By Tim Weber Business editor, BBC News website
Cloud computing is more secure than on-premise solutions, say its fans
Cloud computing may be the hottest thing in corporate computing right now, but two IT disasters - at Amazon and Sony - beg the question: Is cloud computing ready for primetime business?
It's a nightmare moment. You are under pressure - to meet customer orders, finish a project, execute a deal - and nothing. Your computers, servers or network are down. If you are lucky, a few nail biting hours and a reboot or three later, you and your IT team have restored services.
But what if your IT infrastructure goes down and there's nothing you can do because your computing power sits in the cloud, provided over the internet by another company? When a key part of
Amazon's EC2 cloud service collapsed, many of the firm's customers were reduced to publishing apologies on their websites, and click "refresh" on Amazon's
service health dashboard.
Two of Sony's online gaming services, meanwhile,
were hacked, compromising confidential data of more than 100 million customers.
The twin worries of cloud computing, security and resilience, are back, just as the promise of huge cost savings persuaded many companies to make the jump. 2011, experts said, would be the year when companies would
get their business ready for the cloud.
According to a new global study by IBM, more than 60% of organisations plan to "embrace cloud computing over the next five years" to boost their "competitive advantage."
Marc Benioff, chief executive of Salesforce.com and one of the pioneers of cloud computing, speaks of a "fundamental shift, the move of computing resources into the cloud [that] gives small and large companies access to the same resources."
Jay Heiser at technology consultancy Gartner lists the benefits: easily obtained and highly reliable services, delivered quickly, conveniently and at a relatively low cost.
Until something goes wrong, of course.
Time for a rethink?
"A cloud is not a cloud is not a cloud," says John Engates, chief technology officer at cloud services provider Rackspace. Every kind of cloud service requires a different risk assessment.
There are cloud services for consumers holding masses of customer data. Sony had to take its service offline for four weeks. A nasty bump for the global consumer electronics giant, potentially lethal had it happened to a smaller business.
Then there are infrastructure and platform services for companies that provide cheap storage, raw computing power, or software as a service. When a software upgrade at Amazon's data centre in North Virginia went wrong, many companies using the service disappeared from the face of the online world for a full four days.
"How long does it take to reboot a cloud," asks Mr Heiser and argues that many companies focus too much on the operational process of integrating the cloud into their business, but do not pay enough "attention to architectural and build issues" of their cloud strategy.
So is it time for chief information officers and chief technology officers to rethink the cloud?
'No computer is perfect'
Not so, cloud fans protest.
"Most companies have had major outages, that's the nature of computing" argues Marc Benioff. The cloud just makes these problems more visible - and less frequent.
"Traditionally, companies were running both their own business and an IT business," says Mr Benioff. Going into the cloud shifts the computing to the experts "who do this for a living".
"No computer is perfect, but if you look at the history of cloud computing, it's more secure and reliable than traditional on-premise computing," insists Mr Benioff.
Rackspace's John Engates believes that cloud outages can actually be beneficial. "(They) make us better, they force us to repair and bolster the service, they even help competitors to see the challenges that other folks faced," he said.
Stuck with one provider?
Customers have to sharpen up, though.
Cloud computing may be cheap, but robust back-up solutions cost money. Cloud users will have to re-examine how many copies of their data they need, and where to keep them, says Mr Engates.
"If you build a robust infrastructure across geographies, you can sustain an outage," he says and points to video-on-demand provider Netflix, one of the Amazon customers that dodged the outage without obvious problems.
Companies have to make a risk assessment: Do they need parallel infrastructures, multiple cloud service providers, even a hybrid cloud where the data is shared and synced between the cloud and the company's own servers?
"People will want to bulk up their cloud strategy," says Paul Maritz, chief executive of virtualisation software company VMware. "It's unlikely that they will want to depend on a single [cloud] provider."
While companies may be able to switch suppliers or spread the risk, consumers may find themselves stuck.
Once you have settled on a cloud-based service - whether it is Flickr, Playstation Network, Facebook, Gmail or Hotmail - it is tricky to switch, unless you are prepared to sacrifice your content and social network.
Security questions
"Yes, the cloud is a concentration of risk," says Mr Engates, but people are attacking the customer, not the cloud. "It is easier to defend the cloud, because it has more resources and bandwidth".
Kurt DelBene, in charge of Microsoft's Business division, says Amazon's and Sony's problems "haven't dampened the enthusiasm of our customers for the cloud." The advantages - both cost savings and the ease of integrating diverse systems, for example after mergers and acquisitions - are just too great, he says.
And anyway, says Mr Benioff, Sony's massive data loss "is not a cloud computing issue, it's a cybersecurity issue."
Indeed, Verizon's
2011 Data Breach Investigations Report found that cloud computing played no role in security breaches: "We are often asked whether 'the Cloud' factors into many of the breaches we investigate.
The easy answer is 'No - not really.' It's more about giving up control of our assets and data (and not controlling the associated risk) than any technology specific to the Cloud."
Mikko Hypponen, chief research officer at internet security firm F-Secure, warns both consumers and companies that when they "move into the cloud, you get lots of benefits, but at the same time you lose control of your data... you have to blindly trust the vendor."
Consumers can help by playing it safe. When answering security questions "don't use your mother's real maiden name; don't give out your real birthday; answer with a number, or a street name or deliberately misspell."
Keeping online email accounts safe is key to cloud security, says Mr Hypponen, because it's here that criminals will find all the registration emails for financial services, it's here that they intercept requests for a password reset.
"Whether we like it or not, cloud is here to stay, because the benefits are clearly larger than the risks," says Mr Hypponen. "During the first years of this major shift [to the cloud] we will see more problems, but we will also learn, and the systems will get more secure."
Back to IT basics
When cloud services fail, the data is likely to get lost, and recovery is slow at best.
After Google's cloud-based email service crashed, says Joe Heiser, "it took Google four days to restore [the data of] 0.02% of the users of a single service."
"What is not in the least bit clear is the relative ability of any cloud service provider to restore your data into their services," Mr Heiser warnings cloud customers.
"We do not believe that the cloud is ready for everything yet," admits Rackspace's John Engates, but believes that cloud services can be part of the solution.
Companies that had a mail server outage can take "days and weeks to recover data from back-up tapes," he says. Putting the back-up into the cloud, with a different provider in a different locations, could speed up recovery.
It's back to IT basics: One concept "that should never be lost in the cloud," says Mr Heiser, "is the need for contingency planning."