The Cloud Conversation You’ll (hopefully) Never Have

The scene - Five years in the future, a boardroom of a mid-sized company with a large web presence. The VPs are assembled to hear the CIO report on the progress of the cloud computing initiative. *

Jeff Digglesby, CIO of NeverSold, strode into the boardroom with the gathered VPs and C-Level executives, oozing confidence. He skipped the small talk and went straight to the business at hand. Probably because the business at hand was good news.

He clicked to the first "meat" slide of his presentation. "As you all know, after years of effort and a lot of expenditures, our data centers are now 100% cloud platforms. Applications are scaled up and scaled down as needed, resources allocated across the network as our customers require. I am happy to report 100% uptime in those two months and no application rejected connections from lack of resources. In short, ladies and gentlemen, we have achieved IT nirvana." He paused and scanned the crowd.

After a smattering of applause, he went on. "What you probably don't know is that during peak times we utilize 65% of our available resources and during off-peak times a mere 20%. These numbers are in line with pre-cloud percentages, and give us room to grow. They are, however, appalling as a resource allocation scheme goes." He paused again.

"Let me see if I understand," the CEO said, "we're only using 20% of our servers during off time?"

Convene table by Steelcase

Jeff Digglesby waved a hand, "No, we're using 20% of the total CPU cycles. Similar numbers for network bandwidth and memory on machines. But it is spread across an array of machines to guarantee agility when demand ramps up."

The CEO nodded thoughtfully, and Jeff Digglesby continued. "I have worked out a plan with finance and my chief cloud architect that will resolve this utilization issue. Resolve it, reduce IT expenditures, and make IT a profit center, all at the same time..." He waited to let that sink in, smiling now that he had their undivided attention.

"We intend to lease out space in our cloud." He said simply.

The VP of product development said "You mean like a cloud provider?"

"Exactly! We've run  the numbers, and we can nearly wipe out our IT expenditures, utilize more of our systems, and even turn a small profit, all by selling some VMs on our under-utilized machines!" Jeff crowed.

Andy, the CISO, asked quietly "And these... hosted... applications, they will resolve to our building?"

"Yes, the application owners will own the IPs of course, now that IPv6 is finally taking off, but a traceroute would have to come to our building, that's where they would be hosted," Jeff replied a little miffed at such a simple question.

Andy sat up straighter and started annunciating very clearly. Everyone knew that when the CISO annunciated, he was communicating warning. "How would you guarantee that nothing these "hosted" applications served up was... undesirable?"

Jeff smiled, this wasn't going to be so bad after all... "We will have Terms of Service of course, and if they violate them we'll shut down their server and keep their money."

Andy made a face. "And how will you monitor them to know they've broken their terms of service?"

Jeff waved negligently, "We'll have monitoring systems to watch what they're serving up. Programmed to detect all the usual suspects."

Ted, the VP of Customer Service chimed in, "What about usage? Won't these servers interfere with throughput in peak times?"

Jeff smiled again, he had anticipated this question. "We'll only lease out 10% of our resources, leaving us a 10% for growth and anomaly traffic."

Andy stepped right in again, he was still carefully annunciating, "And how will you protect our internal systems from one of these machines getting infected with a self-replicating Trojan or Virus?"

Jeff smiled and made that shooing wave again. "We will throw up virtual firewalls on creation of new VMs, with a preprogrammed set of rules to protect our systems."

Andy looked at him for a long moment. "No physical firewalls between us and these customers - who are potentially hackers and phishers?"

Jeff puffed up his chest. "The problem here, Andy, appears to be that you fail to understand the nature of the cloud. We cannot physically isolate these servers, or it would impact our agility. virtual firewalls are a better solution."

Andy simply said "Assuming we're sharing space with potential miscreants."

Jeff nodded. "Assuming that is so, though our detection systems should catch them pretty quickly."

Andy looked about the room, then let out an explosive breath. "You are aware that we're in the business of making children's toys, right?" He asked exasperatedly.

Jeff grew red. "Yes. I am. You are aware that I've been here six years, have gone downtown, worked the line, and know very well who our customers are and what our product is?"

Andy nodded. "Just making sure before I say that I'm sorry, but you are daft."

The room was filled with energy, everyone staring at Andy, some amused, some horrified.

Jeff stood up straighter. "Attack the person and not the idea?" He asked hautily.

"Let's double-check your idea." Andy began ticking points off on his fingers "You want to lease space shared with our servers to people - and who or what they are you do not know, whose IP addresses will resolve to our shared datacenters, that you hope to catch if they serve up pornography or attack internally against our customer's information, or get infected, using virtual firewalls that are 'spun up' with automatic protection, and counting on Terms of Service to keep ne'er-do-wells at bay. But you won’t be able to stop them until they’ve already proven they’re miscreants?"

Jeff stood mute, merely nodding once.

"You are daft." Andy repeated. "The risk involved in what you suggest far outweighs the benefit. If this company decides to follow this route, I will have to tender my resignation."

The CEO nodded, "He's right, Jeff. We're in the business of selling toys, anything that might besmirch our name or compromise customer data had better generate a lot of money. How about you stick to running our IT in the stellar way you have, and we'll forget this presentation ever occurred."

Everyone got up and started filing out of the room, casting strange glances at the CIO.

*The people depicted in this story are fictional. Any semblance to real people is coincidental. No really.

Of course this conversation will not likely happen, most CIOs are highly intelligent people, and would evaluate such a proposal carefully before presenting it to others... But a similar conversation with different VPs playing different parts might be going on in your organization right now. Maybe even as ridiculously overstated as this fictional story is – but I hope not.

I have heard (more than once) people make claims like "no one has any excuse to keep a physical datacenter any more" relating to cloud. The above conversation should give you some insight into fighting such mentality should it crop up. Some of the people making these claims are smart cookies, which makes it harder to stand firm and insist that it meet your organization’s needs. But insist you must.

Simply put, some applications are cloud-ready as soon as your organization is ready to use the cloud, but others need more protection than the cloud currently offers... And you need to approach the problem like any other, this is another tool in the IT toolbox, not a complete replacement of the IT function. Your organization has spent years (some decades at this point) and large sums of money to protect your datacenter and the applications/information it houses, make sure you're not giving that protection up on a critical app before you sign the contract for cloud. (or as Lori said today… Don’t throw the baby out with the bath water)

Think about the why for using cloud, then look at the environment in relation to your normal datacenter hosted applications, and make sure you're meeting your organization's goals. Next, consider what your organization would do to a partner who had a malevolent employee that hacked your systems through a secure connection. Would you keep them? Would you tighten up the connection's security? A cloud provider is a partner that exposes itself to more risk than most, just because of the nature of their business. Try to keep that in perspective.

Only then should you go forth and make the most of the cloud. Don’t say no one warned you.

    

AddThis Feed Button Bookmark and Share

Published May 10, 2010
Version 1.0
No CommentsBe the first to comment