And want you can do about it.
Nicholas Carr wrote a book called The Big Switch: Rewiring the World, from Edison to Google
, on how the shift towards utility computing and cloud computing are analogous to how firms shifted from providing their own sources of electricity to hooking into the electrical grid. His argument, and I largely agree with it, is that firms will begin migrating from self-hosted servers to virtual servers on the computing grid. He also gave nice presentation for Google, which no longer seems to be available, a I did find a briefer version of him stating his thesis on YouTube. The benefits of this paradigm are huge, but they are not without risk.
Cloud computing and utility computing are different in kind and nature, particularly with regards to the treatment of data. There are broad trends developing in each segment on how your data is being handled. In short, with utility computing you ‘rent’ your server space as you need it, for as long as you need it (minutes?/years?). In general, utility computing allows the customer to use a computer system just as if it were in their data center, when of course it is not; it’s a virtual machine in someone else’s data center. Cloud computing really occurs at the application level, the fact that you are renting servers is incidental to the fact that you are renting business logic from someone and consequently they organize your data in way that fits that business logic. Geva Perry the Chief Marketing Officer at GigaSpace Technologies wrote a nice blog on the technical differences.
An example of utility computing is Amazon EC2 (disclaimer: Cirrus Nine is an Amazon EC2 customer and you are reading this blog on a server hosted there). While I have found Amazon to be a very good netizen, they are still a business and they try to hook you with proprietary services. The good news is that the open source community is responding with interesting alternatives to un-do these lock-ins. Cloud computing, on the other hand, attempts to lock you in by making it difficult to migrate your data just like any other proprietary application. Examples of cloud computing are Salesforce.com and Google.
Recently, the Software Development Times wrote a good article on how three different vendors (Salesforce.com, Microsoft Azure, Amazon EC2) handle your data. In short, Salesforce.com, clearly a cloud based application, has written robust APIs to allow you to access your data. Microsoft Azure is another cloud computing platform that has utility computing aspects to it, you can host your own .NET based applications, but you do not appear to have access to the underlying operating system. It also allows a developer to loosely couple their application with the Microsoft Live applications. Amazon EC2 a pure utility play, you choose and have access to the underlying operating system and have complete, direct control over your data at all times.
Despite protestations to the contrary physical security of your data remains a concern (Salesforce, Amazon, and ominously the only mention I could find of security on the Azure site was here). I am reminded of an occurrence at a company that I worked at. The person in charge of security was also did double duty as the webmaster. He was forever berating us, the users, in not a particularly nice way, the employees about security. Remote access to internal data was encrypted and highly secure. One weekend our website went down. It turns out that the security guy had one of the few desks near a window and that somebody had seen his shiny Sparc workstation sitting on his desk, threw a rock through the window and stole it; and with it went the web site. The point is not that this exact scenario will occur at a cloud provider you choose, but what is to stop a rogue employee from accessing your data or stealing drives? In the Software Development Times article, the Salesforce representative completely dodges the issue and once again, Amazon shines, because it gives you control of the operating system and you can encrypt your own data, at the expense of making you responsible for the security of the entire system. As for Azure, who knows? Microsoft isn’t telling. You would have thought by now that Microsoft would have learned by now that security by obscurity is a defunct concept.
Of course these aren’t the only vendors in the cloud. When discussing hosting your applications perhaps the key question to ask, “Is my data encrypted at the disk?” If you don’t you may have to explain to your boss how your cloud provider lost your data.
Data portability is also a key factor in Cloud computing. Amazon being a vendor who wants to lock you in, like any other vendor, offers two services that have this potential SimpleDB and Simple Queue Service. In general I’d recommend avoiding anything that locks you into a particular vendor. Yet that leaves common problems to be solved, the answer may simply to be to use Open Source alternatives like M/DB for databases services (interestingly they mimic the Amazon API, perhaps negating Amazon’s proprietary play) or Apache ActiveMQ for queuing services. As a general rule, I believe you should not exchange simplicity for flexibility. How many firms are stuck using a proprietary application server now, because they chose the easy route?
Salesforce provides good transparency into your data. The have documented their data model and others have documented how to get your data into competing products. On the other hand they try to hook you into by encouraging you to use a proprietary programming language. According to Software Development Times article, Microsoft’s Steve Martin, said that Azure is fully portable to non-Azure hosts “so long as the customer remains with the Microsoft stack.” (emphasis mine) That’s a pretty big requirement.
When evaluating your application provider, access to data is a key point. For instance, I have a public sector client who is investigating Zimbra as a replacement for Exchange. Ideally they would like to host this with Zimbra (which is a subsidiary of Yahoo!), but they have a data detention policy. On a system they could specify using Maildir for storage and write their own a shell script and cron job to delete emails written or received prior to a set time frame. Will Zimbra provide this flexibility?
In short when working with either a cloud computing vendor or a utility computing provider, make sure that you have complete access to your data and that your data is secure, not only over the wire, but while your data is at rest too.
David Christian | 
May 26th, 2009 | 11:08 am| 
