Even as interest in cloud computing grows, central hurdles to adoption persist. Given concerns about data privacy and security, some industry watchers wonder whether enterprises will opt for public clouds at all. Will IT shops instead opt to roll their own internal clouds until their fears have been put to rest?
The barriers to cloud adoption were key themes at the sixth annual Hosting and Cloud Computing Summit in Las Vegas. During two panels, experts faced cloud security, privacy and adoption concerns head-on and explored how providers and users alike might march forward.
Security concerns remain barrier
During the past few years, companies' concerns about data security, privacy and compliance have blossomed, and their spending shows it. Between 2007 and 2010, the percentage of IT budget spent on security and compliance issues increased from 4% to more than 13%, according to Tier1 Research data.
But despite increases in security spending, achieving data security and compliance in a cloud model continues to vex companies. The immaturity of cloud computing, a vacuum of standards and a trail of data security breaches haven't helped the cause any, either.
In a panel on security, experts noted that companies cannot be PCI compliant on Amazon's Elastic Compute Cloud (EC2) platform because of a lack of service-level agreements (SLAs) and security guarantees. Abstracting services that have been provided by hardware in traditional enterprise data centers and moving them to external clouds has left companies with no way to prove they are in compliance -- a serious disincentive to moving to the public cloud model.
The legal ramifications of storing data in different jurisdictions can be immense as well, according to Tier1 analyst Rachel Chalmers. Betfair.com, a U.K.-based online sports betting service, opted not to expand into Amazon's EC2 because of gaming commission requirements and the legality of honoring wagers in the multiple states in which Amazon houses data centers. Because Amazon could not guarantee a location for the data, Betfair.com could not comply with the law, and so the company relinquished significant cost savings to remain compliant.
Another key question for the fledgling industry is a lack of standards and frameworks that companies can use to become compliant. A new framework, CloudAudit, is built on the concept of automating audit, assertion, assessment and assurance via an application programming interface (API). In existence since January 2010, CloudAudit has attracted attention and may fill a clear void, moving cloud computing from the fringe into the mainstream.
Panelists also stressed that companies cannot just stand by idly and await improvements. They too must minimize the fallout of a security breach by considering purchasing insurance. According to panelist Andy Ellis, when a loss occurs for large organizations -- and one will -- insurance is crucial in preventing serious financial burdens from a company devaluation or shutdown.
To public cloud or not? (That is the question)
For the cloud market, another key question is whether public clouds will be enterprises' "cloud of choice."
In a panel on hurdles to cloud adoption, experts explored whether companies might instead opt to build their own internal clouds as they await a transition to public clouds.
"[Enterprises] will move to the public cloud," predicted Patrick Bryant, a product manager at Racemi, a systems imaging and portability management firm, "when somebody comes to them and says, 'I have a solution that will move your existing workloads into the cloud, scales up and down, and takes the management out of your hands while delivering on the SLAs and security you demand.'"
Until enterprises see this reality -- the ability to roll their existing workloads into a self-service, on-demand, secure infrastructure that they don't have to worry about or manage -- they may bide their time and exploit their existing infrastructure in a private cloud model. Until they see such results, they may remain hesitant to move to an insecure external provider's environment that they cannot control.
JOSEPH FORAN'S BIO:
Joseph Foran is the IT director for Bridgeport, CT-based FSW, Inc., and principal at Foran Media, LLC. He has been in IT since 1995, specializing in infrastructure, and involved in virtualization and cloud computing since 2002. Email Joe at email@example.com or follow him on Twitter (@joseph_foran).