Frustrations with cloud computing mount
Lack of standards, industry agreements get more attention as industry expands
Computerworld - SANTA CLARA, Calif. -- Cloud computing users are shifting their focus from what the cloud offers to what it lacks. What it offers is clear, such as the ability to rapidly scale and provision, but the list of what it's missing seems to be growing by the day.
Cloud computing lacks standards about data handling and security practices, and there's not even any agreement about whether a vendor has an obligation to tell users if their data is in the U.S. or not. And users and vendors are only beginning to try to sort out those issues through industry associations, such as the year-old Cloud Security Alliance.
The cloud computing industry has some of the characteristics of a Wild West boom town. But the local saloon's name is Frustration. That's the one word that seems to be popping up more and more in discussions about the cloud, particularly at the SaaScon 2010 conference here this week.
That frustration about the lack of standards grows as cloud-based services take root in enterprises. Take Orbitz LLC, the big travel company with multiple businesses that offer an increasingly broad range of services, such as scheduling golf tee times and booking concerts and cruises.
Like many companies that have turned to the cloud, Orbitz is both a provider and user of cloud-based software-as-a-service (SaaS) offerings. Ed Bellis, chief information security officer at Orbitz, credits SaaS services, in particular, with enabling the company's growth and freeing Orbitz to concentrate on its core competencies.
But in providing SaaS services, Orbitz must address a range of due diligence requirements among customers that are "all across the board" and can vary widely to include on-site audits and data center inspections, he said.
A potential solution is a data standard being developed by the Cloud Security Alliance that would expose data in a common format and give customers an understanding of exactly "what our security posture is today," said Bellis.
If an agreement can be reached on such a standard "it would be heaven," said Bellis, and would "cut out a third of our internal work on due diligence." But he said he doesn't know when or if such a standard will be established, because it would take a lot of work to get a large number of users and providers to agree on it.
Judging from interviews with individual attendees and comments made during panel discussions here at the SaaScon conference, it's clear that there's a need for industry agreements. While flexibility -- the ability to rapidly scale and provision servers -- is the key idea driving the growth of cloud-based services, contracts with vendors may be anything but flexible, as Keith Waldorf, vice president of operations at e-prescription service Doctor Dispense LLC, discovered.
Waldorf said he once was a client of a service provider that upgraded its offerings, but he was unable to take advantage of the upgrade because his service-level agreement (SLA) kept him locked in to using only the software and hardware that he had initially signed up for.
The types of agreements offered by cloud providers "are all over the map, and it's really vendor-driven," Waldorf said. He has since moved to another provider, Sacramento, Calif.-based StrataScale Inc., that gives him dedicated hardware that's managed virtually.
Big cloud customers can negotiate terms that may give them a transparency and enforcement leverage. For example, as part of its Google Apps contract, the Los Angeles city government got Google Inc. to agree to unlimited damages should it ever violate its nondisclosure agreements.
But many other users don't have that clout. And in a lot of cases cloud providers may not even provide the logging information needed to prove a breach, said Jim Reavis, the founder of the Cloud Security Alliance.
Jeff Spivey, president of Security Risk Management Inc., said the market has to define its needs, because for now "the vendors are driving the service."
No one was willing to try to predict when the industry will reach agreements that set levels of transparency about data handling procedures and security.
Patrick Thibodeau covers SaaS and enterprise applications, outsourcing, government IT policies, data centers and IT workforce issues for Computerworld. Follow Patrick on Twitter at @DCgov or subscribe to Patrick's RSS feed . His e-mail address is email@example.com.
- Cloud security concerns are overblown, experts say
- Cloud computing 2014: Moving to a zero-trust security model
- Amazon hiring 'top secret' IT staff as it fights for CIA work
- Empire state ends IT empire building
- No, your data isn't secure in the cloud
- Snowden revelations may cost U.S. cloud providers billions, says study
- DHS shifting to cloud, agile development to boost homeland security
- Cloud computing's big debt to NASA
- Coke bottler picks SaaS over SAP
- Inmate data paroled from mainframe
Read more about Cloud Computing in Computerworld's Cloud Computing Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
Red Hat Enterprise Linux - The Original Cloud Operating System
Linux adoption is growing against a number of measures, such as the
number of supercomputers that run Linux and the size of the contributing...
- OpenStack Hype vs. Reality: CIO Quick Pulse Open-source architecture can enable IT departments to build infrastructure-as-a-service (IaaS) clouds running on standard hardware.
- Maximize Strategic Flexibility by Building an Open Hybrid Cloud Choosing how to build a cloud is the biggest strategic decision IT leaders will make this decade. It determines their organizational competitiveness, flexibility,...
- ESG: The IBM FlashSystem 840: Technical Evolution to Deliver Business Value In this whitepaper, you will learn how this high-speed storage technology has tremendous potential to support I/O-intensive and/or latency-sensitive applications.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources... All Cloud Computing White Papers | Webcasts