By Sramana Mitra and guest author Shaloo Shalini
SM: Let’s switch the discussion to security; what are your perspectives on cloud security?
PS: Security is definitely part of it, along with the larger governance issues of outsourcing, hosting, or moving applications to the cloud. I am also talking about moving integration into the cloud. But the new rule of the IT function is around the governance of this complementary ecosystem for providers, and security is a very important part of it. We obviously have an obligation to ensure we maintain security through architecting and selecting the right service providers and through day-to-day monitoring. There is something that people tend to miss, which, I argue, is that security inside SaaS data centers inside these cloud providers is far superior to anything we could or would do internally.
SM: I absolutely agree. There is no way that SMEs can establish the level of security, the kind of security that these vendors can provide.
PS: So, you get it.
PS: Telling people is one thing and believing is another, but I believe it because we do a lot of credit card transactions and we have Sarbanes-Oxley (SOX); they do it better. But you still have the obligation to have this overall governance and make sure there is adherence at least to some high-level service level agreement for security. I argue our security is better [now]. Now, where this security could have a gap is integration. Inside the data center life is good, but between the lip and the cup, between the data center and on-premise, we are exposed. That is why I think that this model of Integration as a Service (IaaS) in the cloud is so important. In many ways it addresses this security gap.
SM: You said that you are adopting both IaaS and private clouds extensively, and we discussed use cases already. What are your thoughts about solutions from vendors like IBM, Sun, and HP that are putting together stacks? We talked about decoupling and disintegration of stacks; I think IT vendors are trying to put back together certain predesigned stacks so that you can get almost a private cloud out of the box.
PS: I see HP and IBM as service providers to a tier of SaaS providers. I don’t, as an SME, deal directly with HP or cloud service providers; I don’t need to. They are there, but I go through an intermediary to go through to them. Having said that, we are going to talk about internal or private clouds. I think virtualization is a game changer and it comes up again. One vendor that is hugely important to me and companies like mine is VMware. This whole idea of virtualization – I don’t want to jump ahead but I would like to tell you how these companies such as HP and Google can be of value to me – it really has to do with my internal environment, which is fully virtualized. I would like to take these virtual machines (VMs) and free them to move them, so I have a virtual machine that is a file server or Web server or does part of my ERP system. Now that is encapsulated as a VM, I would like to pick it up and move it offsite. And, say I have a disaster recovery, or I move up the stack or have a test environment. Ultimately as trust builds with these providers, why don’t I make each tier somebody else’s primary data center, and my internal center could be a back-up. Having this fluidity, this transferability, this migration capability of these VMs, opens up a whole world of adoptions. I would call it at the infrastructure and the platform level.
SM: I think their goal is to provide all the virtualization. All these different architectural aspects you need to have if you are doing good private cloud implementation; you need all these details worked in, including your virtualization plan. They are trying to provide that as off-the-shelf solution.
PS: I agree, but I can tell you from the front line, I want to do that and I am talking to Birst and Eucalyptus about that. The lack of standards in this area is a real problem. I can’t take my VM vSphere and move it to Amazon. They don’t play. I don’t know if any solution deals with this. You need to go through an intermediary to do this management. I figure that eventually it will work itself out, and once it does, you have very little friction to make a decision about moving a particular virtual machine or a series of virtual machines to any provider. With that you could identify base costs, service levels, and various other factors.