Data Centres in the Cloud
In December 2010, the Centre for Economics and Business Research (CEBR) published a report commissioned by EMC: THE CLOUD DIVIDEND (Part One) – The economic benefits of cloud computing to business and the wider EMEA economy. The numbers involved are astonishing. “We find,” it claims, “that, across the five economies as a whole [France, Germany, Italy, Spain and the UK], widespread adoption of cloud computing has the potential to generate over €763 billion of cumulative economic benefits over the period 2010 to 2015.”
Savings to individual companies are equally astonishing: 20% reduction in the costs of external IT services; 2% reduction in software maintenance costs; 18% reduction in server and storage costs; and 44% reduction in network hardware costs. To this can be added the almost complete elimination of heating, cooling and floor space costs for those companies moving their entire data centre into the cloud. Nevertheless, the complete migration of data centres into the cloud is simply not happening as fast as these arguments suggest it should; and that’s what we’re going to discuss: what is a data centre in the cloud? What are the arguments in favour of moving it to the cloud? What are the arguments against moving the data centre into the cloud?
The data centre in the cloud
The key features of cloud computing are that it provides and charges for computing services on demand over a network; and that those services usually fall into one of three categories:
- public cloud: which provides computing services to whoever requires them, including, in theory, anything from a complete data centre to just Google Docs or Hotmail;
- private cloud: which provides hosted computing services, such as a data centre, to a limited number of people from one or a limited number of hosting sites;
- hybrid cloud: where companies use limited cloud services (such as the storage of non-sensitive data, or email services) while retaining their own computing resources for mission critical computing.
Technically, a data centre could reside in either the public or private cloud – but it does rather beg the question: what is a data centre in the cloud? If you keep to the traditional definition (a server farm with associated storage and telecommunications conforming to Tier 1 to 4 standards, but in a private cloud) then you effectively have a hosted data centre, not a cloud data centre. If you develop a data centre in the public cloud, then to maximise public cloud opportunities you would disperse it – and you would no longer have a data centre. William Beer, UK Director at PricewaterhouseCoopers, accepts the confusion. “If we are talking about a data centre in the public cloud,” he says, “I think it is extremely difficult to define it. If we are talking about a data centre in a private cloud, then it is a little easier in that I’ve got more understanding of what’s happening and where.”
But, he says, none of this is really important. The beauty of the cloud is that you simply don’t need to know the details. “All I need is the service level agreement with my provider – and that should supply me with all I need to know, and all I need to understand.” The logic of this argument is that you have a data centre in the cloud if you have a contract with a cloud provider to provide you with data centre services. What, where and how is simply no longer your concern: if the contract says you have a data centre, then you have a data centre.
The green argument (in favour of moving your data centre into the cloud)
One of the biggest arguments for moving into the cloud is the green argument; but this could equally be called the ‘cost argument’. “There is a genuine green argument for cloud computing,” says Philip Lieberman, President and CEO of Lieberman Software. “In conventional data centers, every system is running 24 hours a day and, by necessity, over-provisioning of systems is normal. This means huge amounts of power and air conditioning are needed to support an in-house solution. Cloud providers use more power efficient solutions, and the air conditioning strategies are also less power-hungry. As a matter of cost savings, cloud providers shut down unused systems simply because they save money doing so. The hardware used by the cloud providers is also vastly more energy-efficient compared to what data centers normally use. Finally, the cloud providers are proactively operating their infrastructures in a power efficient manner.”
Max Feneck, marketing manager at SunGard Availability Services, absolutely agrees. “In some respects, a cloud environment is the ultimate shared service – not only the servers and the discs are shared, but the cabinet, data centres, communications lines and even the skilled staff required to run the environment. It makes the data centre available at a fraction of the cost of any one company trying to buy, resource and power its own dedicated facility and allows organisations to move more of their IT costs towards an operational expenditure (OpEx) model. All added together means a more efficient and therefore greener solution than a ‘dedicated’ solution.”
So whether you call it the green argument or the cost argument, it is certainly a compelling argument: you should move your data centre into the cloud. Your contract with your provider will define just how green it is; that is, how much money you will save.
The security argument (against moving your data centre into the cloud)
There are two aspects to the security problem: defending your data (traditional security), and complying with legal requirements (compliance).
