In February, a consortium of service providers, vendors, government bodies and consultants started work on a set of measurements designed to make it easier for businesses to compare the security features offered by cloud-computing providers.
As the Common Assurance Metric (CAM) project gets under way, ZDNet UK talks to Imad Mouline (pictured), chief technology officer at Gomez, a specialist web application and site performance firm, about the wider issues of cloud service comparison and measurement.
Q: Are you seeing many companies moving to the cloud?
A: We are seeing a lot of customers asking what their cloud strategy should be. Speaking with many chief information officers and chief technology officers, I know there seems to be some requirement in companies to come up with a cloud strategy — at the very least to be able to defend why that company is not moving to the cloud.
But what about organisations really moving to the cloud?
In terms of the people actually taking the plunge and doing something about it, they tend to be the smaller companies and start-ups that find the time-to-market capabilities of the cloud incredibly appealing. In larger organisations, there is certainly a lot of experimentation — whether it's in development, quality assurance or skunkworks projects.
But I am seeing far fewer mission- or even business-critical applications being deployed into the so-called public clouds. I don't actually know of any.
That perception obviously excludes some of the traditional software-as-a-service [SaaS] tools. Under some definitions, SaaS still counts as the cloud. But in terms of the more recent type of cloud offering — the infrastructure as a service, the platform as a service — I really couldn't point to anything mission-critical.
What are the main issues facing organisations in terms of measuring cloud performance?
There is this real lack of transparency about performance. Unfortunately, most of the cloud providers aren't helping because they don't necessarily come out with well-defined service level agreements [SLAs] — or their SLAs do not have real teeth. They are not punitive enough.
Why establish an SLA just to get a £1,000 credit at the end of the month? That is not the goal of an SLA. The goal is to make the service provider pay attention to the agreement and ensure the processes and redundancy infrastructure live up to the terms.
So what is the best approach for organisations considering a move to the cloud?
My best advice to people is: before you choose a provider, sit down to write a strategy or talk about pricing or performance. You need to understand why you might move to the cloud. There are good reasons and some not-so-good ones.
You might be a small start-up deciding that you do not have the funding [to do a project on premises], so why not go to a model when you can spend operating cash and quickly grow if you need to. That would be a fantastic reason.
Others might go to the cloud because they see that the real promise of the cloud is elasticity. Let's say I have a traffic pattern for my web application with a peak-to-trough ratio of 50 or 100, and the peak only happens 10 percent of the time. Why should I build capacity in-house? Again, that would be a fantastic reason for going to the cloud.
Still others might be thinking of deploying an application on Google App Engine or Amazon EC2 just because, hey, Google and Amazon are probably the best-performing, most stable applications out there. That may not always be true, though, because there are additional services and pieces of infrastructure that Amazon and Google deploy that are not necessarily made available to their cloud offerings.
If you are interested in elasticity, there are two components: one is raw capacity. I need to be able to get 100 machines whenever I want them. No questions asked. The second component is the velocity: how quickly do you need those 100 machines and how much notice do you need to give the system? Do you need those 100 machines in 10 minutes or seven days?
So ask yourself what your goal is and write down your overall criteria, especially when it comes down to performance. Then test according to those performance issues. If you first define why — what's of interest to you — then you can determine which supplier is right for you by tying your selection criteria to those goals.
You need to be assured that when you go into production any time you want, day or night, at the notice you've given, you'll be able to get that capacity. But now multiply that capacity by all the consumers of the cloud and ask yourself whether they will all be able to get it.
Is there really that much spare capacity? Is the demand for the cloud so diverse that it really fulfils the overall promise that anybody can get as much capacity as they want any time they want it and it will all balance out?
So not everyone will be able to get the capacity they need from the cloud?
The cloud is the ultimate shared environment. So you should keep a closer eye than ever on your application or portion of your application that's running in it, because it is, by definition, a shared environment.
As much as virtualisation can supposedly give you a slice of the computing power and bandwidth, the cloud remains fundamentally...