Monday, April 25, 2011

More than 7 deadly sins of cloud computing

I’m a sucker for a clever headline.

A while back I ran across an article about the “7 Deadly Sins of Cloud Computing” in Computerworld. Antony Savvas was writing about a report from the Information Security Forum (ISF) that announced it had identified those items of great IT wickedness that will turn something that sounds as angelic as it comes – cloud computing – into some sort of pit of eternal damnation.

OK, maybe I’m exaggerating, but just go with it. (Though after the beating that Amazon took from some quarters after their EC2 outage last week, maybe I’m not exaggerating by much.)

So what were those 7 cloudy yet sinful atrocities? I’ll tempt fate by listing them here, as reported by Computerworld UK:

Ignorance - cloud services have little or no management knowledge or approval

Ambiguity - contracts are agreed without authorization, review or security requirements

Doubt - there is little or no assurance regarding providers' security arrangements

Trespass - failure to consider the legality of placing data in the cloud

Disorder - failure to implement proper management of the classification, storage, and destruction of data

Conceit - belief that enterprise infrastructure is ready for the cloud when it's not

Complacency - assuming 24/7 service availability

It’s a solid list, for sure. For each of these, you can probably recollect relevant horror stories. For example, the folks whose sites were impacted by Amazon EC2 going down for an extended period of time last week are probably guilty of the last one: complacency. They forgot to architect for failure, something they had probably done all the time in pre-cloud IT environments.

As part of the write-up on these big no-nos, Steve Durbin, ISF global vice president, explains that "with users signing up to new cloud services daily - often 'under the radar' - it's vital that organizations ensure their business is protected and not exposed to threats to information security, integrity, availability and confidentiality." No argument there from me at all.

But, security isn’t the only thing you need to be concerned about if you’re going to list out cloud computing sins. And why stop at seven? (Historical and liturgical tradition aside, of course.)

So, after talking about some additions to the list with folks on Twitter, here are a few more sins that I’ve heard suggested that I think are worthy of adding to the list:

Cloudwashing (from @Staten7) – Describing something as a cloud offering that is not. Vendors get beaten up for this all the time. And they often deserve it. In his research at Forrester, James Staten points out that enterprises do this, too. So, this can apply to vendors and to enterprises who believe they’ve checked the cloud box by just doing a little virtualization work.

Defensive posture (also from @Staten7) – I think this is one of the reasons an enterprise cloudwashes their own internal efforts. They are not looking at cloud computing for the agility or cost benefits, but instead are working to meet someone’s internal goal of “moving to cloud.” They’re trying to cross cloud off the list while trying to avoid breaking their own existing processes, technology, or organizational silos. Or by saying they’ve already done as much as they need to do. Pretty selfish, if you ask me. Which is a sin all its own, right?

Needless complexity (from @mccrory) – The cloud is supposed to be clean, simple, and dead easy. Yet, there are cloud offerings that end up being just as complicated as the more traditional route of sourcing and operating IT. That’s sort of missing the point, I think.

Too many separate security projects (from @jpmorgenthal) – Back on the security topic, JP Morgenthal tweeted this: “I’m a big supporter of security investments but I believe there are too many separate cloud security efforts.” What are the issues? For starters, the right hand needs to know what the left hand is doing. And those different efforts need to be at the right level, area of focus, and have the right buy-in. Folks like Chris Hoff at Cisco and our own security experts here at CA Technologies can help you sort through this in more detail.

Worshipping false idols (from @AndiMann) – Well, this sounds a bit more like a commandment than a deadly sin, but I’m not going to split hairs at this point. This directive from on high can cover two topics, in fact: don’t get all hung up on cloud computing definitions to the exclusion of a useful approach. And, secondly, ignore silly rhetoric from vendors going on and on about “false clouds.” Yes, salesforce.com, I’m talking about you.

So there you go. Five newly minted Deadly Cloud Sins to go along with the 7 Cloud Security Sins from the ISF. All those sins, and I still didn’t figure a way to wrap in gluttony. That was always a favorite of mine.

What’s the bottom line here? Aside from a little bombast, there’s some good advice to be had in all this. Avoid these approaches and you have a fighting chance at cloud computing salvation. Ignore them and your users will be drawing pictures of you with little devil horns and pitchforks on them. That last scenario is never a path to success in my book.

