Recently in Customer Experience Category

A recent report by Forrester's Andrew Reichman titled Business Users Are Not Ready For Cloud Storage: Current And Planned Adoption Of Storage-As-A-Service Is Minimal For Now paints a picture for cloud storage adoption, that at first blush, is not encouraging.

He states:

In Forrester's Enterprise And SMB Hardware Survey, North America And Europe, Q3 2009 survey, we asked businesses about their interest in "hosted storage capacity" offerings. Interest was minimal at best. Forty-three percent of all respondents said that they were simply not interested, and another 43% said that they were interested but had no plans to move forward.

While it could be argued that as a cloud storage supplier, I am necessarily bullish about the ultimate prospects, I believe the data is actually quite good and clearly represents what we are experiencing in the marketplace.  Now, Mezeo is engaged with many service providers, as well as the early adopters in the enterprise space as they begin their evaluations.

When I look at enterprise cloud-storage adoption based on Everett Rogers' diffusion curve I see a pretty clear view of the typical market place approach to adoption of disruptive technologies:    

For new, emerging, and potentially disruptive technologies, we should look for what the next practices are, i.e. the practices of the innovators and early adopters. The survey reflects the typical technology adoption cycle and re enforces what we are experiencing in the market place.

11% of companies are taking the plunge - these are the early adopters and innovators.  The early majority (43%) is interested, and watching.  The late majority is not in the game, yet.

So we are on track. And to prove it, let's look at one of these enterprise-level innovators: General Electric.

According to IBM storage expert Tony Pearson, GE has implemented cloud-based backups and archive for GE Corp, NBC Universal and GE Asset Management divisions running at only 32 cents per GB/month, representing a 40-60 percent savings over their previous methods. This includes backups of their external Web sites, archives of their digital and production assets, RMAN backups including development/staging databases. They plan to add out-of-region compliance archive in 2010. They also plan to monetize their intellectual property by offering "CloudStorage Manager" as a software offering for others.

1. Security will continue to be a big issue for the cloud, and, unfortunately, there will be at least one event this next year that is disruptive to Cloud Storage adoption, be it data loss or unauthorized data access.  Security will be an even more important point of evaluation for the use of specific Cloud Storage service offerings. The “trusted service provider“  becomes a requirement when selecting a cloud offering.
   
   
2. Cloud Storage will be characterized by a single word, “more”!  More adoption, more cloud storage offerings by more IT service providers, more variation in cloud capabilities, and more worries and concerns about the cloud.
   
   
3. The intersection of enhanced mobile devices with better wireless bandwidth will be combined with Cloud Storage to create exciting new work/life blended digital life applications. The user experience is of paramount importance.
   
   
4. Cloud Storage will see extraordinary adoption as a solution for backup, archiving and for policy-based georeplication for disaster recovery.

If you're accessing your data anytime, anywhere in the cloud, location shouldn't matter, right?

As it turns out, it does. There are several reasons why it matters where your cloud storage is located:

Legal & Regulatory Policy: How do companies ensure they are archiving and protecting business data to comply with  electronic data laws? According to BCS for example, no matter what data storage and security strategy an organization uses, IT decision makers should consider these six key questions:

1. Will content be stored and remain unaltered over the required retention time frame?
2. How will this technology stay updated to ensure long-term availability of records?
3. Does this technology enable the organization to retrieve data quickly enough to respond to a legal request within the stipulated deadline?
4. Can this technology grow with the business and meet regulatory requirements?
5. Can this technology be used with other content generating applications?
6. How will this data storage architecture address litigation and discovery challenges?

Add to this the effect of country and international compliance regimes and you understand why companies need to determine which data storage regulations affect them and require compliance.  Since the cloud is so new, I can safely wager that the data storage laws of most countries will not yet have a statute for the cloud. Thus, physical data storage laws will still apply.  So your cloud storage may have to be located in-country. This is possible through geo-location and geo-replication.

Performance: To reduce network latency, cloud storage and the applications that access it should be as close together as possible, even in the cloud, and they need to be close to the end-user.  Thus New York-based users who use NY-based applications should have their storage in a cloud in the NY area as well. 

Backup & Replication: Cloud-based backup and recovery makes sense as well. Having multiple instances of your data replicated by geography is a key function for distributed datacenter replication, and shows potential for rapid growth. 

