10 tips from the front lines of enterprise public cloud use

This is how GE, FedEx, Bank of America, JP Morgan Chase and Morgan Stanley use the cloud

cloud man megaphone

What have GE, Citigroup, FedEx, Bank of America, Intuit, Gap, Kaiser Permanente, Morgan Stanley and JP Morgan Chase learned from using the public cloud?

A group of representatives from each of these companies has worked for the past six months with the Open Networking User Group (ONUG) to develop a whitepaper exploring challenges of using hybrid cloud. ONUG’s Hybrid Cloud Working Group (HCWG) includes not only valuable tips from their experiences using the cloud, but also a wish-list of how these enterprises would like vendors to evolve their platforms.

+MORE AT NETWORK WORLD: What you need to know about microservices +

Here are 10 tips:

1. Categorize apps into low, medium and high risk tiers

Which apps should move to the cloud? Before answering that question you need to classify your apps to know what you have. The HCWG recommends the following categorization of low, medium, medium+ and high security tier apps.

Applications with the highest security risk should have the more stringent security protocols. Low risk data includes public or non-sensitive information such as customer-facing data. Medium risk data – such as ERP systems and business management applications, but not ones that include intellectual property or patent data - can go to the public cloud with extra security precautions. Medium+ apps are categorized as data with government controlled unclassified data or data subject to strict regulatory compliance issues. High-risk apps are not recommended to use in the public cloud; this includes information such as patents, critical business process and sensitive financial information.

2. Use a cloud broker

Once an organization has determined which apps are appropriate for the public cloud, the next challenge is getting them there. An organization can access public cloud resources from any internet connection. ONUG member companies recommend using a cloud broker or “man-in-the-middle,” though, for two reasons: security (what the HCWG calls exploit mitigation) and improved performance. A cloud broker is typically a collocation provider that provides access points to multiple public cloud providers. Example vendors include Equinix, AT&T, Verizon and Sprint.

The cloud broker can be thought of as the new “far edge” of a corporate data center, providing a secure place to inspect network traffic going into and out of the cloud before it reaches the enterprise campus or remote data center. “Packet inspection/scanning or censoring of traffic occurs in the cloud broker to mitigate exploits before entering corporate data centers from cloud providers or exploits trying to do damage to cloud hosted services from private clouds,” the whitepaper explains.

From a performance standpoint, the broker can provide direct fiber connections to multiple IaaS cloud vendors. The broker can serve other purposes too, from application delivery control functions such as load balancing and domain name system/dynamic host configuration protocol (DNS/DHCP) to hosting an active directory to authenticate users. By being a buffer between the cloud and the enterprise network, it’s an ideal spot to host Intrusion Prevention System (IPS)/Firewall security, as well as other network monitoring and analytics tools. Because it’s a collocation facility, the footprint is controlled completely by the customer and can be as large or small as the customer wants.

3. Listed prices are not actual prices

Large enterprises negotiate directly with public cloud vendors and enter into enterprise agreements with discounted pricing. Listed online pricing is usually just a guide. The HCWG warns that contract negotiations can be a long and arduous process, however.

4. Use professional negotiators

When negotiating an enterprise agreement with vendors, use a professional arbiter. Some HCWG member companies took as much as 18 months to negotiate a contract and spent up to hundreds of thousands of dollars in legal fees. Experienced negotiators can be either in-house legal staff or external experts.

5. Licensing in the cloud is different

HCWG members warn of being careful of licensing when using the public cloud. Make sure any software licensed for use on premises is legally allowed to be used in the cloud before doing so. Even if there’s no legal restriction against hosting an on-premises app in the public cloud, some licenses are just not designed with public cloud in mind. “Licensing may be based upon the number of CPUs that the software is accessed by, which may increase significantly once the application is placed in the cloud where more employees can now access [it],” ONUG explains. Search for public-cloud native software licenses where possible.

6. Compliance officer training

Auditors who have been operating in an on-premise world their entire careers may have challenges working in a public cloud arena. “The language of cloud computing and location of assets is foreign to many auditors,” ONUG’s whitepaper states. Be prepared for a potentially frustrating process with auditors if they’re not familiar with the public cloud. ONUG encourages public cloud vendors to provide training programs and tools for auditors.

7. Liability is a hassle

Some ONUG members found considerable frustration when negotiating liability with their IaaS cloud provider. In a more traditional managed services or other outsourcing arrangement, liability typically covers loss, damages and liability up to the value of the outsourced asset. Cloud providers sometimes offer a different type of liability.

“Cloud providers seek liability to cover the dollar amount spent,” the whitepaper explains. “That is, if a company spends $50,000 per year with a cloud provider to host an application and experiences damages of $10,000,000, the cloud provider seeks its liability to cover $50,000. This level of liability will limit the type of applications that will migrate to cloud providers to the low- to medium-risk levels.”

8. Beware of lock-in

Lock-in from a public IaaS cloud provider in some cases is unavoidable, and not necessarily a bad thing, the HCWG explains. The group recommends that end users recognize and acknowledge it. The whitepaper notes the relatively high cost of moving data between different cloud vendors, reinforcing the adage that it’s easy to get data into the cloud, but more expensive and difficult to get it out.

Certain applications are more prone to lock-in too, including workload creation tools, non-standard orchestration tools, non-standard provisioning tools, and vendor-specific scheduling or automation tools. The more an organization’s developers or cloud administrators use and rely on these tools specifically geared for one vendor, the more difficult it could be to run those workloads in another environment.

9. Encrypt everything, and manage the keys

It’s becoming a common enterprise practice to encrypt all data going to and stored in the cloud. ONUG reminds end users to make sure they manage the keys, too. Another security tip that is becoming common practice is to use role-based access controls – meaning that, for example, not everyone in an organization has access to administrative controls in a cloud environment. Those should be protected with at least two-factor authentication.

10. Understand the limits of the public cloud

Along with the detailed list of tips based on their experience using the public cloud, HCWG members have a series of requests for cloud vendors of how their platforms can be improved to make the cloud easier to use. By exploring these wish-list items, it’s clear to see where the public cloud falls short. For example, HCWG members would like easier portability across public clouds, common encryption protocols among various cloud vendors and a common northbound API. The cloud has many advantages, but it’s not a panacea.

Copyright © 2016 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022