buyers on a pay-per-use basis.

Although the right cloud computing definition is important, concentrate on what cloud computing does for your business. It provides a way to increase capacity or add capabilities on the fly without investing in new infrastructure, training new personnel, or licensing new software, and you only pay what you consume.

Overall Cloud Computing Adoption

Why Large Public- and Private-Sector Organizations (Not Just SMBs) Are Seriously Considering Cloud Computing

Cloud computing gives you access to completely different levels of scale and economics in terms of the ability to scale very rapidly and to operate IT systems more cost-effectively than previously possible.

The benefits can be classified into three main categories

  • delivery of service (faster time-to-value and time-to-market)
  • reduction of cost (CapEx vs. OpEx tradeoff and costs that are more competitive)
  • IT department transformation (focus on innovation vs. maintenance and implementation)

During economic downturns, the ability to speed up time-to-value and time-to-market becomes more critical than ever, and represents what is probably the most important benefit of the cloud. Many companies are delaying projects unless they deliver a return on investment within weeks. With cloud computing, companies can speed up those times, because of the following benefits:

  • There is no upfront capital investments and less financial risk, allowing companies to shift from capital to operational expenses, which also means better cash flow and a more competitive business. Cloud computing also removes the huge upfront capital investments on on-premises infrastructure (applications, servers, network, maintenance, licenses, hardware, facilities, etc.) that present an uncertain payoff and that may never be needed. After all, what if the benefits don't materialize? Too bad, the money's been spent! With cloud computing, you only pay for what you use when you need it and you can terminate the contract. "The biggest financial benefit of cloud computing, particularly in these capital-constrained times, is avoiding taking on debt and keeping cash in the company longer. If a project uses a cloud-based service provider, then the CFO avoids writing a big check upfront. Instead, checks are written monthly or quarterly, in alignment with the return" (Microfocus, 2008).
  • Clouds can provide an almost immediate access to hardware resources. For large enterprises, the ease of deploying a full service set without having to set up base infrastructure to support it can be even more attractive than cost savings. For start-ups, it allows you to test your business plan very quickly for little money.
  • Large-scale multitenancy contributes a significant economic advantage. Sharing the resources and purchasing power of very large-scale multitenant data centers provides an important economy of scale.
  • Cloud computing allows for easier change management of infrastructure, including maintenance and upgrades. Cloud vendors extensively virtualize and commoditize the underlying components to make it nondisruptive to replace and improve them frequently. In distributed computing environments, up to 85 percent of computing capacity sits idle, and a 2009 Gartner report revealed that energy costs per year can exceed $105,000 for two racks of servers.
  • Cloud computing offers improved agility to deploy solutions—Instead of taking months or weeks, now you just need days or hours—and choice between vendors, particularly when cloud interoperability becomes more of a reality than it is today.
  • It reduces the headaches of integrating and maintaining servers, storage, and software, and eliminates mundane IT management tasks from skilled staff, delegating those tasks to cloud specialists. This shift in responsibility allows your staff to concentrate on what they are skilled at, and to focus on the service innovations and other actions that drive the business, rather than maintaining server uptime, installing yet another software upgrade, or adding yet another user account.
  • Cloud computing also offers an on-ramp for your IT staff to recent computing advances such as non-relational databases, new languages, and new computing frameworks.
  • Cloud computing can lower IT barriers to innovation and increase interoperability between disjoint technologies

To summarize cloud computing allows you to pay for innovation, not infrastructure. The best way to understand all these benefits may be to give an example, which is featured in the next section.

Cloud Computing Benefits Example (IaaS)

Consider a researcher at a pharmaceutical company who needs to analyze a lot of data fast. If the results turn out as expected, the company could have a world-class success (and high profits) on its hands. But 25 servers are needed to crunch the huge volume of data!