So, at Mezeo, we see three ways to think about cloud storage and geographic options and how to improve the distribution of data across geographically distributed data networks:

Geo-Location: Locating stored objects close to where they will be used for. Faster access via the closest cloud storage instance using data center peering (this also allows you to define where you store your data/objects).

Geo-Replication: Replication through policies, with uninterrupted access to content.

Single Namespace: Providing a single means of access to stored objects regardless of where the objects are located.
 
Geographic placement supports creation of an object in a specific cloud storage instance.  At Mezeo, our replication policy allows for the specification of the locations of the replicants.  For example, the policy indicates "create the object in New York, LA, and Houston."  If an object is created in New York, it will be replicated to LA and Houston.  If it created in Houston, it will be replicated in New York and LA.

Some storage vendors support replication as a component of their disaster recovery recommendations.  If your selected storage vendor offers this option, then the storage solution could ensure there are at least two copies of every object in every instance of Mezeo's cloud storage.  Recovery in the case of disaster with this approach would be handled by the storage vendor's solution. 

By considering a combination of replication provided by storage vendors and replication provided by Mezeo, a service provider could offer a highly differentiated service.  Your customers would be assured of recovery in the case of any possible failure, from a single disk failure to a catastrophic data center loss.  Mezeo works with our service providers to determine the benefits of various replication options and the impact as you design your SLA level(s).

Policies are assigned in the onboarding/provisioning process and may be updated if requirements change.  There are also special situations for policy updates, such as if a particular data center has a catastrophic outage, the policies associated with replication to the Mezeo instance in that data center can be modified.

CloudStorageStrategy.com welcomes OpSource CEO Treb Ryan for an in-depth interview on cloud computing, from the perspective of the service provider.

NOTE: OpSource is a customer of Mezeo Software, the underwriter of this blog.

What are the opportunities you see in the cloud computing space, both for OpSource and your customers, and what impact has the downturn had on this?

It's interesting, but when people talk about cloud computing, they immediately go to the downturn and pricing - and cost being the big driver.  There's no question that cloud computing is cost effective, and it's accelerating adoption many times over, but what we're really seeing is something much more fundamental - a generation of users who are entering the workforce who've been using cloud computing all along; they've grown up on the Internet, and their interface to technology has always been through the Internet. 

As a result, this "Cloud Generation" has clear expectations of how technology should work:

1) it should be immediately available,
2) you do a search and get going,
3) it should be very flexible,
4) you should have ubiquitous access - anytime, anywhere,
5) sharing and collaboration - the expectation to collaborate and share anything they are working on.

This is not a generation which distinguishes between work data and home data - like my generation did. They've grown up with the concept of APIs and communities that grow around them; for instance, we see programmers who have grown up with Google and Facebook APIs, and now they expect that kind of thing in their work applications as well. So they're coming into the workforce and driving change in the workplace. They see technologies like client-server applications or hard-coded storage arrays pretty much the same way my generation saw green screens, mainframes, and mini-computers - as dated, inflexible, technology - hard to use, without nearly the power of cloud-based systems. So they have the day-to-day experience of the "consumer cloud" which they're now driving into business applications as well. 

To the Cloud Generation of programmers this means anything they can interact with on the Cloud they can program to through APIs. The idea of infrastructure being an item that can be addressed as part of the application, instead of something the application lays on top of, is a radical concept.  It has allowed not only for innovative applications, but also for true elastic computing making the Cloud environment even more flexible.



Great Cloud offerings have great communities around them. This is the aspect of Cloud computing that is so often missed - and even scoffed at - by the IT folks who think it's all about virtualization. One of the biggest gripes about Cloud computing is that support is done by the Community and not the vendor. While most will agree that far more proactive vendor support is necessary for Cloud computing, Community support is just as critical. For questions of configuration and usage tricks, the Community is a far better source of information than some call center employee with limited access. Often the Community devises more innovative solutions than the vendor ever could. And in addition to support, the Community can create third-party add-ins that make the Cloud even more useful.

The downturn has accelerated adoption from the top down as well.

We're seeing executives who have become enamored with this idea of the cloud - because of the ability to turn capital expenditures into operational expenses - and are pushing cloud computing into their organizations.  The CEO of one of our customers went so far as to tell his technical people - "now can you finally start using the cloud so I can get the board off my back?"

So, for different reasons, we have both top-down and grass-roots support for cloud-based applications, which makes this very interesting to say the least.

