Computerworld

Managing the cloud

How to manage cloud computing as part of an overall IT strategy

If there’s one word that dominated IT in 2009, it was ‘cloud’. And for good reason; the rapidly maturing market of cloud services is growing closer to realising its true promise of reducing IT costs, increasing automation, flexibility and mobility of end users and, arguably, allowing IT managers and their staff to spend more time on innovation.

Along with these benefits, the cloud has also introduced a new set of IT management complexities, regardless of whether it is the public, private or hybrid model. The need for visibility is a major area of focus, followed by control over the management of both physical and virtual environments while ensuring that data is secure, protected and compliant. IT managers must also consider issues around interoperability and the need for automation.

Securing the nebula

The security ramifications of the cloud have dominated discussions about cloud management. Detractors will argue that the cloud is inherently insecure. Proponents counter that it is safer than traditional computing and therefore an aid to IT management.

Spearheading the latter argument, Peter Coffee, director of platform research at Salesforce.com, argues enterprise-grade cloud service providers can apply a higher level of expertise, under far more stringent scrutiny, while spreading the costs of rigorous security across a far greater number of customers than the data centres of even the largest enterprises and government agencies.

“People are intrigued to discover that in a cloud services installation, it may actually be more difficult for an administrator to snoop or to misappropriate information than is the case in the on-premise data centre — where a sizable fraction of administrators admit, anonymously, to doing these things,” he says. “People need to be aided in recognising that the cloud should be compared, not to a theoretical ideal, but to the facts of the costly but inadequate security that most organisations tolerate now.”

Coffee’s argument is supported by Asia Pacific IT solutions practice manager at Verizon Business, David Rosengrave, who says customers of the company are deliberately moving testing and development environments which require external collaboration into the cloud.

In the ‘cloud security must be managed’ camp, IDC analyst, Linus Lai, says that despite improvements in security, IT managers should look to reviews, assessments and verification of cloud service providers’ security practices as the first step in managing the risks.

A security review should also cover aspects such as disaster recovery, failover plans and access to management systems.

There will always be data that is too sensitive to leave your business. The priority, according to Clearswift managing director, Peter Croft, lies in the routes between your business and the cloud, not the cloud itself.

“The potential for data getting in to the wrong hands starts from the moment it leaves an organisation, and it’s therefore at this boundary between the organisation and its external environment that security has to be the key priority for those looking to use cloud-based services,” he says.

“Some have suggested a standardised security Kitemark system [BSI Group’s quality certification mark] for cloud providers could be the answer, but the commercial considerations and logistics involved in this render it a long term possibility at best.”

In addition to choosing which apps and data suit the cloud and which should be left on-premise, IT managers must also think about the security of connections from the cloud back into their organisation.

“If you’re letting applications in the cloud talk back into your internal organisation, does that mean that anyone on that external cloud can access my internal applications and data?” asks Melbourne IT’s chief technology officer, Glenn Gore. “You need to look at how you create virtual private networks between yourself and the public cloud provider. Tracking the use of information and data flow between the public and private cloud is important.”

Robert Yue, general manager, Australia, HP Software and Solutions says trusting your data to a cloud service provider doesn’t mean your company is off the hook for ensuring its protection.

“The cloud raises risks that some service providers may not address,” he says. “For example, a cloud service provider’s logging and record retention schemes may not meet company-specific regulatory obligations, which may cause an organisation to fail a security audit. Many cloud service providers offer no service level agreements. That means companies have no guarantees about data availability, privacy or data protection.”

Governance, risk and compliance

Security is one thing. Utilising the cloud can also mean that sensitive data is stored off-shore and IT managers must also answer the question: Where in the world is my data, and what laws apply to it?

The answer is far from straightforward. A myriad of standards need to be supported, such as ISO 27001 for information security, ISO 9000 for quality, compliance with privacy laws, and the introduction of ITIL for the operations and quality of service. To do this, IT managers must implement a robust governance structure.

“IT managers must implement services according to ISO standards, with good governance and security monitoring,” says Harry Archer, head of BT Australia’s Business Continuity, Security and Governance Practice. “This should be followed up by audit and compliance checks and security testing in accordance with the ISO 27001 policy. Transparency with the customer is important during auditing and testing to ensure their confidence in the solution.”

