By Paula Klein, TechWeb

CIOs seem to “get” the strategic benefits of cloud computing — agility, better resource utilization and more flexible budgeting. At the same time, questions persist about when to leverage corporate data centers and when to use public options for application hosting and development.

For some IT executives, the indecision stems from security concerns and a distrust of public service providers; for others, corporate culture, data access and costs are the biggest hang-ups. Either way, there seems to be some stall in the marketplace.

Private clouds, especially at large organizations, have gained the most momentum. Many businesses view private clouds, which are run behind the firewall, as familiar territory and easy to “sell” to corporate stakeholders. In late 2009, 60 percent of executives claimed to use a private cloud, often in tandem with public clouds, according to a study conducted by the Accenture Institute for High Performance last year. By 2012, the total using private clouds will rise to 77 percent, according to the Accenture report. The research company surveyed 669 executives in nine countries (Australia, Brazil, China, France, Germany, Japan, Singapore, U.K. and U.S.) and more than 20 industries.

Joseph Puglisi, vice president and CIO at EMCOR Group, and a founding member of the Cloud Computing Consortium at Stevens Institute in New Jersey, says private, internally hosted clouds offer a certain comfort level right now. “Large businesses have long managed apps like 401(k) or payroll outside the enterprise,” he says, so they are comfortable with service providers hosting nonessential applications. The same due diligence applied to outsourcing partners should be used for service providers, he says.

Divesting ‘Commodity Services’

However, Puglisi expects public cloud acceptance to increase quickly in the next year or so. From his perspective, CIOs will not lose control or clout because of hosted services, as some have feared. In fact, “It’s a great benefit to push these commodity services, such as e-mail, out of the data center so IT can truly accelerate the business and solve business problems,” Puglisi says. Hosted e-mail is a prime example of a function that can be offloaded, according to Puglisi and others. “Resources and capital budgets are really freed up,” he says. Steve Fletcher, CIO of Utah, also sees e-mail as a perfect application to host in the public cloud.

Jack Shaw, president of Breakthrough Business Technologies, who consults about cloud implementation, among other topics, cautions CIOs not to think in either/or terms with regard to private and public cloud models; both should be carefully considered and both may be used concurrently, he says. “Clearly, more businesses will start with private models and then move to public,” Shaw notes, but the decision should be based on several factors.

It also appears that the notion of cloud security as a barrier to deployment is losing steam. Although security was the Number One concern listed by respondents in the Accenture survey, cloud use is on the rise, says Allan Alter, research fellow and co-author of the report. Three-quarters of the respondents expressed concern about security, especially in industries such as health care and financial services. And yet, Alter says, security apprehension is “not a cloud killer.” In some countries, it is not much of an inhibitor, he says. Most businesses are moving ahead with cloud plans despite concerns.

Minimizing Security Concerns

To Puglisi, security is the “Achilles’ Heel of cloud computing.” Puglisi maintains that people, not systems, are to blame for most security breaches and that full protection — including intrusion detection tools, virus protection, intellectual property monitoring, log scanning and so on — is prohibitively expensive for all but the largest global sites. Additionally, if employees or hackers want to leak information or passwords, the risks are just as great on internal networks as they are with a public provider. For all of these reasons, Puglisi contends that the large cloud service providers offer as much — or probably better — security as most businesses. “They have the scale, the motivation and the resources that few can match,” he says. Eventually, security will become “a non-issue,” in his view.

Consultant Shaw agrees that “CIOs should be experimenting with public clouds,” especially for noncritical applications. “We’ll get to a point five years from now where concerns will go away.” IT hosting models will become “make-or-buy” decisions like any other projects, he says.

In the public sector, the commitment of state and federal governments to cloud models is high even though security and privacy have always been big concerns. Chris C. Kemp, chief technology officer for IT at NASA in Mountain View, Calif., views private clouds as an immediate solution for organizations that face security, performance and other dilemmas. At the same time, he says that resistance to change is restraining many government agencies as well as private businesses from more aggressive cloud adoption.

Utah CIO Fletcher, who is the immediate past president of the National Association of State CIOs, says requirements for government agencies to comply with regulations such as the Federal Information Security Management Act (FISMA) are slowing deployment, too. NASA’s Kemp hopes that the newly released Federal Risk and Authorization Management Program (FedRAMP) will address the specific security requirements of the cloud even better than FISMA has.

Of course, private clouds are not used only for hosting applications; many businesses use their virtualized data centers to host infrastructure, storage and even application development for business partners, Accenture’s Alter notes. Rapid scaling, server utilization and self-service are among the many benefits he cites.

Nevertheless, Alter says not everyone can or should build private clouds. Obviously, a start-up without legacy equipments wouldn’t be a candidate, nor would many small businesses. For them, the benefits of public clouds include energy savings, lower costs and faster time to market. By contrast, a business with 5,000 to 10,000 servers should consolidate, virtualize and optimize its infrastructure to reduce server sprawl and maintenance costs. Enterprises understand these distinctions, he says, and cost analyses are under way. “Confusion is definitely easing.”

 Cloud Checklist

Jack Shaw, blogger and president of Breakthrough Business Technologies, offers CIOs this checklist of questions to consider when making cloud computing decisions:

  1. Do you have a large data center and legacy applications that would have to be migrated to a new environment? Have you virtualized and consolidated servers and applications? If so, a private cloud may make the most sense.
  2. Can you leverage these investments by offering cloud services inside your firewall or as a shared service to a small “supply chain” of customers, vendors or other trading partners? This type of hybrid or community cloud will offer benefits and potential income.
  3. Are you a start-up or a small business without a data center that would benefit by using public providers?
  4. As we move to private, community and public cloud infrastructures, it becomes very difficult to define the “edge” of your data for security purposes. Peripheral security, therefore, becomes impractical. Instead you must ask: How sensitive is my data? Who should have access to it, and what can they do with it? Once you define that, you can manage user identities and access, whether in a private or public cloud environment.
  5. Are you a global or highly regulated enterprise? If so, make sure your SLAs specify where the data will reside and who will have access to it so that you can comply with various local laws and/or federal regulations. Once that’s done, you’re on your way!