Which customer segments do you see leading the way in adoption?

Obviously, our traditional focus has been on ISVs and start-ups coming into Software-as-a-Service, business applications in the cloud, and we're seeing continued adoption of cloud infrastructure by those segments, but what has been interesting is that now that we offer the ability for any company to buy and use cloud infrastructure for any type of application, we're seeing a much broader spread of usage and adoption. Beyond the enterprise we also see widespread adoption by systems integrators, consultants, and VARs - upto 40% of our customer base - all without us targeting that segment at all.

How does OpSource differentiate its cloud offerings from other service providers?

We offer the best of the public cloud, combined with enterpise security and compliance, performance guarantees, and enterprise controls.

For instance, we offer:

• easy online sign-up & purchase with infrastructure provisioning in minutes
• pay by the hour and only for what you use, with no commitment (or purchase a monthly plan for a discount)
• a rich online community to share and collaborate with peers; get third party add-ins, images and configurations
• a web interface plus complete set of APIs

On the straight cloud, we provide a lot of the more robust, enterprise tools than you see from more consumer-based providers like Amazon, for example.

We focus on three different areas:

1) Security and Compliance: we provide a much more secure environment, because Opsource provides every customer with a Virtual Private Cloud within the public Cloud, allowing them to determine their own degree of public Internet connectivity. We also provide:

• Unique customizable security for firewalls
• VPN administration of all servers
• Unique username/password for each administrator
• Audit logs of all environmental changes
• SAS 70 audited
• 100% uptime SLA

2) Performance: we offer a multi-tier architecture with guaranteed latency in-between systems, sub-millisecond access time, industry standard technology, like VMware, instead of open-source, because that's where enterprise is comfortable.  Our 24/7 suppot also makes a diffence.

3) Control: today's cloud environment are single user environments, one user name and password, which is fine for individuals, but not so useful for the enterprise. We offer the ability to provision multiple users, do things like cross departmental billing, execute policy based control - which user can do what - and finally link all that back though an API to your existing management systems. So you can control how your users use the cloud same as you do your corporate datacenter.

So do you see any links into these large companies where they need to use ITIL for systems management?

Absolutely. OpSource has always focused on compliance as a major issue for our SaaS customers, eveything from SAS 70, PCI to European Safe Harbor, and even industry-specific ones like HIPAA, or government-specific certification, but in the cloud, we think about sophisticated  management techniques like federated authority and single sign-ons, and things like ITIL - while it's still in its infancy, it's shocking that most providers don't even have the ability to give their customers the critical capability to have more than one person manage the cloud for them - because they have a single user accounts. So while you can institute more sophisticated IT governance regimes like ITIL with the OpSource cloud, we give IT the capability to manage who does what, and track who did what, even if they aren't ready for something like ITIL.

So IT gets to do their own provisioning?   
  
Yes. So you want to know who provisioned what, how much it costs, and we give them that visibility instantly across their entire user community.  That way there are no surprises or charges they aren't aware of. It sort of reminds me of the controls I had to put in to alert me to my daughter's texting costs - so I'm aware of the charges before they get out of hand! I just blogged about this issue.

That's why you say that OpSource is what Amazon wants to be when it grows up... 

Absolutely.

And that's how you respond to cloud critics - the ones that say that the Cloud is not yet ready for the enterprise.

There are large parts of the cloud that are not yet ready for the enterprise. The cloud is still young, and it would be like asking that first 286 PC to run all of your corporate financials. However, a lot of these issues around enterprise adoption like security and compliance have been addressed, and are being taken care of, so as the cloud becomes more robust, we'll see increased adoption. We're seeing enterprise-level capabilities come to market that did not even exist six months ago.

We have just signed a partnership agreement under which OpSource will resell Gomez's Web performance management solution to our enterprise customers as well as use it to validate and monitor our own cloud performance service level agreements (SLAs). Through this partnership, we'll bring powerful performance monitoring to cloud computing, making it easier and more compelling than ever for enterprises to justify bringing their applications to the cloud.

Do you see infrastructure elements like storage growing now?

For true, full use of the cloud, we have to have the ability to access storage, go though the APIs to get to it, and give our customers a range of storage solutions, including cloud storage based on the specific application or need. We're giving our customers the widest range of choices.

What about agile programming? I heard you use agile methods to improve the customer experience.

