This is the first part of a two-part story about the ways some major cloud providers are reacting to customers' lingering concerns about the cloud computing model.
As the old saying goes, "The customer is king." But does that hold true when the customer is dealing with a cloud provider? In the relatively new realm of enterprise cloud computing, the answer is both yes and no. Executives from four top cloud providers -- Microsoft, Amazon.com, Rackspace and Salesforce.com -- sat down at the recent Gartner Catalyst conference in San Diego to answer questions about what they want customers to know about cloud computing and about what customers should -- and shouldn't -- expect from cloud providers.
Do cloud providers offer better security?
Even as more enterprises experience increased levels of comfort with cloud computing, security remains a top concern. After all, the customer's business is at stake -- and so is the cloud provider's reputation. It's expected that questions will be raised about security at the start of any cloud adoption conversation, but Peter Coffee, vice president and head of platform research at Salesforce.com Inc., said he'd like the conversation to begin on a level playing field.
Discussions about the National Security Agency's (NSA) integrated access management security methodologies start with who owns the information, who's the custodian of the information and who has access to it, Coffee said. In his opinion, conversations between cloud providers and potential customers would do well to follow this model.
"[The NSA] gets way down that list before they ever start talking about technology, and I find the most productive security conversations we have with customers begin with talking about the value of the process, the sensitivity of the data, the regulatory requirements they have to meet," Coffee said.
Starting a conversation that puts cloud solutions on an equal footing with on-premises solutions can be more beneficial, agreed Bill Hilf, Microsoft's general manager for Windows Azure. One challenge is that many of the existing controls, mechanisms and compliance programs don't necessarily map to many of the new, distributed architectures of the cloud, he said. "In many ways it's like reading 1980s stereo instructions for a brand-new device and saying, 'This RCA jack doesn't plug into this HDMI port,'" he added. "The industry is really trying to catch up, to say, how do we map some of these concepts that we've been so comfortable with in IT, to this new type of platform?"
For Charlie Bell, vice president of utility computing for Amazon Web Services (AWS), customers above all should expect, and receive, transparency as a way of feeling comfortable with security. It's understood that customers will have questions about how the cloud changes security and creates and eliminates threats. Along with granular controls, transparency is extremely important, Bell said. The fact that the cloud is self-provisioning can make customers feel there's no room to talk about security, but that's not true and providers need to make sure customers know this, he said.
"I think there's a tension now because you see the cloud as self-service and you see this price sheet that gives you by-the-hour ability to purchase, and you assume that you can't have a deep conversation [with the provider]," Bell said.
John Engates, chief technology officer at Rackspace Hosting, said his company also believes in full transparency. Along with in-person conversations with customers, full transparency helps build trust, he said. "We've actually gone to extreme lengths in terms of transparency. We've taken the code that powers our cloud and open-sourced it, which I think is a very powerful concept because customers can look at what's powering the cloud behind the scenes, and that's very rare to see in a public cloud today," he added.
Although the questions around security are often the same in verbal interactions with customers and on questionnaires, those inquiries are important because they affect how Rackspace interacts with those customers and potential new ones. "We obviously have existing compliance regimes that we hold ourselves up to, but we often pay attention to all the standards that our customers are asking for, and we try to map ourselves to those," Engates said. "But it would be nice to have something that customers can agree on and start to formulate [around that], so they can get comfortable around multiple cloud providers."
And what of the notion that cloud providers can offer better security than anything that a single enterprise can do on-premises? Not exactly, Microsoft's Hilf said. "There is a fusion happening; in some ways, there is an opportunity to have greater security with a cloud system, but it's an opportunity, it's not necessarily inherent today," he said.
How do cloud providers learn from outages?
Outages are an inevitable part of cloud computing. They might be disruptive to the user, but each one can be a learning experience for the cloud provider, not only on how to avoid future problems, but also on how to serve customers better.
The Leap Year 2012 outage of Azure Service Management functions was a major learning experience for Microsoft, Hilf said. On the technical side, the outage illuminated a cascading series of bugs. But it also highlighted the importance of getting fast, detailed information to customers through its website, as well as its sales force on the ground.
"What we've identified is there's a lifecycle for an incident, everything from preventing it in the testing phase to identifying it, detecting it, and then responding and resolving it," Hilf said. "Understanding that lifecycle and being transparent throughout the process is critical for customers to understand and keep pushing us on the vendor side to be better at it."
Engates opined that outages mature a cloud provider organization, building its ability to respond well to the next outage. With its open source model, Rackspace is able to build what it's learned from outages into the platform, he said. "No one is ever going to hit those [failures] again because we're sharing those resources and those ideas and those concepts into the architecture of the software," he added.
And a little customer education can go a long way. While many customers just want to be able to log in and go, it's beneficial to understand "one layer deeper" than what is used on a daily basis, Salesforce.com’s Coffee said. "The more they know about what's going on under the hood, the more quickly they can help us … we're going to get a much more rapid identification of the fault," he said.
In the second part of this series, the cloud providers address data ownership and service-level agreements.
Let us know what you think about the story; email Karen Goulart, Features Writer.