When you move your data into the cloud, you are forced to rely on the security of your provider. This is psychologically difficult. Logic, however, suggests that a dedicated service provider will have dedicated security experts – probably more than you could afford yourself. Consider the recent pro-WikiLeaks DDoS attacks. “While some corporate brands fell under the logical weight imposed by Cyber Attacks,” comments Professor John Walker, CTO of Secure-Bastion, “some cloud based sites successfully sustained their operations during the adverse conditions.” The reason, he believes, is relatively simple. “While organisations buy the latest technology, they don’t always buy the latest training for their employees, and that creates a gap in understanding that manifests in problems. Compare this to the cloud. What the cloud does is provide solutions. If you sign on with a good provider, it will have excellent technology that is up-to-date and current; but beyond that, it will have people who really understand the technology.” In short, a good cloud provider will have a better understanding of the security threat, and a greater ability to combat it, than most companies have outside of the cloud.
Matthew Philpott, of cloud provider Telstra International, believes that the physical characteristics of the cloud itself can also lead to improved security. “Some may argue,” he suggests, “that it is easier to build a compliant cloud as the cloud used is more likely based on a specific product such as VMware or Hyper-V. Because virtualization products deal with all aspects of the host and network they are in a unique position to offer a more in-depth line of defence by being able to see the entire environment.” (It is worth noting that, beyond a few proofs of concept, there is as yet no known malware able to attack the hypervisor.)
It is certainly the compliance issue that is the more difficult side of cloud security. Put simply, in most jurisdictions you are legally responsible for any personal data you hold. That effectively means every company, since a company’s own HR data will inevitably contain personal information. “People are not moving sensitive data into the cloud yet,” says Edy Almer, VP product management at Safend. “There are a lot of legal issues around that. That is probably one of the hardest things to move into the cloud because you can’t tell where your data resides; and you have to be able to assure your regulator that you are not moving it outside of the country.” And if you can’t do this, then you cannot have a data centre that is truly in the cloud.
But not everyone agrees that you cannot combine cloud and compliance: Simon Daykin, CTO at Logicalis, has no doubts whatsoever. Can you be compliant in the cloud? “Absolutely!” he says. “Compliance is about using a transparent and secure cloud where you can demonstrate separation and operate in clearly defined boundaries. With a secure and transparent cloud, the capability exists to meet most if not all compliance requirements.”
Rami Habal, Director of Product Marketing at Proofpoint, takes a pragmatic view. “As much as any individual company can be compliant in its own local / private data center, it can be compliant in a data center hosted by someone else,” he suggests. For example, with “the EU Data Protection,” he says, “it is the data owner for sure (and there is a private right of action under the EU Data Directive), but a data processor can also become liable depending on its relationship with the data subject and the relevant contracts in place.”
The key to security and compliance in the cloud is the SLA contract with the provider. It is unlikely that you can ‘contract out’ of your legal responsibilities as the data owner; but contractual proof of your attempts to safeguard that data will be an arguable defence in case of data loss.
The key to developing a data centre in the cloud, whether it’s to save costs by going green, or to specify security and compliance, is the SLA contract with the cloud provider. But how do you do this? How can you be confident that your provider is actually providing what he says? One possibility is to check that the provider uses the Cloud Security Alliance’s new Governance, Risk Management and Compliance Stack. Launched in November 2010, this is a toolkit for enterprises, cloud providers, and security solution providers, to instrument and assess both private and public clouds against best practices. At its launch, Eric Baize, Senior Director of Cloud Security Strategy at EMC (the company that commissioned the report we started with) claimed that “Gaining visibility into service provider environments and governing them according to overall enterprise GRC strategy have emerged as the major concerns for organizations when considering the use of public cloud services.” CSA’s new GRC Stack will help to enable this.
But possibly more pertinent is Europe’s new Common Assurance Maturity Model (CAMM). It is designed to provide assurance levels for the third parties that you might seek to use – and it has particular relevance to cloud providers. Raj Samani, founder of CAMM, explained that “the CAMM framework has a series of controls, and the third-party would answer the questions that provide the answers. The third-party then makes those details available. The user seeks a supplier whose answers satisfy its own risk appetite. For low-level security, a self-assessment might suffice; for high level security, an independent audit might be required. Such an independent audit would be made available to all of the customers that the third-party interacts with.”
In short, CAMM has the potential to provide the cloud buyer with an independent assessment of the cloud vendor, at no additional cost. CAMM has the potential to make moving into the cloud easier, cheaper, and more assured. Raj Samani has now taken on the additional mantle of the Cloud Security Alliance Strategic Advisor for EMEA. We can expect the CSA and CAMM to move closer: and between them they are likely to make the cloud a more transparent, secure and compliant location.