Agile programming methods have helped us with not only development, but compliance and security as well. We talk to our customers to see how they are using our cloud offerings though our community, and we learn what's important to them.

We also test our offerings by having two programmers work on the same keyboard - literally  - one with the user story - so they can make sure that the customer is getting the exact functionality they need.

It's agile customer service.

Can you tell us a bit about your enthusiasm for composite applications (corporate mashups) and how they help your platform?

Of all the phenomenon in the cloud, we see the need for anytime-anywhere access and the idea that anything I can interact with I should also be able to program to.  So when Facebook enthusiasts start working in the enteprise, they bring their enthusiasm for integration as well.

So we see things in the cloud like direct access to the infrastructure as part of the application, which allows for all sorts of flexibility and robust usage.

We see real-time reporting applications of every kind you can imagine.  I myself am addicted to checking on everything that's coming out of our billing and customer systems tied into our Salesforce tabs.  So I'm always checking on the business in real-time via my iPhone.

I say this a lot, but integrating SaaS is a huge issue for today's enterprise. OpSource Connect can help SaaS companies -- of any size -- overcome integration hurdles and break out of the SaaS-only box. This speeds up adoption of SaaS in larger enterprise environments, opening the door for on-demand companies to cultivate business with large systems integrators. Plus, I'd say we're the only company providing Web operations from the ground up, addressing operational infrastructure, application management, and business operations. Today, integrations are expensive and one-to-one. For instance, while you can currently integrate your application with Google Maps as a composite application, OpSource Connect lets you integrate your app with many others, using just one platform. You can integrate your application with, for example, SAP, salesforce.com, Intuit QuickBooks, NetSuite, and a host of other SaaS and legacy applications. 

Everything is much more dynamic today, and programmers expect that. 

The announcement that Salesforce is integrating directly with cloud-storage Box.net is the tip of the iceberg when it comes to the future of the cloud:

Techcrunch explains what Box.net is thinking:

CEO Aaron Levie says that this is the first step in Box.net's plan to give businesses a secure way to share their files across multiple services on the web. He says that many of the cloud services geared toward the enterprise don't work well together -- oftentimes you'll have to reupload the same content to multiple sites to share or edit it. Box.net wants to help unify these services by serving as the central hub for your uploaded files, which you can then access from these other web-based services. Levie hints that we'll be seeing more integrations with other services in the near future.

What we are witnessing is the future of enterprise IT infrastructure. We have been talking about programmatic access through RESTful APIs for some time now.  This move by Saleforce is an evolutionary step in how enterprise IT will manage its IT infrastructure - it will be a cross-cloud platform, with applications and open access to the storage cloud of your choice.

Security is not an issue, and the future is about cross-cloud collaboration.

Phil Wainewright says that Box.net wants to be the "Switzerland of Data" - he's right and wrong.  Cloud Storage, provided by the various service providers are going to be the "switzerland of data storage."  Vendor lock-in is going by the wayside.

ReadWrite is spot on when they say that "you can start to see how platforms will evolve into service networks - where enterprise users may subscribe and get access to applications that they pay for on a per use basis."

The biggest threat then, is to traditional software vendors, and applications like Sharepoint.  We will see heated debates on this very topic in the days and weeks ahead.

We've discussed ITIL and Cloud Computing and the role of trust as a differentiator for service providers. Yes, we see the evidence that IT Hosting companies and managed service providers are closer to their customers and we see that their differentiation is their commitment to serving the customer.

But Amazon, Google, and Microsoft aren't going away. As they pressure customers to make the switch to the cloud, traditional service providers must find new ways to compete. Step one, of course, is providing alternatives - cloud services, like storage for example.  Step two is to highlight their customer commitment - the relationships they already have and defend this "advantage" by becoming even more responsive. 

So how do you build trust? According to Stephen Covey Jr. trust is built through behavior. His work has identified 13 behaviors which build trust:

1. Talk Straight
2. Demonstrate Respect
3. Create Transparency
4. Right Wrongs
5. Show Loyalty
6. Deliver Results
7. Get Better
8. Confront Reality
9. Clarify Expectations
10. Practice Accountability
11. Listen First
12. Keep Commitments
13. Extend Trust

But how do these behaviors translate to a cloud service delivery model? 

