Clouds are not secure, clouds are not reliable (Part 2 of 2)
Part 1 of this article mentioned that a Bloomberg Businessweek article titled “Cloud Security Is Looking Overcast” had prompted me to expand my list of cloud computing myths. It discussed the common myth that (public) clouds are inherently insecure. The article also prompted me to consider another common “myth-conception”.
Myth: (Public) cloud services are not resilient
News of recent disruptions at some of the more well-known cloud providers has lead to concerns regarding cloud resilience. These concerns are, of course, legitimate but in the interest of brevity, the points here are very similar to those related to security (as discussed in Part 1). Without question, components will fail. As I discussed in a previous article, a key question is "will anyone notice?" Resilience can be addressed in many ways (in the cloud service, in the business application...), and that is a topic too large to address fully here though in many cases, cloud providers, again due to their size, volume, and business model, will be able to offer much stronger resilience, or at least a better platform for resilience, than some businesses on their own. Aaron Ricadela, the Businessweek story author, offers an example of this, Gmail's record of 99.99 percent uptime (less than five minutes down per month) in 2010. Some would argue that is too much down time, though many businesses would be significantly challenged to deliver that level of resilience.
Again, that is not to say that resilience issues will never surface. As Marc Benioff discussed in his book, “Behind the Cloud,” even cloud pioneer Salesforce.com had performance issues as they grew. (In the book Benioff shares the interesting story of how they responded, first incorrectly; and how a much more transparent, customer-centric response, one that led to the creation of trust.salesforce.com, delivered a better solution.)
While it is also true that some clouds may not offer the resilience that a specific business may require or desire, to state that no cloud is sufficiently resilient for business would be inaccurate.
As well, failures can and do occur in cloud and non-cloud environments, both on-premise and with a third-party. And organizations are changing the way business continuity is addressed in their applications. Application architects are now designing "cloud-savvy" resilience into their solutions that can respond to cloud platform failures, (e.g.: Netflix “Rambo Architecture” and its use of “Chaos Monkeys”) ensure resilience and business continuity even when components fail.
So, it is possible to offer resilience in cloud platforms, in applications that leverage them, or both. Though it's not "free,” it's not free in non-cloud environments either. Any resilient solution requires good planning and design; and resilient solutions will cost more. We should also keep in mind that not every application requires the same level of resilience, or security for that matter.
"Never Say Never Again"
Unlike some self-evident truths, not all clouds are created equal. Some are (or can be) very secure. Some are less secure, or not sufficiently secure to meet the requirements of certain applications. Some are not resilient, some are very resilient; and businesses can construct resilient applications that can leverage cloud platforms. Of course, the same can be said of private, on-premise services (cloud or not). Just ask the team at Sony, or any of the other businesses recently attacked that have made recent headlines.
I am not suggesting for businesses to always choose cloud for the sake of cloud... but at the same time, we should "never say never" to cloud. (Apologies to Ian Fleming for borrowing a movie title; a quick search shows I am certainly not the first.) We must keep an open mind to solutions that might offer value to our businesses and the consumers they serve regardless of whether or not we consider them to be cloud-based solutions.
We also need to consider key details such as application and platform security, built-in and "built-on" resilience, service level agreements, contractual commitments, and vendor reputation and track record.
Finally, we must remember that not all services and applications require the same level of service, resilience, and security. And once a provider is chosen, it is prudent to “trust and verify.” We cannot abdicate the duty of care for our customers solely to our providers and suppliers.
In general, I agree with Ricadela's article. It compelled me to further discuss some of these cloud "myths", and I am certain that I am only scratching the surface.
biography
George Watt (@GeorgeDWatt) is VP of Strategy, Cloud at CA Technologies. For nearly 25 years, George has been helping customers simplify and automate their complex IT infrastructures.