  • Scenario without cloud computing—Wait until the purchase request is approved, the servers arrive, the servers are configured, etc. All of these steps can take several weeks or even several months. Let's say it takes three months. In an industry where the cost of delaying a product is estimated at $150 per second, that three-month wait would cost more than $1 billion.
  • Scenario with cloud computing—The researcher clicks over to Amazon web services, configures the 25 servers in the cloud in one hour, and within two hours has crunched the data. Total fee for the time using Amazon’s resources? Just $89.

This isn't an imaginary example! This really happened at the pharmaceutical company Eli Lilly. Despite the upshot, the company also faced concerns about security and SLAs: how could they prove there was no trace of their data left in the Amazon cloud? They had to take Amazon's word for it—an issue we will address in the following sections.

If all of your infrastructure (applications, data, servers, etc.) could be moved 100 percent to a public cloud model, your business wouldn't need to buy any more hardware, any more software, or hire any additional IT staff.

So if cloud computing is all that, why isn't every business using it? There are some risks—including some major ones involved—as well as inherent challenges: the security of the enterprise data that is stored in the cloud, the risk of lock-in to cloud platform vendors, loss of control over cloud resources that are run and managed by someone else, reliability, governance, performance, human capital, compliance, and integration with legacy systems. Some of these risks still don't have an industry-wide solution.

Also keep in mind that the majority of those risks and challenges aren't new. They already exist in current on-premises solutions, hosting, etc., but they are more visible and need a different analysis or reanalysis. This analysis is valuable because, even if you decide not to move to the cloud, its findings will benefit your business.

What Are the Cloud Computing Challenges and Risks?

Perhaps by now, you may be asking the following questions, among many others:

  • Where is my data?
  • How does my data securely enter and exit the cloud?
  • How is my data protected in transit?
  • Who has access to my data?
  • Who is accountable if something goes wrong?
  • What’s the disaster recovery plan, including response to a pandemic?
  • How do I comply with export and privacy laws?
  • Will my data disappear when my online storage site shuts down?
  • What happens if my cloud provider disappears?
  • How is the environment monitored for OS or DB application failures, and how are we notified?
  • How is the data protected and secured from theft and damage? How is it encrypted? How are the encryption keys rotated and managed?
  • How easy is it to integrate with existing in-house IT?
  • Does the system have enough customization capabilities to suit my needs?
  • Will on-demand cost more? What is the sweet spot to consider when weighing cloud vs in-house systems?
  • How difficult is it to migrate back to an in-house system? Is it even possible?
  • Are there any regulatory requirements on my business that can prevent me from using the cloud?

Let's start with what is likely the biggest question: security issues.

Security Issues in Cloud Computing Environments (Advantages and Challenges)

GTRA research showed that the most common concern about implementing cloud programs was security and privacy, a finding supported by an IDC study of 244 CIO's where 75 percent of respondents listed security as their number one concern about cloud computing.

"With services such as Google's SaaS, data loss is less likely because the information is accessible from anywhere and anytime without saving it to an easily lost or stolen USB stick or CD," said Eran Feigenbaum, director of security for Google Apps.

Chenxi Wang, principal analyst at Forrester Research commented, "One common mistake is that as soon as you talk about the cloud, organizations assume it's less secure than their own IT security operation." And the source of that common mistake is that most organizations pay extraordinary attention and devote considerable resources to IT security, but that doesn't mean that their data is any more or less secure. The reality is that many attacks come from a lack of timely software update management and server misconfiguration. And the likelihood of such issues occurring (at least as frequently) is greatly reduced in the cloud, where the security-patching process is more streamlined than in a typical enterprise. Vendors, servers and software architecture tend to be more homogeneous, and due to economies of scale, there is staff dedicated to security, ensuring application of the latest security patches.

In addition, the larger Cloud providers tend to have a better grasp of threats, because as Forrester's Wang says, "These people deal with security issues at more complex levels than your own IT team sees on a daily basis."