To answer this question, I dug up an old model for assessing service quality - SERVQUAL -  which was introduced to the world of service and retail back in 1988 (those were the days before ITIL).  SERVQUAL has its share of detractors, but even recent research reminds us that it is still a useful model.  In particular, I'm interested in how it can be used to help service providers improve and extend their intangible advantages over the more impersonal big shops.

Over the years, the SERVQUAL instrument has been a popular methodology used to measure consumers' perceptions of service quality. Its five generic dimensions or factors are still valid:

(1) Tangibles: physical facilities, equipment and appearance of personnel.
(2) Reliability: the ability to perform the promised service dependably and accurately.
(3) Responsiveness: willingness to help customers and provide prompt service.
(4) Assurance: includes competence, courtesy, credibility and security; the knowledge and courtesy of employees and their ability to inspire trust and confidence.
(5) Empathy: includes access, communication, understanding the customer; caring and
individualized attention that the firm provides to its customers.

None of these dimensions will change in the cloud, with the exception that some of these dimensions are now virtual and must be proven online (customer support, for example) or through superior automation of work processes.

Let's also analyze the SERVQUAL "gap model," as it was called, and see how it applies to service delivery in the cloud:

Let's look at the meaning of each "gap" - the possible breakdown areas in service delivery:

Gap 1: Customers' expectations versus management perceptions: caused by the lack of a marketing research orientation, inadequate upward communication and too many layers of management.

Gap 2: Management perceptions versus service specifications: caused by an inadequate commitment to service quality, a perception of unfeasibility, inadequate task standardization and an absence of goal setting.

Gap 3: Service specifications versus service delivery: caused by role ambiguity and conflict, poor employee-job fit and poor technology-job fit, inappropriate supervisory control systems, lack of perceived control and lack of teamwork.

Gap 4: Service delivery versus external communication: caused by inadequate horizontal communications and propensity to over-promise.

Gap 5: The discrepancy between customer expectations and their perceptions of the service delivered: caused by the influences exerted from the customer side and the shortfalls (gaps) on the part of the service provider. In this case, customer expectations are influenced by the extent of personal needs, word of mouth recommendation and past service experiences.

Gap 6: The discrepancy between customer expectations and employees' perceptions: caused by the differences in the understanding of customer expectations by front-line service providers.

Gap 7: The discrepancy between employee's perceptions and management perceptions: caused by the differences in the understanding of customer expectations between managers and service providers.

Three of these gaps are directly connected external customers: Gap 1, Gap 5 and Gap 6.  Service providers will find their optimal "trust-building" opportunities here.  Apply Covey's 13 behaviors to each one of these gaps to build on your commitment to your customers.

Amazon, Google, and Microsoft aren't building a high-touch responsive model for their cloud services. But you, the service-provider, already have a high-touch relationship. Your cloud-based SLAs must reflect this advantage. The security issue is just a small part of this reality.

Service providers who dedicate themselves to closing the gaps will succeed in this new world.

The quest for quality service didn't start yesterday. I highly recommend that service providers give Delivering quality service: balancing customer perceptions and expectations by Valarie A. Zeithaml, A. Parasuraman, Leonard L. Berry, a second look.

With all due respect to Cory Doctorow, he's wrong.

In his article Not every cloud has a silver lining (Guardian) he states:

There's something you won't see mentioned by too many advocates of cloud computing - the main attraction is making money from you.

And I suppose all the vendors of physical storage, the hard drives, etc., are interested in your spiritual well being!

Here's the heart of Doctorow's beef with cloud computing:

Rather than buying a hard-drive once and paying nothing - apart from the electricity bill - to run it, you can buy cloud storage and pay for those sectors every month. Rather than buying a high-powered CPU and computing on that, you can move your computing needs to the cloud and pay for every cycle you eat.

The point he misses is that cloud computing exists because it answers a real need.

We aren't prohibiting you from buying physical hard drives, I assure you. In fact, we think physical and cloud storage will work together, complementing each other. It's not one or the other.

Our focus is to provide specific services which deliver quantifiable value for both individual consumers and business users. As we mentioned earlier, the basic promise of cloud computing: instant access to your data anytime, anywhere, on any device, is already a reality. It's all about convenience, ease-of-use, cost, and of course, value-delivered. The cloud is a disruptive innovation.

