Benefits, Features and Cautions
Cloud computing is a way to pool a large amount of IT resources in a way that allows the provider to leverage scale and efficiencies to drive down prices and provide quicker access to those pooled resources to all users of that cloud service. Although that implies that cloud computing is all about cost savings and ability to use already deployed IT resources quicker, that is not a complete picture. Indeed if customers of cloud services view these services as an improved co-location service, it is likely that many of the more important benefits of cloud computing will go unused and likely the cost will be higher than an efficiently run self-hosted infrastructure.
Distributed Architectures made EasyEnterprise class cloud service providers spend a large amount of resources providing a highly redundant, reliable, scalable and geographically distributed infrastructure to their customers. Users of cloud services can take advantage of these properties without having to spend the resources or obtain the expertise to build and design their own infrastructures in their own datacenters. For Penn, it would be impractical to provide the same level of geographic redundancy that vendors in our preferred portfolio are able to provide. Some vendors describe this as 'Stop spending money on Undifferentiated Heavy Lifting'. So more resources and effort can be spent working on IT problems that do make a difference to our customers and allows us to further the mission of the University.
Scalability is Built-inBecause cloud vendors have large, distributed environments that run some of the largest internet based businesses, they deliver a number of solutions that allow for applications to scale quickly on increased demand. Many cloud vendors serve customers that target an international, internet sized audience that can increase the usage of a solution exponentially. The scalability that these applications require and the problems that need to be solved for these sorts of architectures are now part of the standard solutions the cloud vendor provides and allnew solutions will have that scalability built in from the start. This also means that you do not have to scale your infrastructure for your highest expected demand, instead you can design your solution to scale on demand and only pay for those resources you actually need, rather than planning and paying for resources you may need in 3-5 years, which is the typical depreciation period for capital expenses.
Trade Capital Expense for Operational ExpenseSince the cloud vendors are providing the infrastructure, they are the ones that are providing the capital expenses. By using cloud solutions, you will trade your capital expenses for operational expenses for the resources you consume. Of course, it is vitally important that the solutions that target cloud infrastructure are built in such a way that they use the elasticity the cloud services provide. If your solution is built using traditional architectures that do not scale according to demand and use the cloud solution simply as a co-location provider, you will not realize the savings you might expect. Although, cloud providers use their buying power and scale to design and build IT systems tailored specifically to their services and do not use system resellers to build and deploy their systems, which give them savings beyond what smaller IT organizations can attain. Market surveys have shown that their cost will be higher than self provisioned infrastructures if used for traditionally designed application infrastructures.
Decreased 'Time to Market'Cloud providers use virtualization technology and automation to deliver IT solutions in minutes rather than weeks or months for traditional IT infrastructures that may use a capital approval process and organization specific systems and installations. This allows for solutions to be deployed as soon as they are ready and the planning process for infrastructure deployment is no longer a barrier or significant aspect of IT solution delivery
Fail early, Fail oftenBecause one can deploy IT solutions without capital expense (or even significant operational expense for small efforts), it allows organizations to try out solutions quickly and without incurring ongoing costs that traditional solutions would. Since scalability can be built in from the start, you also do not need to worry about a solution being successful, since the cloud vendor provides 'unlimited' scalability. This means new, innovative ideas can be tried quickly and often without significant up front expenses and failed idea can be thrown away without having committed ongoing expense.
Infrastructure Security vs. Application Security
Cloud vendors have designed infrastructures with security designed in from the ground up. The market leaders in the space have a large and dedicated IT security staff that are dedicated to the security of the infrastructures they provide. Many provide automatic updates and patching of the OS and application infrastructures they provide. This means that users of the solutions get a lot of security 'baked in'. However application security is not provided by the cloud providers, so it is paramount to continue to build applications according the security standards that Penn advocates (http://www.upenn.edu/computing/security/swa/).
Cloud services, by their very nature are provisioned using the internet, therefore solutions that are network latency and bandwidth sensitive may not be appropriate for cloud based deployments. Additionally, some cloud vendors charge for the usage of bandwidth either for the ingress or egress of data, or both. It is important to consider the impact of the network and the location and connectivity of cloud vendors when considering a cloud based solution. It is also important to review encryption requirements when transitioning data to and from the cloud provider, since generally, the data will be traversing a public network and therefore may be inspected by external parties.
Compliance, Privacy, Confidentiality and Legal Considerations
The Penn privacy web site and the Information Security web site have a lot of information on privacy and protecting Penn data. It is important to understand that as a steward of Penn’s data, Penn users of cloud based solutions will need to assess the provider’s adherence to Penn policies and procedures, including e.g. FERPA, HIPAA, etc. There also may be legal and governmental requirements depending on the class of data that is used. Preferably these controls need to be codified in a contract with the vendor. It is also important to understand whether any data used by the solution is under export controls, which would require the cloud vendor to provide US based location restrictions. If the solution is part of Penn’s portfolio of trusted cloud based solutions, the contract will reflect these considerations. Please check with your local LSP or with ISC if you need more information or guidance.