Any additional sins you will admit to? There are plenty more cloud computing sins that could be added to this list, that’s for sure. Share any glaring ones that you think absolutely have to be here. Even if you’re the one that committed them. After all, confession is good for the soul.

Tuesday, April 12, 2011

Right place, right time, right cloud partners

A lot of pundits have picked 2011 as the year that cloud computing goes from “hey, that sounds like a good idea” to “yikes, we need to get this project off the ground” for many enterprise IT shops.

Sure, many of those same IT shops are having strong words right now with their business counterparts arguing over what they’ve been doing in the cloud behind their backs, but at some point it will be time to let bygones be bygones. And time to really get to work. Together.

Recently, CRN provided a couple lists of important cloud providers and platforms for 2011. And, even the government is being helpful. In a sign that things are progressing nicely, the government entity that’s been tracking cloud computing since the early days is maturing its models.

Time to Go Beyond the 3-Layer IaaS, PaaS, SaaS Cake

Several cloud-savvy folks, including Chris Hoff and Christian Reilly, pointed folks to the National Institute of Standards and Technology (NIST) website, where the organization has posted work-in-progress drafts of some new items, namely a cloud computing reference architecture. NIST had done a nice job on giving cloud discussions a strong definitional reference point a few years back (we use that definition as our main reference point here at CA Technologies, for example), and it’s time to move to the next stage.

My colleague Andi Mann did a nice analysis of what NIST is up to and what it means. He does have some points to quibble over, but he posted that “despite some clear flaws, I think this is a great document. More than just a series of definitions,” said Andi, “far less than a ‘true’ technical reference architecture, it is advisory and high-level, but practical and usable.”

The Right Time for Management to Take Center Stage

One of the things that has been frustrating about the cloud market to date is the ad hoc, shoot-from-the-hip approach. It’s great for testing the waters and there is, indeed, an important role for “good enough” computing, but as enterprises get more serious about cloud, they need to make sure they are thinking about something near and dear to my heart: management.

Andi points out that this is one of the really good things about this new NIST cloud reference architecture. “I am particularly excited that such a powerful voice in cloud computing is finally highlighting the primary importance of management in their cloud documentation. Almost half this document is focused in cloud management,” writes Andi. “NIST clearly believes a cloud computing environment needs mature management discipline.” Or, as he calls it, “grown-up management.”

Andi’s post goes on to discuss other aspects of the NIST architecture proposal, too, like service management, security, and the role of an independent “cloud auditor.” Worth a read.

Time to Find a Strong Ecosystem to Turn to

At around the same time, CRN chose to publish a couple lists of organizations that enterprises can turn to in their efforts to get some of the aforementioned cloud projects off the ground. And, yes, CA was mentioned on both lists. However, more interesting is who else is on the list with us.

Among the Top 20 Cloud Computing Infrastructure Vendors, alongside folks like AWS, GoGrid, Eucalyptus, Joyent, Randy Bias' Cloudscaling, and Reuven Cohen's Enomaly, were two of our partners: ENKI and Layered Tech. Both organizations provide cloud services based on CA 3Tera AppLogic.

· ENKI was noted for its managed cloud computing play that offers scalable virtual private data centers with performance and reliability at their core.

· CRN highlighted how Layered Tech offers managed dedicated hosting, on-demand grid/virtualization computing and Web services, helping business get into the cloud with secure IT infrastructure hosted in top-tier data centers.

The list also included Rackspace and Bluelock, two Nimsoft customers. The aforementioned ENKI is also a Nimsoft customer.

· CRN said that "with Rackspace's Cloud Servers infrastructure play, the top cloud dog of Texas is rivaling the major players with its select-a-size, customizable IaaS" backed by "fanatical support."

· Bluelock, said the write-up, offers VMware capabilities and its data centers are secure and SAS-70 Type II certified.

As for CA, we were mentioned on the infrastructure vendor list and also as part of the Top 20 Cloud Computing Platforms for 2011, which described CA 3Tera AppLogic as “a turnkey application-centric cloud platform.”

We’re trying hard to make sure that a big part of what enterprises will find when they consider cloud-related solutions from CA Technologies are partners with technology and expertise to help them along the way, both on-premise and as a service. It’s good to see that those ecosystem partners are getting noticed.

And just in time, too. After all, 2011 is a quarter over already. Only 9 more months until we get to check back in with all those pundits to see if we all delivered on their cloud predictions.

And all those cloud projects.

This blog is cross-posted at CA Cloud Storm Chasers.