Let's review the benefits of cloud computing:

For Businesses
In addition to cloud storage, the cloud brings game-changing pricing and service capabilities to disaster recovery, fault tolerance, geographic redundancy, and other solutions that have been prohibitively expensive to everyone except for the largest organizations in the world. Here are some specific drivers of business value:

Financial Benefits: The very nature of "pay per use" makes large upfront financial outlays a thing of the past. So your CFO won't bug you about capital expenditures.  You'll simply have to pay a monthly fee for renting the data center and the services you choose. And yes, that's a monthly operational cost.

Better use of Human Resources: Your IT people don't have to spend time doing repetitive tasks like provisioning and  setting passwords.  That will be done in an automated way by your service provider.

Agile Provisioning: "Time to value" is greatly accelerated using the cloud.  Softlayer, for example, allows lets you deploy on-demand computing instances running enterprise-grade and open source operating systems in as few as five minutes. Can your IT department do that today?

Scalability and Flexibility: The cloud provides customers with the capability to start small and grow with demand, in real-time. Cloud "burstability" allows for rapid scaling to meet demand caused by usage spikes.

Leaner and Greener Infrastructure: The cloud allows companies to outsource their IT infrastructure, and maximize utilization of the computing power of their service provider. This makes for a leaner and greener IT infrastructure for all.

Service Oriented Architecture:  Cloud Storage accessed via RESTful Web Services APIs provides new capabilities for developers.  For the first time, an abstracted, services rich storage layer is a true SOA implementation.

For Individuals
I already hear commercials on TV:

"Are you tired of lugging your laptop everywhere? Are you tired of transferring your files every time you switch devices? Are your running out of space for your endless downloads of videos, songs, and movies? Do you want to access your files anytime, anywhere, on any device? Try cloud computing, and your life will never be the same."

The flexibility cloud computing offers individuals is unparalleled. Again, it is the user-experience which will determine cloud use by the consumer.  And as we see more and more personal files (videos, music, photographs) explode, we'll see a bigger and bigger role for cloud computing.

A final statement. We do want to make money. Like everyone else in the market, we're going to have to deliver value to earn your trust and dollars. And if you find that you get more value from buying your own physical storage or owning and operating your own datacenter, go ahead.  We're betting we can show you a better way, a way that complements your local storage.

Articles and blog posts associated with security and cloud computing are a daily occurrence, unless some well-publicized breach occurs in the cloud.  At that point the number of commentaries and discussions will increase exponentially, and then, over the following week, return to normal frequency.  I decided to focus on security as it relates to cloud storage, to see if something really new and different is occurring, and if overall changes need to be contemplated, as it comes to classic data security activities.  When I focused in this way, I quickly discovered that not much has changed, and security of data in the cloud is highly dependent on the same precautions and understandings as security of your data in a private data center.

In this recent article, it was suggested that files of one owner residing on a physical device with the files of others could somehow result in unauthorized access. It could, and the answer to this and a myriad of concerns fits within traditional approaches and understandings of security.   For example, Mezeo encrypts all files prior to storage.  So, even if you somehow got access to another's file, it would do you no good.  My point is that the cloud introduces a few additional complications, but it is not a problem that the current level of speculation seems to portray it as.  An extension to typical security practices, diligence, effective execution and audit of your current practices is what is required.

With this underlying theme, we look at how best we can ensure the security of the data in the cloud. Let's look at five areas that you should consider in regards to storing data in the cloud.

1. Physical Security: First, understand some things about the data center that is hosting the cloud where your data is stored:

• Is the data center physically secure? 
  
• What about it's ability to withstand power outages? 
  
• For how long? 
  
• Are there multiple, independent (on different grids) electrical power paths? 
  
• How are communications facilities enabled and where does the fiber enter the facility?
  
• How many communications providers have a POP (point of presence) at the facility? 
  
• How is the data center certified (SAS 70 Type II)?  

World class data centers are expensive, and they are also well understood.  What is the tier rating of the data center? (Tier IV is best). Make sure you do business with a cloud storage service provider who makes use of such facilities.

2. Data encryption: Encryption is a key technology for data security.  Understand data in motion and data at rest encryption.  Remember, security can range from simple (easy to manage, low cost and quite frankly, not very secure) all the way to highly secure (very complex, expensive to manage, and quite limiting in terms of access).  You and the provider of your Cloud Storage solution have many decisions and options to consider.  For example, do the Web services APIs that you use to access the cloud, either programmatically, or with clients written to those APIs, provide SSL encryption for access, this is generally considered to be a standard.  Once the object arrives at the cloud, it is decrypted, and stored.  Is there an option to encrypt it prior to storing?  Do you want to worry about encryption before you upload the file for cloud storage or do you prefer that the cloud storage service  automatically do it for you? These are options, understand your cloud storage solution and make your decisions based on desired levels of security.