Cloud Security Advantages

While there are security challenges, there are also some security advantages associated with cloud computing:

  • Data fragmentation and dispersal are held by an unbiased party (cloud vendor assertion). In fact, shifting public data to an external cloud reduces the exposure of the internal sensitive data. A recent survey found that more than one-third of IT professionals abuse administrative passwords to access confidential data (InternetNews.com, 2009)
  • Cloud homogeneity makes security auditing and testing simpler.
  • The cloud offers a dedicated security team.
  • The cloud offers rapid reconstitution of services.
  • There is a greater investment in security infrastructure (e.g., real-time detection of system tampering, low-cost disaster recovery and data storage solutions, hypervisor protection against network attacks).
  • The cloud simplifies compliance analysis.
  • On-demand security controls are provided.

However, that doesn't mean you should blindly assume instant security when you opt for a services provider. Verify the Cloud provider procedures, even if that provider has security certifications.

Let's now look at some Cloud Security Challenges.

Cloud Security Challenges

On the other hand, cloud security entails the following challenges:

  • trusting vendor’s security model
  • customer inability to respond to audit findings
  • obtaining support for investigations
  • indirect administrator accountability
  • proprietary implementations can’t be examined
  • loss of physical control, data dispersal, and international privacy laws
  • need for isolation management
  • multitenancy
  • logging challenges
  • data ownership issues
  • quality of service guarantees
  • dependence on secure hypervisors
  • attraction to hackers (high value target)
  • possibility for massive outages
  • encryption needs for cloud computing

How Can You Be Sure Your Data is Safe?

Data safety in the cloud is not a trivial concern. Some online storage vendors such as The Linkup and Carbonite have lost data, and were unable to recover it for customers.

Secondly, there are data access governance concerns, because there is the danger that sensitive data could fall into the wrong hands, either as a result of people having more privileges than required to do the job, or by accidental or intentional misuse of the privileges they were assigned to do their job.

For example, how can you be sure that cloud providers (especially external providers) apply the right patches, workarounds, access restriction, and isolates systems in a secure way? How can you be sure that they are doing what they are meant to do? Who establishes, maintains, and checks audit trails, assuming they are being done in the first place?

Data segregation is another major concern, because in the cloud your data is typically in a shared environment alongside data from other customers. Find out what is done to segregate data, besides encryption.

Ensuring Compliance in the Cloud

When it comes to compliance, more questions arise than answers!

For example, if you have customer data in the cloud (files, documents, emails, memos, scanned images, etc.) what controls are available to ensure compliance with your published privacy policies and with the privacy and freedom of information regulations in all of the countries where you do business? Where does liability fall in the case of law suits?

Monitoring SLA's and Contracts

Before choosing a cloud vendor, due diligence is necessary by thorough examination of the SLA's to understand what they guarantee and what they don’t. In addition, scour through any publicly accessible availability data. Amazon, for example, maintains a service health dashboard that shows current and historical up-time status of its various services.

Regarding the level of performance, there will always be some network latency with a cloud service, possibly making it slower than an application that runs in your local data center. But third-party vendors, such as RightScale, are building services on top of the cloud to make sure applications can scale and perform well.

But even when SLA's are set and contracts are signed, there are some concerns that should not be ignored. For example, who is responsible for monitoring, auditing, and enforcing the SLA's? Or if security is breached or audits fail, who is responsible for measuring and reporting those breaches? What liability for your business is there in the case of a breach of the SLA ?

Since the cloud service consumer has no visibility inside the cloud, the only option is to trust the provider. Until an independent entity arises that performs those verifications, providers have little or no incentive to admit fault.

Integration with Your Legacy Systems

Of course you are not going to rely entirely on the cloud—far from it. Therefore, there will be plenty of integration work integrating cloud applications with your legacy systems, as well as securing the applications as they move around the cloud and your legacy systems.

Can Applications Move From One Cloud to Another?

Applications can move from one cloud to another, but that doesn't mean it will be easy. There are two main issues with this arrangement: interoperability and migration cost policies.