Compliance regulations are often geographically specific. The cloud can provide for agility and unanticipated growth through ‘cloudbursting’ — dynamically deploying software into the cloud to address a spike in demand — but cloud outages render applications and data unusable.

Vendor lock-in

Vendor lock-in can be another fear for IT managers and one which varies depending on the type of cloud services you’re procuring.

Compatibility issues generally occur as you move higher into the application layer, but there can be differences in the way each vendor provisions the move to a virtualised infrastructure, says IDC’s Lai.

“Today, migrating data on and off clouds is not an issue, and even then we expect to see more in the way of meta-data tagging to improve portability,” he says. “There will always be some lock-in until the day we see more ‘open’ standards cloud provisioning.”

Lock-in can occur within individual cloud services, such as Google Apps or Amazon’s EC2, which have specific APIs that are difficult to translate, or don’t translate, to other providers. It can also occur within cloud environments, such as VMware’s vCloud.

“The great thing is that, while yes you’re still locked in, in a way, if you do have a cloud provider and you’re not happy or their cost is too high you can just move your data to a new provider and you don’t have to reinstall everything,” Melbourne IT’s Gore says. “You get a new set of APIs as they’ll be the same across the environment.”

For Simon Kaye, ANZ cloud computing lead architect at IBM, the issue isn’t about vendor lock-in; it’s data lock-in.

“If your vendor makes you follow certain standards that over time the application market moves away from — APIs et cetera — then you are stuck either adapting custom code or staying on back-level versions of your applications,” he says.

Interoperability

A key management issue for interoperability between private and public clouds is that there are several business-level IT management systems that fundamentally break when you interoperate; chief among them back-up and recovery, Melbourne IT’s CTO, Glenn Gore, says.

“If you back up a virtual machine in your own private cloud then move it out from your private data centre out into the public cloud the entire backup methodology breaks,” he says. “You also don’t want to back up from the public cloud back into your private cloud as it will kill you in terms of bandwidth costs and will not perform well. If you use your hosting provider’s backup service it will be a different client with a different regime.”

The difficulty in wrapping metadata around virtual machines (VMs) in the cloud means that, when it comes to moving cloud providers, describing the security posture of VMs becomes an issue. IT managers should therefore detail which VMs should be backed up and how often they’re backed up.

Move from provider A to B and C, and each provider will have a copy of backup data. Requirements should consequently detail whether providers must destroy the data or keep it for a nominated period. How will you ship every copy of that data on to the new cloud provider from the last one?

“You may also start with a 50 gig virtual machine, but once you start shipping it around it may grow to a terabyte or two, with six months’ worth of change histories being imported and exported between providers,” Gore says.

Automation

A key factor in successfully managing the cloud is removing managers and staff from IT management processes — in other words, automating as much of the cloud as possible. “Once you have people involved in any process, it doesn’t survive the journey to the cloud because the cloud is dynamic and you don’t have the time in the day to continually change this as they happen,” marketing CTO for EMC ANZ, Clive Gold, says.

Likewise, application migration — a physical to virtual (P2V) process — should also be fully automated to include correct placement, high availability needs and fault tolerance, and automated disaster recovery should be an integral part of any cloud implementation.

For hybrid public-private cloud, an automated approach to chargeback is also essential, according to VMware’s Di Pietrantonio.

“If an organisation elects to run in a private cloud for six months, then move into the public cloud for the next six months, there should be some automated process to correctly calculate the various loads and consumption rates of a particular service,” he says. “It shouldn’t need to manually generate charging invoices; the data consumed is already captured by the environment. Another example is disaster recovery.”

The benefit of automation is that IT managers can stop managing resources and focus on the IT service delivered to end users. “You can then ask questions around how IT reports to end users, how you can offer a service catalogue, how you can show end users what you’re doing,” EMC’s Gold says. “After that, you can then think about whether you want to provide the service yourself, look to an external provider to deliver it cheaper than you can yourself, or do a combination of the two.”