3. Access Controls: Authentication and identity management is more important than ever.  And, it is not really all that different.  What level of enforcement of password strength and change frequency does the service provider invoke? What is the recovery methodology for password and account name?  How are passwords delivered to users upon a change?  What about logs and the ability to audit access?  This is not all that different from how you secure your internal systems and data, and it works the same way, if you use strong passwords, changed frequently, with typical IT security processes, you will protect that element of access.

4. Service Level Agreements (SLA): What kind of service commitment is your provider willing to offer you? Are they going to be up 99.9% of the time or 99.99% of the time? And how does that difference impact your ability to conduct your business? What is the backup strategy that your cloud provider uses, and does it include alternative site replication?  Do they use one at all, or is backup something you have to provide for?  Is there any SLA associated with backup, archive, or preservation of data.  If your account becomes inactive (say you don't pay your bill), do they keep your data?  For how long?  Once again, realize that there are different services, with different features, at different costs, and you get what you pay for.

5. Trusted Service Provider: The trusted service provider is a critical link.  Unlike your in-house IT department, you are now putting your trust in a 3rd party.  You must feel confident that they will do what they say they will do.  Can they demonstrate that the safeguards they claim are indeed delivered?  What is their record?  Do you have a successful business relationship with them already, and if not, do you know of others who do?  Remember, are they in business to serve business, or is it simply another service that they offer, focused first on cost per gigabyte, versus service and support.  This is where many IT service providers have made their living, providing world class service and support, along with effective, efficient, low cost infrastructure.

So what has really changed? More than anything it is a heightened awareness of the need for security.  Security is delivered on a sliding scale, and the result you achieve is based on well understood principles.

Of equal interest are the legal implications associated with hosting your data at service providers.  You can extend the notion of security to access by various government entities, depending on where your data is hosted.  While the focus of this post has been associated with preventing unauthorized access, this is yet another consideration associated with where your data is stored. 

Sure, cloud storage requires that you add some additional and/or different considerations to your evaluation and monitoring process, like understanding your service provider versus your own IT department.  The IT Service Providers know and understand the importance of this. Most will step up and ensure that they deliver excellent service to you and become your long term Trusted Partners. Those that don't will fall by the wayside.

One of the interesting side effects of the rapid adoption of Cloud Computing by the enterprise is the impact this adoption will have on the design and delivery of IT service processes.

In his article Assessing cloud providers, Frank Ohlhorst reminds us that "moving to the cloud is primarily a business decision" dependent on the metrics of ROI (Return On Investment), performance, sustainability and suitability to task.

Managers, writes Ohlhorst, must be prepared to do the following:

- audit the target applications and business processes impacted to create a cost-benefit-risk analysis that compares a traditional client/server solution to a cloud-based solution.
- audit the cloud services provider, including an assessment of geographic redundancy, packet transport performance, latency and service guarantees.
- audit the business's own ISPs, including performance at connecting points, failover capabilities and guaranteed throughput rates to and from the cloud services provider.
- monitor and frequently evaluate service and performance elements.

Thus, Ohlhorst tells us, "one of the first steps for choosing a cloud service provider is to evaluate the level of service offered and the guarantees behind that service." His view is that the Service Level Agreements (SLAs) must be scrutinized under three specific lenses: data protection, continuity and costs.

While this is a traditional IT view, and seems quite logical, we disagree with his suggestion that IT Managers can turn to the Keynote Internet Testing Environment (KITE) and Internet Health Report to measure performance.

Why? Because these are uptime measures, not measures of service performance.

If you're familiar with ITIL V.3, you'll recognize this service model overview:



In the ITIL world, service management can be broken into the following components:

- Service Strategy
- Service Design
- Service Transition
- Service Operation
- Continual Service Improvement

Traditional IT systems management thinking leads us to associate systems availability with service availability, so that if a network component is running normally, we assume that the services running across that network component are also running normally.

This is largely the view being taken by the traditional systems management companies. It is what we are seeing in announcements like this one from BMC Software and Amazon.com.