Regarding interoperability, cloud vendors will have to adopt standards-based technologies in order to ensure true interoperability. The recently released Open Cloud Manifesto supports interoperability of data and applications, while the Open Cloud Consortium is promoting open frameworks that will let clouds operated by different entities work seamlessly together. The goal is to move applications from one cloud to another without having to rewrite them.

However, there are two sides to this coin; the massive capital investments cloud computing providers have made in their data centers, on hardware and software, on highly qualified personnel and so on, will not be generating revenue if customers leave, so customers may incur switching and migration costs.

Another reason this concern is very important is that it creates many issues if your cloud provider disappears, as happened with the provider Coghead. "It took about 4.5 person-months for Shockey, founder and principal of Hekademia Consulting, to port his CRM application from Coghead to Intuit's QuickBase database. While he's philosophical about the forced migration, it's a stark reminder of how quickly a cloud vendor can go under (Scheier, 2009).

The Delicate Balance Between Risks and Benefits

Keep in mind that before moving to the cloud, as with any emerging technology and business model, the most important factor is that you know your team, know your solutions, and know the cloud providers.

The decision to move to the cloud should involve at minimum enterprise architects, developers, product owners and stakeholders, IT leadership, and outsourcing teams.

Take into account that human capital in your organization may be lacking, because exploring new models requires an adventurous spirit and technical astuteness, and if your team is not willing to stretch and learn new things, cloud computing can be very frustrating. Also consider the chance that some of your team elements may think (and with some reason) that cloud computing may place their jobs at risk.

Some business managers are simply too scared to move forward with cloud initiatives! However, this concern, while valid, is not insurmountable. Solutions do exist and are being fine-tuned every day. There are countless examples of successful cloud computing implementations.

Real-World Cloud Computing Applications

Consider the following real-world applications of cloud computing:

  • Coca-Cola Enterprises uses a cloud-based system to streamline operations with merchandisers in the field.
  • Nasdaq uses Amazon’s S3 cloud service to deliver historical stock and mutual fund information, rather than add the load to its own database and computing infrastructure.
  • Animoto, a small start-up which decided to use Amazon's cloud services, was able to keep up with soaring demand for its service and scale up from 50 instances to 3,500 instances over a three-day period.
  • Mogulus streams 120,000 live TV channels over the Internet and owns no hardware except for the laptops it uses. It handled all of the election coverage for most of the large media sites. Its CEO states that he could not be in business without IaaS.

Cloud Computing Implementation Road-Map

Determine the Bad and Good Candidates for the Cloud

First, start by taking a broad look at the applications and other IT resources and systems under your control (both existing ones and planned ones), and categorize them into mission critical (i.e., if it goes offline your company will not survive) and non–mission critical. Both mission-critical and non-mission-critical can be further subcategorized into core business practices (those that provide competitive differentiation) and noncore practices (typically internal activities such as HR services, etc.).

Then apply the following rules of thumb:

  • If mission-critical and noncore, then the application is a good candidate for deployment in the public clouds.
  • If mission-critical and core, then definitely keep it behind the firewall. You may choose to put them in a private cloud or noncloud.
  • If non-mission-critical and noncore, then deploy in the public clouds.
  • If non-mission-critical and core, then it's a good idea to keep it behind the firewall. You may choose to put it in a private cloud or noncloud.

With these rules of thumb in mind, let's take a look at some more considerations of good and bad candidates for public clouds. The following can be characterized as good candidates for public clouds:

  • applications that are used by a group of mobile workers to manage their time and activity (like sales support and field service support applications, e-mail, etc.)
  • software development environments
  • applications that require system hardware or software not normally used by your company's IT operations; you can save money on IT infrastructures that you don't use often
  • applications that are run infrequently but require significant computing resources when run, like test and preproduction systems
  • companies who want to have backup for critical applications
  • companies that have distributed server locations and data centers; you may be able to make more efficient use of servers and storage, lowering equipment costs, and also support your IT investment more efficiently

Bad candidates for public clouds include the following:

  • applications that involve extremely sensitive data, particularly where there is a regulatory or legal risk involved in any disclosure, will require special treatment if they are to be run on a public cloud; get legal advice before committing any applications of this type to public cloud computing
  • applications that require access to very intensive data workloads (for example, loading the database onto the cloud may be costly) as well as any performance-sensitive application (i.e., one that is very likely to create performance problems if it is to run on a public cloud)
  • applications that require high customization (e.g., customized SaaS)

You should conduct a feasibility study that engages legal, risk, and compliance officers to determine if cloud computing is appropriate with respect to laws and regulations your business is subject to.

