Recently I sat down with Steve Kwan, Trend Micro’s Senior Director of SaaS Operations, to discuss the challenges he faces as he moves Trend’s datacenter operations into the cloud. Steve has a great deal of experience with both traditional and virtualized datacenters. Most recently he helped guide product strategy for 3Leaf Systems, a developer of ASIC and software technologies for the dynamic datacenter, and prior to that he guided Citrix’s largest Web 2.0 customers as they established and expanded datacenters.
Below Steve discusses his top three challenges to cloud deployment and how he is managing them…
Today public cloud vendors cannot wholly guarantee the security of their customers’ data in the cloud and as a result that responsibility falls to the customer. In addition, when a customer decommissions public cloud resources, they have no way to validate whether their data has truly been deleted; they have only the word of the cloud vendor. Finally, if a customer is using multiple vendors to satisfy SaaS, PaaS and IaaS needs, any security weakness in SaaS could trickle down to PaaS and IaaS platforms (as could any weakness in PaaS to IaaS). Security is one reason we decided to focus on a private cloud in the near term.
I couldn’t agree more with Trend’s view of security as an enabler rather than a hindrance. The goal of any security solution for the cloud has got to be to facilitate the job of IT. There are emerging cloud security solutions (such as encryption) which hold promise. In the meantime the cloud vendors themselves are offering what they call the “private public cloud” or the “dedicated public cloud.” In this hybrid model customers get dedicated VMs so there is no risk of bleeding VMs between customers. The cost is higher than the cost of using the traditional public cloud, but it’s worth it if you’re concerned about security. For this reason, we can expect to see a proliferation of hybrid clouds dedicated to enterprises.
We have many terabytes of data that must be securely moved to the cloud, which requires large bandwidth and resources. It’s a challenge, but it’s worth it for the efficiencies we’ll gain elsewhere. However, should we need to move this data from the cloud for any reason, migrating this data could be completely dependent on the data format used by the application and the infrastructure of the new cloud provider. Since today’s providers offer very little in the way of data interoperability, we would have to pull down the data then upload to another vendor’s cloud should we decide to change vendors. Our amount of data would again require more bandwidth and time. I do expect data portability to improve as more enterprises move to the cloud and demand interoperability standards.
Trend, like many enterprises, has small teams of R&D folks who have been experimenting with the cloud on an ad hoc basis. The reality of the cloud is that any employee with a credit card can rent time on a public platform such as Amazon’s EC2. While this provides reduced cost and flexibility, it can create unnecessary risk. Rather than outright prohibiting your employees from using the public cloud, put policies in place that make use of the public cloud safer. For example, encourage employees to utilize a private public model or, even better, lease a VM at EC2 specifically for corporate use. In this arrangement you have the ability to oversee compliance and they get access to the cloud.
Another reason we’re moving to the private cloud first is that it’s more efficient to re-commission existing resources for the private cloud rather than completely reconfigure our teams to support a public cloud deployment. That being said, for a successful cloud deployment, it’s imperative to create a core team with representatives from hardware, storage, networking and applications groups. Working together you’ll be able to have a better understanding of the impact to resources, applications, and other requirements such as tech support. Web 2.0 companies understand this concept more than traditional enterprises. Because the majority of their products and services are web-based, they’ve been forced to take this integrated approach to IT operations.