But I'm still bullish on cloud computing. If you've been following Forrester's analysis of the cloud computing market, you already know this. Forrester believes cloud computing is one of the Top 15 technology trends in 2010 and that it warrants investment now so you can gain the experience necessary to take advantage of its many forms to transform your organization.
Tenancy, shared economics, virtualized deployment, and cloud service-to-service integration are game changers for those who are using these services. Not only do they bring potential cost advantage to applications that might otherwise have been deployed on-premise, but they create opportunities for new business applications that simply aren't feasible any other way.
Like any emerging technology, however, you have to go in with your eyes open. It isn't as easy as some vendors make it sound, and if you get it wrong it can cost you more than you're hoping to save.
Cloud services can, in fact, save you money, particularly if you have applications with highly variable load. An application that normally consumes only 20% of a single server, but during heavy use can consume 10 servers, is a great fit for cloud deployment where you only pay for the VMs you light up. However, if that application has to take credit card transactions and your cloud provider won't let you audit its environment or won't provide the logging and reporting you need for PCI compliance, then it may cost you more to address these issues than what it would have cost to simply run it in your own data center.
Cloud providers will only go so far in providing security, management and reporting for their services. You have to fill in the gaps between what they provide and what your business requires. A recent concern among Infrastructure as a Service (IaaS) customers has been visibility into cloud congestion in order to ensure application performance. There are no guarantees of performance from the cloud providers and certainly not performance as you may define it for a given application.
The same is true for availability. Where most public clouds will alert you when their services are out (and rebate you for time lost) they won't monitor your application. You have to do that. If your application hangs or fails, it is your responsibility to have a redundant deployment that can identify the problem and work around it. Same with cloud outages.
Another issue most enterprises don't think about is the implication of where the cloud resources are based. Most cloud services aren't geographically ubiquitous. They are like any other Internet service, served up from a data center in a specific geography. And if you do business in multiple geographies you'll need to take into account various local privacy and data protection laws.
In fact, in our analysis of just the IaaS space, 90% of the providers have U.S.-based data centers. If you have European clients, you're subject to European privacy laws which state that personal information on EU citizens must be stored in the EU. That makes many of the cloud providers a non-starter for this use (see Forrester's interactive cloud map.
The promise (and delivery) of geographic diversity should be one of cloud computing's value tenets. And if so, the providers will have to provide a simple means of ensuring compliance with privacy laws. Right now, it's simply far too easy to run afoul of these laws. And it's you, not your cloud provider who will carry the liability.
As one IaaS provider told us recently, "Most of our clients don't have a clue about these privacy laws and frankly aren't worried because there's little enforcement." It's an understandable circumstance but a very risky one, as enforcement can become a real concern overnight. All the government in question needs to do is fry one large enterprise for violations to shock everyone into compliance. And claiming ignorance of the laws isn't a suitable defense.
As you might expect, application developers are less concerned about compliance. They're focused on accelerating time-to-market and raising productivity, and they see cloud computing as a significant accelerator.
While IaaS clouds can deliver, the dynamic scaling involved can expose the company to risk if not managed, and that's the role IT needs to fill.
Don't try to stop your company from using cloud computing – that horse has already left the barn. Instead, create a use policy that serves as guardrails to protect your company as they move down this new path.
James Staten is a Principal Analyst at Forrester Research, where he serves Infrastructure & Operations professionals and covers cloud computing. He will deliver a keynote address at Forrester IT Forum, May 26-28, 2010 in Las Vegas.