But the cloud service model is different, and - while it's great to see BMC extending its enterprise systems management platforms to incorporate Cloud infrastructure - Cloud computing brings about a different measure for service performance, best exemplified by a new breed of cloud computing management vendors like Nimsoft. Their view is as follows:

The "pay-as-you-go" nature of cloud computing breaks the link between component and service performance: typically, organizations pay for capacity or throughput, rather than specific components. Plus, the highly dynamic nature of the computing infrastructure that exists in the cloud makes traditional CMDB (or simple list) based systems management virtually impossible to implement. All the traditional server and network reporting that shows 99.999 up-time will become secondary and probably irrelevant for future service level management and reporting. What this means is that synthetic transaction monitoring--that is, generating, monitoring, and reporting on simulated service requests--will be of paramount importance.

This perspective puts an interesting twist on ITIL's IT Service Management model. Since there is no way to predict which cloud computing infrastructure components are accessible at any point in time, service delivery processes in the enterprise - and SLAs from cloud computing service providers - need to be all about service reliability rather than component reliability.  This is a paradigm shift. 

As we have written previously, cloud computing is unleashing the potential of SOA (Service Oriented Architecture) applications.  In a world of SOA applications running on Cloud infrastructure, the concepts of IT service delivery in the enterprise and SLAs from service providers will rest upon services and processes that can run on any infrastructure components within the cloud.  The notion of using discrete infrastructure components as the basis for measuring service quality goes away.  This is the philosophy of the new breed of cloud systems management providers: the focus of availability and performance measurement moves toward measuring the user experience.

And, as this transition comes about, what happens to CMDB-based systems management? How do we think about the CMDB when the management of these infrastructure parts is abstracted even further away from application peformance?  Does anyone see a new "cloud edition" of ITIL service delivery on the horizon?

Once again, there is an opportunity here for service providers to seize the initiative.

A recent SmartMoney article tells us that Ray Ozzie, Microsoft's chief software architect, is concerned  that cloud services could undermine the company's margins over the long term:

"The margins on (online) services aren't what the margins on software are... It will increase our profits, it will increase our revenue, but you won't have the margin."

According to the article, Ozzie also said that there was probably room only for a few players in the cloud. Because of the need for costly, large scale data centers to process and store computing tasks, very few companies would be able to afford the investment necessary to get economies of scale.

Also, it seems very convenient to assert that their can only be a "few" cloud players who must be "huge" companies.  What this means (according to Microsoft) is that it will only be a Microsoft/Google world of "cloud" services. We beg to differ.  It is the IT Service Providers who already have the core competencies required to deliver on the promise of cloud computing.  And while the profit margins might not be in Microsoft's software, they are present in cloud storage. In the recent meetings on Cloud Storage at the SNIA Cloud Storage Technical Work Group, one of the specific topics was cloud interoperability, a discussion that assumes multiple clouds by multiple service providers.

Wait, there's more. A few weeks ago, Ozzie shared a few more thoughts on the cloud.  Courtesy of the Seattle Times:

On cloud computing:
"Right now the way I've been framing things is in essence we are moving to a world of three screens and a cloud. That's the most succinct way that I can describe it. For the user experience we will all commonly consume solutions immediate to us, whether it's in media, entertainment consumer or business, that will be delivered to us in something the size of a phone, something the size of a PC, and something the size of a TV. There will be solutions that weave those things together, brought together by cloud on the backend."

On how Microsoft Office will change to adapt to cloud computing:
"We have to repivot to think not 'Is this the specific device?' but 'How do you deliver these scenarios across these devices.' We are rethinking Office. We aren't conceptualizing Office as a PC product anymore. There are scenarios in the realm of productivity that are very, very appropriate for PC such as viewing a spreadsheet. When you are trying to share something, the Web is a much more appropriate concept in terms of how to share because that's how people are brought together. They aren't brought together on the PC; they are brought together on the Web.

"When we're in meetings like this or when you're in a conference room, you have your phone with you, you don't have laptop in front of you, you don't have a browser in front of you. You might use the camera and take a snapshot, you might activate the headset and record. ... Every device will be appliancelike so you'll go buy it, you'll log in with cloud-based identity and profile of what belongs on that device comes down to that device."

Looks like Microsoft is re-evaluating the cloud user experience >>