Prepare Your IT Portfolio for the Cloud

Second, prepare your IT portfolio for the cloud (it can be somewhere in between cloud services and installed applications).

Your portfolio could comprise anything from new assets to the redeployment of certain existing assets, or a complete rewrite of some existing applications. Remember, not all your current applications are cloud-enabled. Service-oriented architecture and virtualized applications are better candidates. Take into account the security, audit, and compliance systems requirements, as discussed earlier in the Cloud Computing Challenges and Risks section. And of course, if you take an insecure application to the cloud (either public or private), it won't become automatically secure!

Next you need to find a vendor that meets those security, legal, and compliance requirements. (See the list of cloud platforms, providers, and enablers and the references section of this paper.)

Key Questions to Ask Cloud Computing Providers

While reading this section, keep in mind that exact security measures don’t need to be fully described by the cloud providers (nor should they, otherwise they may have security problems themselves), but the degree of security provided needs to be stated, then audited by you or by a trustworthy third party so that you can be sure the provider is doing what it claims to be doing.

The following are some of the questions you should have answers to regarding your cloud computing providers, so that you can be confident that they are secure, collaboratively enabled, and compliant with applicable regulations:

  • Where is my data and who has access to it? The provider’s access control and authentication procedures should be reviewed, and companies should find out if third parties have access to the information.
  • How is data being protected? Ask to review the service provider’s architecture to make sure proper data segregation is available. Review their data leak prevention (DLP) deployment to prevent insider attacks. Review the vendor’s data protection techniques to ensure appropriate cryptography is used for both data in rest and in motion. Finally, make sure the appropriate documentation is available for auditors.
  • Will you maintain the features we contracted? And what are the penalties?
  • What is customer support like?
  • How can I ensure that my data and the cloud services will continue to be available, in the event of the provider’s bankruptcy or change in business direction?
  • What's the exit strategy?

Test, Deploy, Monitor and Measure ROI

One of the major benefits of cloud computing is the ability to test a concept relatively quickly and easily. Before making the final decision to either deploy or not deploy to the cloud, you should perform full cloud integration tests. This may seem like a lot of work, but it's worthwhile, because when you move a system into the cloud, you introduce a range of new variables that are beyond your experience and direct control, such as security, performance, etc.

Finally, you should have monitoring systems so that you can measure the performance, while continuing to measure the ROI. And remember, this effort also takes extra time, capital, and human capital resources.

Summary and Recommendations

Experienced business managers know that cloud computing, like most trends and new concepts in the industry, has a tendency to be overhyped. That can create unrealistic expectations and disappointing results from early adopter and first implementations. The best way to prevent this disappointment is to have a realistic plan for cloud computing adoption that assures the applications being targeted have the best potential for generating benefits. That way you are likely to reap the rewards of the risk and gain the competitive advantage you sought by using cloud computing in the first place.

To move beyond the hype and the doubt about cloud adoption by enterprises, vendors need to put aside their differences and agree on common security and interoperability principles. Sooner or later that will happen, and of course it will help for it to happen sooner than later.

