Cloud computing – barriers for faster adoption

Handing over your corporate data to a third-party is indeed a very difficult decision for most CIO’s and IT managers. A myriad of questions immediately arise; how can I be sure that my data is sufficiently protected; is my data encrypted while stored and what about when being being transferred to and from the service provider; what about back-ups and access to data in case of data center failure; how about restoration strategy? And the list goes on. Fortunately, many of the larger public cloud providers, like AWS, Google and many others, provide a lot of measures and even SLAs that guarantee a certain level of responsiveness and measures in the case of security breaches and hardware/software failure situations within their own domain. Currently, the problem is more related to smaller cloud providers that do not have the capacity, resources and sometimes knowledge to provide sufficient security measures that relief the concerned CIO/IT manager.

Then there is the thorny and related issue of data privacy, especially of personally identifiable data (PII). If you are a CIO/IT manager, you already know your organization protects personal data and limits data exposure. Internally, organizations institute their own processes and policies for protecting privacy of corporate and individual data and ID’s. However, in the cloud, how can you be sure your data is protected by the provider in equal, or better, way? Additional fear include different legislation and regulations, especially in the context of cross-border cloud services – potentially leading to seizure of your data or confiscation of network servers by authorities in the residing country of the cloud service provider. This is an especially relevant where a buyer located in a particular jurisdiction, e.g. the EU, uses cloud computing services located in another jurisdiction, e.g. the USA. In fact, the EU, for example, prohibits the cross-border transfer of PII data originating in the EU, unless the host country applies to certain EU regulations. In the case of data transfer from the EU to the USA, the US service provider needs to apply to the so called “Safe Harbor Principle”.

In general, the World Privacy Forum provides a helpful guide called Privacy in the Clouds detailing the risks and problems relating to privacy and cloud computing.

Not far behind security is the issue of reliability. One of the key characteristics of cloud computing is the Internet as the main transport mechanism – with all its notorious bottlenecks (e.g. response time, latency and packet-loss). How can an organization using cloud services be certain that it obtains and maintains acceptable service levels? Pobably, by securing access through managed networks, e.g. MPLS, and/or using overlay network from network providers like Akamai. Within their own domain, cloud service providers usually comply to strict operational policies and measures to minimize failures or outages in their systems. Automatic fail-over and self-healing infrastructure of virtualized components aids to increase reliability and redundancy.

Finally, many CIOs/IT managers are afraid that by choosing a particular cloud service provider, they will enter a “lock-in” situation with that particular vendor. Due to the lack of standardization, most of the current cloud vendors have implemented and deployed proprietary solutions that lack interoperability with each other. This is a big problem, although some analysts, like David Linthicum at InfoWorld in a blog post “The data interoperability challenge for cloud computing”, are suggesting that in 2010 this issue will be addressed to drive cloud computing adoption. Some cloud related standard organizations, like the Open Cloud Consortium, are working on interoperability standards for cloud computing and frameworks for interoperating between clouds. When this has been resolved, a lock-in situation is less likely to occur and the CIO/IT manager can evaluate vendors in terms of their interoperability levels.