Cloud Computing: What is it, do we need it and what are the pitfalls?

Author(s): Nicole Murdoch
Publish Date: October, 2011

With the floods in Queensland leaving many firms without access to their intranets and the impending launch of Apple’s iCloud, the topic of Cloud Computing has once again been raised for discussion.

Cloud Computing is still in its infancy and standards regarding Cloud Computing are yet to be fully developed. However, to be clear, the concept of Cloud Computing is not novel and Cloud Computing does not represent any great advancement in technology per se. Rather, Cloud Computing utilizes a collection of existing technologies. The term Cloud has been used as a metaphor for the internet for many years and historically, any service supplied via the internet was considered to be supplied via the Cloud.  However, in recent years, a new model of providing information technology services via the internet has emerged. This model, in its various forms, is referred to as Cloud Computing.

In practice, Cloud Computing allows firms to outsource computer infrastructure and services to a Cloud Service Provider (CSP). It allows users to access software applications over the internet rather than installing the applications on each workstation. Traditionally, firms install software on each workstation and store data on a local server which is accessed via the firm intranet. Under the Cloud Computing model, firms can outsource infrastructure (such as a server) and also remotely access third party software installed on remote infrastructure. In addition, Cloud Computing offers firms the option of installing their own software (or acquired software) on cloud infrastructure.

In short, Cloud Computing is a model for enabling persistent, convenient, on-demand network access to computing resources which can be rapidly supplied and released with minimal effort or interaction.

A longer definition is provided by the United States National Institute of Standards and Technology (NIST), which in January 2011 issued the following draft:

"a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

Cloud Computing currently offers three distinct services and has five essential characteristics. It can also be deployed in various ways.

Services

Cloud Software as a Service (SaaS). SaaS allows the user to access applications or software installed on the cloud infrastructure, i.e., the firm would access software online. By way of example, the iCloud service, soon to be provided by Apple, is a SaaS service by which users access what is effectively a data backup and distribution service.

Cloud Platform as a Service (PaaS). PaaS allows the firm to install or deploy software on infrastructure operated by the CSP, i.e., a firm can upload its own software applications (or acquired applications) onto a server provided by the CSP.

Cloud Infrastructure as a Service (IaaS). IaaS allows a firm to access infrastructure operated by the CSP. The firm would not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components. By way of example, a firm would rent a remote server (or cluster of remote servers) on which the firm's data is stored.

Deployment

Cloud services can be deployed in various ways:

Private cloud: The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.

Community cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.

Public cloud: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

Hybrid cloud: The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability.

Characteristics

From the definitions above, it can be seen that Cloud Computing comprises five essential characteristics, namely on-demand self-service, broad network access, resource pooling, rapid elasticity (meaning the system can be rapidly expanded to meet demand) and measured service.

These characteristics provide advantages which include constant access to data regardless of location. This allows employees to access data no matter where they are in the world. It also provides the advantage that if the firm office is unavailable, such as in times of flood, employees can still work, so long as the cloud service is available and users have internet access and, of course, power.

Advantages

Cloud Computing shares resources between users, which allows users to access applications which may not necessarily have been installed on their own workstations. 

Cloud Computing also offers a reduction in IT administration costs as it removes the need for firms to administer at least some of their own infrastructure. This reduces the burden on in-house IT staff and represents a considerable cost saving compared to purchasing and maintaining infrastructure. 

In addition to the reduction in IT administration costs, there can be a reduction in software costs. The PaaS service allows firms to merely load one copy of a software application onto the cloud server which users can access, rather than loading multiple copies of the software onto individual workstations. Again, this can represent a considerable cost saving, depending on the terms of use and access rights to the software application.

As stated above, Cloud Computing is elastic. This means that the system is scalable and expandable. If one service (such as the provision of storage) is in demand, the system is easily expanded to accommodate the additional need. When the need is reduced, the system is reduced accordingly. The elasticity is seamless to the user and rapid, thus there should be no productivity reduction.

In addition to the advantages above, Cloud Computing is a user-pays system. Thus, a firm pays for what it uses, i.e., access to the system, and data uploaded and downloaded.

Disadvantages

Along with the advantages that Cloud Computing offers, there must be disadvantages. One great criticism of Cloud Computing is the lack of physical control of data. This lack of physical control leads to concerns regarding security of the data stored by the CSP. Client data is a firm’s asset. The firm is effectively entrusting all of its data to an entity with which it may have no prior relationship. Data which would normally be stored in the secure premises of a firm would be stored in another location which may not be as secure. This raises questions regarding both the security of the data on the servers (whether it is encrypted or otherwise) and the issue of secure access of the data. In addition, the location of the servers and therefore, the data itself, may be unknown. This raises the issue of jurisdiction. Inspection of the data centers or auditing for compliance with any service agreements may be impossible. Whilst a CSP may consider its system is robust and secure it should be borne in mind that no system is infallible.

Security concerns are not alleviated by the use of cluster systems in conjunction with Cloud Computing. Cluster systems are comprised of a group of independent computers working together which may or may not be in the same geographical location. Cluster systems come into their own when components fail, are temporarily not accessible or are replaced. If one component fails, the other components will assume the load of the failed component. In addition, if a hard drive is removed (or lost), the data on the drive can be recreated by the system. The advantage of such a system is obvious; however, the disadvantage is that merely removing a drive does not protect the data on that drive.

Another criticism of Cloud Computing is the dependence placed on another entity. The firm is entrusting the CSP to perform backups and maintenance of infrastructure and other disaster recovery contingency procedures. Furthermore, the firm has little, if any, control over these procedures. Quality control procedures and procedures which ensure the CSP is always accessible are not under the control of the firm. Neither are procedures in the event that the CSP ceases to operate. In addition, it should be borne in mind that whilst the CSP can grant access to the data, it can also deny access to the data. This is particularly important during times of dispute with the CSP.

Along with the advantage of reducing IT costs, there can be hidden costs associated with CSPs, such as costs for error fixing and simple backup procedures.

Considerations

Before moving to the Cloud Computing model firms should consider whether the advantages offered by such systems outweigh the possible disadvantages. Firms should maintain an exit procedure which includes the migration of data and services to another CSP. In addition they should develop in-house procedures and policies regarding access to the data and determine if a CSP will accommodate those procedures and policies. Moreover, when considering a CSP, a firm should at the least:

  • settle an exit procedure with the CSP, including the secure deletion (or otherwise) of data;
  • settle a dispute resolution procedure with the CSP, including provisions regarding access to data during any dispute and during any migration of data;
  • seek a CSP’s reports regarding its historical performance in terms of security, outages and other quality procedures;
  • determine guarantees, warranties and penalties, including penalties against the firm;
  • determine the CSP’s compliance with industry standards;
  • seek any independent security audit reports regarding the CSP; and
  • seek advice regarding the location of data and, at least in part, familiarize itself with local data protection and consumer protection provisions in the relevant jurisdiction.

This article has been prepared to provide a general overview of this topic and is not intended to provide, nor does it constitute, legal advice. You should seek legal advice before acting on or using the content of this article. Should you require legal advice on matters raised in this article please contact Bennett & Philp Lawyers on +61 7 3001 2999.
