I didn’t manage to make it to yesterday’s opening day of the Cloud Expo Europe – customer/work stuff takes precedence :) – but I managed to get to the second day. These events are always a bit of a mixed bag – it feels like I could attend cloud computing conferences every week, although it’ll be big data (or is that BigData?!?!?) conferences soon as the vendor hype machines whirr into life…
First I attended the opening keynote as Dr Werner Vogels from AWS was presenting – as Smart421 is an AWS solution provider I just kinda felt I should be there and hear what he had to say. The noise from the exhibition floor was pretty grim in all the conference rooms so it wasn’t exactly a perfect environment for him or us, but I got a few useful tidbits about how Amazon.com are using AWS (which has been an evolving story over 2010 and 2011). AWS didn’t have a stand at the event and were not a sponsor etc, and yet AWS and their CTO are such a draw that they gave him the opening keynote on day 2 – which tells you a lot about where AWS’s competitors are in the marketplace really.
I then listened to a presentation from Joan Miller – Head of Parliamentary ICT for the UK Parliament. I didn’t quite catch the end due to having to do a customer call, but whilst I found it interesting to hear what the UK Parliament are up to relating to cloud computing (especially the BYOD – “bring your own device” – trend and how strong a driver it is for them), I disagreed with the black & white conclusion that cloud computing was the answer to their challenges. It’s certainly part of the answer, but many of the implications of making information available electronically to mobile BYOD devices anywhere are still just as nasty “in the cloud” as they are on-premise, e.g. authentication, security of data, coping with different presentation devices etc. I accept that scaling is certainly easier (or at least at a price point that doesn’t keep you awake at night), and the use of SaaS offerings makes deployment of functionality much easier and cheaper for less critical datasets. To be fair to Joan, I missed the end of her presentation, and also the presentation slots were so short that there wasn’t really enough time to get the subtleties of the message over.
I also caught a session from Chris Hinkle from Firehost on the subject of secure cloud hosting – I thought he might talk about data encryption at rest and in transit, key management etc, but he started with some interesting material from Verizon analysing the nature of security breaches, e.g. they are no more prevalent in public cloud deployments than private data centres, and no hypervisor based attacks have taken place, so the whole public cloud multi-tenancy concern is a red herring really. After some content about the role of web application firewalls, I was also glad to see that he called out the security elephant in the cloudy corner of the room, i.e. guess what – your SDLC (software development lifecycle) needs to include secure development processes such as code reviews, vulnerability testing, penetration testing (and for every change, not just the first release!) etc. Shocker – insecure code is insecure wherever you run it.
Frank Jennings from law firm DMH Stallard covered some cloud legal contract points, based upon the Cloud Industry Forum white paper #3 (downloadable here) to which he was a contributor. He made some interesting points:
Cloud contracts are more about “getting out” than “getting in”, i.e. access to data in the event of a failure, lock-in periods etc.
Negotiation with public cloud vendors just isn’t typically going to happen – they operate at low margins and use a business model that just doesn’t support custom negotiations and terms for each customer – and this means living with the legal jurisdiction that the vendor
Even in the most custom of contracts, the provider’s financial liability (if you can even get them to sign up for consequential loss etc!) is typically capped at 100-150% of the fees you are paying them. Bottom line – service credits and the like are pretty pointless in a cloud or a non-cloud world and virtually insignificant compared with the potential disruption to your business (as discussed in a previous post)
The US Patriot Act gets a lot of interest, and it’s real (i.e. you need to use a UK company using a UK-based UK-owned data centre(s) to avoid it), but the reality is that most territories around the world have similar constraints and if you are not in an industry sector that is likely to get the authorities’ interest, then it’s not as big a factor as the press it receives suggests.
The last point I wanted to mention was something I picked up in a presentation about cloud adoption trends by William Fellows from the 451 Group. He observed that their research has shown that whilst security is a key concern when organisations are selecting a cloud-based solution, once they start implementing, it falls away to being the fourth largest consideration. This backs up what we see in the market – cloud security is more of a fear issue than a real issue (well – it’s no more real a concern than for any deployment anyway).