My morning coffee read today was Paul Venezia’s “The cloud hazard no one talks about,” at InfoWorld (hat tip to David Linthicum’s Twitter feed: @DavidLinthicum).
Paul’s article makes the case that while “the cloud” (whatever that is) is great for getting rid of capital equipment, it ends up spreading around all your data, which means that “the cloud” is only as good as the network you have to access it. The subtitle of Paul’s article is, “Cloud computing not only distributes resources, it distributes risk — widely.”
Paul’s article is good as far as it goes. Paul describes how you’ll need to have high-speed, reliable connectivity to wherever your data is located (the physical data centers that implement “the cloud”). Paul writes
Sure, the latency between your offices and your cloud provider may be just 10ms or so, but what happens when some jackass with a backhoe in the next state makes that latency infinite? Suddenly you may have hundreds of employees with literally nothing to do. Today, loss of Internet connectivity still allows employees to work on local servers, access files on local storage, or in some cases, continue using virtual desktops served by a virtualization cluster in the backroom. If all of those services are on the other end of a severed fiber link, then everything comes crashing to a halt.
Paul then describes the case for redundant data connections and the associated risks that go along with that. Paul continues:
Just build a better cloud data center, you say? Well, you can outfit a building with all the fire suppression, drainage, and elemental protection devices you want, but if it’s hit with an 8.5-magnitude earthquake, it’ll be a long, long time before that facility gets back on its feet. In fact, it may never recover. Sure, cloud providers have disaster recovery plans, but rarely do they consider the wholesale destruction of an entire facility, and it’s not economically feasible to provide 1-to-1 cold- or warm-site resources for every customer. Whether the downtime is measured in days, weeks, or months is dictated solely by the breadth of the disaster and the recovery plan of the cloud provider.
“So what,” I hear you saying, “That all sounds like good advice.” As I said, it is good advice… as far as it goes. The problem is, there is no real justification for not moving to the cloud in here. My question to Paul is, “And what’s the alternative?” I have seen this thinking before, and I have started to call it the “Their stuff is more risky than our stuff” myth. It’s a mental crutch that we all use. If “we” built it, then we know it must be good. If “they” built it, then maybe it is or maybe it isn’t. We don’t know, so we assume the worst.
Look at it this way. If you’re mid-to-large enterprise, you are going to be responsible for thinking through all the things in Paul’s article one way or another. You probably have operations in at least three locations, possible in multiple continents, with multiple data centers spread out all over the place. You’re already worrying about a guy with a backhoe in the next state and natural disasters because most of your data is not in the next room away from your employees.
So, who do you think will do a better job of thinking through disaster recovery plans, you or “the cloud guys?”
I’ll give you a hint — there is no right answer to the question. My point is not to say, “The cloud guys are better at this than you are, so leave it all to them.” My point is to say that your internal guys are not necessarily better than “the cloud guys,” and if you somehow think that having it all in-house means that it will get done correctly, you have just fallen victim to the “their stuff is more risky than our stuff myth.”
Trust me, there are clouds residing in data centers that are built and operated far better than yours is, with better connectivity, better backup plans, and run with better discipline. Talk to my friends over at SwitchNAP, for instance, and I guarantee that you’ll be blown away.
So, what should you do?
In my opinion, you should utilize the cloud for everything that makes sense. And have some long talks about all the issues Paul raises with the various providers (network, cloud, etc.), until the point where you are satisfied with the answers. Ultimately, if you’re the guy signing the contract, it’s your responsibility to ensure that you did the due diligence that is required. But don’t fall victim to the myth that stuff outside your four walls is riskier than stuff inside your four walls. It isn’t. Odds are that your corporate mission statement is not “Build the world’s best, most reliable computing facility.” But that might be the mission statement of your cloud provider.
Latest Tweets
[...] I discussed the myth that “their stuff is more risky than our stuff.” A couple weeks ago, I saw this article in eWeek, “Cloud Security Remains Top Business [...]