The on-demand computing model in itself is a dilemma. With the on-demand utility model, enterprises often gain a self-service interface so users can self-provision an application, or extra storage from an Infrastructure as a Service provider. This empowers users and speeds up projects.
The flip side: Such services may be too easy to consume. Burton Group Inc. analyst Drue Reeves, shared a story of a CIO receiving bills for 25 different people in his company with 25 different accounts with cloud services providers. Is finance aware of this, or will it be in for a sticker shock?
Lack of governance can thus be a problem. The finance department may have to address users simply putting services on a credit card, and there's also the issue of signing up for services without following corporate-mandated procedures and policies for security and data privacy. Does the information being put in the cloud by these rogue users contain sensitive data? Does the cloud provider have any regulatory compliance responsibility, and if not, then is it your problem?
There are several other big what-ifs regarding providers. For example, do they have service-level agreements (SLAs)? Can you get an SLA that covers security parameters, data privacy, reliability/availability and uptime, data and infrastructure transparency?
"You can't see behind the [cloud providers'] service interface so you don't know what their storage capabilities really are, what their infrastructure really is ... so how can you make SLA guarantees [to users]?" said Anne Thomas-Manes, an analyst at Midvale, Utah-based Burton Group.
Furthermore, would the provider be able to respond to an e-discovery request? "Is that on the SLA, and is that information classified, easily accessible and protected?" she asked.
For some companies, a lack of an SLA is not an issue. For CNS Response Inc., a psychopharmacology lab service that provides a test for doctors to match the appropriate drug to a behavioral problem, not having an SLA with Saleforce.com Inc. was a moot point.
"We were already experiencing a lot of downtime before we went to Saleforce.com, so we knew what they could provide would be better, and it has been," said Mark Desrosiers, senior vice president, commercialization at Costa Mesa, Calif.-based CNS. And, in fact, it has helped: CNS cut the delivery time of test results from two to four days down to 11 minutes on average.
But is this good enough for a large enterprise? That question remains, and experts said it will be up to customers to push vendors to provide appropriate SLAs.
In fact, a big message at the show was pushing vendors to do such things as:
Have open application programming interfaces (APIs). There is an inability to monitor and manage APIs on many levels. Customers cannot see where their data resides at their cloud provider, and more importantly, there is no application or service management layer to gain visibility into the performance and management of the application.
"There has to be a management layer so customers can see what and where their assets are for the cloud, what systems are used by which applications," Reeves said. "Just think of the cloud as your own data center."
Create fair licensing schemes. Enterprises should be pushing cloud providers to move away from licensing based on physical hardware and compute resources to licenses based on virtual CPUs, managed or installed instances and user seats, said Burton Group analyst Chris Wolf.
Which brings up another significant what-if: What happens to your data in a legal entanglement?
What if you miss paying a bill, or decide not to pay a bill for various reasons, like dissatisfaction with the service? Do you lose your data? Is access to your data put on hold?
There are a lot of questions as to who ultimately owns the data for e-discovery purposes, or if you decide to switch providers. Will you have to start all over if you didn't put the code in escrow, for example?
Cloud computing touts many benefits, but Burton experts said enterprises need to be aware of the what-ifs: What does this really mean for my bottom line, how do I govern this, who really has access to my data and what do the cloud computing providers really have to offer?