In summary, remember the following key points:

  • Cloud computing is all about efficient use of resources, principally, managing capital and technology support costs. Cloud computing is not about technology, it's about process and the business model.
  • Some solutions should not be pushed to the cloud regardless of the perceived fiscal values.
  • Some applications and IT teams are not ready for cloud integration.
  • The cloud reduces your workload in the long run, but to get started, you have to figure out which model of cloud computing is right for you, which applications or services are best suited to it, and how to ensure the proper levels of security, compliance, and up-time.
  • Cloud applications don’t have to be all-or-nothing in the cloud. You can have applications that take full advantage of the rapid deployment and scalability in the cloud, without having sensitive data in public clouds.
  • Whether cloud computing is a viable choice for your business or not, define the governance policies on the use of cloud computing, implement them, and make sure that all your organization knows and applies them.
  • Cloud computing is evolving every day, so keep informed.
  • Not all risks and challenges have clear answers at this time.
  • Ask for help. It's okay to not fully understand cloud computing and how it can be applied to your organization or department, but there are cloud computing consortiums, NIST, and industry leaders who have applied cloud computing to their business and are willing to share knowledge with you. You just need to ask!

Here is a short list of the major vendors and consulting companies where you can ask for help:

  • Dell
  • Sun
  • HP
  • IBM
  • VMware
  • Cap Gemini

The main objective of this white paper was to bring business managers out of a state of uncertainty and fear, and give them the understanding and knowledge necessary to make informed, educated decisions regarding their cloud initiatives.

Of course, this paper could not address all that’s needed, because some issues such as security or interoperability are complex enough to be the subject of one or even several white papers.

References

Cloud computing (n.d.). InfoWorld. Retrieved fromhttp://www.infoworld.com/d/cloud-computing

Cloud computing. (n.d.) In Wikipedia. Retrieved from http://en.wikipedia.org/wiki/Cloud_computing

Cloud computing: An overview. (2009). Acmqueue. Retrieved from http://queue.acm.org/detail.cfm?id=1554608

Cloud Computing Blogs & Resources. (2012). [Online forum] Retrieved from http://groups.google.com/group/cloudcomputing/web/cloud-computing-blogs-resources

Cloud Computing Interoperability Forum (CCIF). (2012). [Online forum]. Retrieved from http://groups.google.com/group/cloudforum

Cloud Computing Use Cases. (2012). [Online forum]. Retrieved from http://groups.google.pt/group/cloud-computing-use-cases

Cloud Security Alliance. (2012). [Online forum]. Retrieved from http://groups.google.com/group/cloudsecurityalliance

Forrester. (n.d.) Cloud computing technologies. Retrieved from http://blogs.forrester.com/it_infrastructure/2009/06/your-thoughts-how-mature-are-cloud-computing-services.html

Gartner. (2008). Gartner highlights key predictions for IT organizations and users in 2008 and beyond. Retrieved from Gartner Highlights Key Predictions for IT Organizations and Users in 2010 and Beyond

Gartner. (2009). Technology trends you can't afford to ignore. Retrieved from https://www.gartner.com/webinar/2232822

Geelan, J. (2009). The top 150 players in cloud computing. @ContainersExpo Journal. Retrieved from http://virtualization.sys-con.com/node/770174

InternetNews.com (2009). IT workers snooping more on colleagues. Retrieved from http://www.internetnews.com/breakingnews/article.php/3824296

Microfocus. (2008). Talking to your CFO about cloud computing: Cloud-based services' pay-as-you-go model works in good times and bad [White paper]. Retrieved from https://www.microfocus.com/media/.../forrester---talking-to-your-cf_tcm6-3653.pdf

NIST. (n.d.) NIST cloud computing program—NCCP. Retrieved from http://csrc.nist.gov/groups/SNS/cloud-computing/index.html

Scheier, R. (2009) What to do if your cloud provider disappears. ITWorld. Retrieved from http://www.itworld.com/article/2772545/software-as-a-service/what-to-do-if-your-cloud-provider-disappears.html

Worthington, D., (2009). Cloud providers vow interoperability. SD Times. Retrieved from http://www.sdtimes.com/content/article.aspx?ArticleID=33410&print=true

Licenses and Attributions

An Essential Guide to Possibilities and Risks of Cloud Computing by Maria Spinola is available under a Creative Commons Attribution-ShareAlike 3.0 Unported license. UMGC has modified this work and it is available under the original license.