Parlons-en Cloud 2014: some topics

17-04-2014 / CloudOps

Next week, Stephan Bureau and I will join a few hundred IT professionals from Québec for a day-long conference on cloud computing. We’re tackling three big themes, with panelists from both vendors and end-users, spanning small and large businesses as well as governments.

The three themes are at the forefront of technology policy today:

Transition and migration

Cloud computing is a major shift for IT. It is a switch from capex to opex; from ownership to rental; and from infrastructure engineering to service design. For early-stage companies without legacy investments, it’s often a no-brainer; but for bigger, more established firms, there’s a lot to migrate.

Some applications simply aren’t made for cloud environments, and at best can run atop virtual machines. Others can take advantage of automation and be managed more efficiently. But only cloud-native applications which are aware of the environment in which they’re running can truly leverage the elasticity and mobility of cloud services.

For IT this means understanding which applications fall into each category. What should be maintained and cost-reduced? What can be automated, and delivered to stakeholders without human intervention? And what should be rewritten?

Of course, in addition to these technical questions are cultural ones. Is the organization ready to transition to cloud thinking? Clouds are built on new ideas: eventually consistent data; scale-out instead of scale-up; blending public and private resources. Many of these don’t mesh well with existing assumptions and processes.

Agility vs. control

Every IT professional tackling cloud computing faces a fundamental trade-off. On the one hand, on-demand infrastructure offers agility, because it means you can add, or remove, capacity as the business changes. On the other hand, you lose control once the comfort and assurance of bare-metal, step-based growth is gone.

This tension is at the heart of cloud adoption discussions. It’s one of the key drivers of private clouds—which, on their surface, seem like having the proverbial cake and eating it too, since they offer on-premise control with on-demand provisioning. But private deployments don’t have the endless elasticity of an Amazon, Microsoft, or Google compute cloud, nor do they have value-added services like content delivery, message queue, authentication, billing, and so on.

CIOs are stuck on the horns of this dilemma. The right balance of control and agility depends as much on the business model and the organization’s willingness to change as it does on regulatory guidelines and risk management.

How should companies evaluate the tradeoff? When should they relinquish control to others, and when should they slow down and be cautious? In the cloud, is he who hesitates lost—or should IT look before it leaps?

Security and governance

The last year was an interesting one for cloud security. Whistleblower revelations confirmed what many had already suspected—that data wasn’t secure wherever it was stored. High-profile breaches at retailers, and deep, wide-ranging vulnerabilities like OpenSSL’s Heartbleed and Apple’s iOS “goto fail” undermined trust in the underpinnings of the Internet.

At the same time, governments are pushing for stricter controls on data sharing and enforcing “meaningful use” conditions in which data owners must limit the ways in which they use and share information.

Amidst these changes, the CIO has to keep the business running. Enterprises are increasingly reliant on technology to grow. A 2011 MIT study of 179 large publicly traded firms showed that companies that use data-driven analytics instead of intuition have 5%-6% higher productivity and profits than competitors; Microsoft reports that firms which adopt clouds perform better on nearly every important business metric.

With demanding security requirements, consumers on high alert, and shifting legislation that changes the rules in the middle of the game, it’s hard to know what to do next. How close to the letter of the law should organizations be? Should they take a conservative stance, or push the envelope? And since legislation often trails practice, how should they act in the absence of guidance?