The main economic appeal of cloud computing relies on its usage-based pricing model, often described as “converting capital expenses (CAPEX) to operating expenses (OPEX). Usage-based pricing is different from renting in that renting a resource involves paying a negotiated fee to have the resource available over a period of time, whether or not the resource is actually used. Usagebased pricing or pay-as-you-go pricing involves metering usage and charging fees based on a finegrained usage basis, independently of the time period over which the usage occurs. With Amazon EC2 for example, it is possible to buy computing resources by the hour and storage by the GB. In addition, hours purchased can be consumed non-uniformly in that 100 server-hours purchased can be used fully on the same day of purchase, the day after or at some later time.
Given the economics of cloud computing and the new business models emerging around the delivery of cloud-based services, new applications can be created and delivered at a radically lower cost compared to conventional approaches. As such, industry analysts and ICT practitioners have agreed upon several major benefit forces that should drive the adoption of the cloud.
Collaboration and Community Computing Benefits
As the globalization trend continues, distributed work has become an everyday reality in large organizations. Many existing on-premises applications were originally designed to support employees in same-time, same-place working styles. By contrast, cloud-based productivity tools (for example, Google Apps, Microsoft Office Live Workspace, Intuit’s QuickBase, Facebook) are inherently collaborative and accessible anywhere, including from home. Community computing and collaboration in the cloud brings benefits that are not easily attainable with local computing, such as the detection of distributed denial of service attacks (DdoS) or spams, as cloud platforms that have a wide visibility on the Internet traffic would detect the onset of an attack more quickly and accurately than any local threat detector.
Cloud Computing Costs
Doing like-for-like comparisons between cloud computing and in-house datacenters to run an enterprise business application is a difficult task because it is easy to neglect many of the indirect and hidden costs incurred by operating a datacenter. In fact, there are many arguments and counterarguments surrounding the total cost of ownership (TCO) of hosting in-house compared with using cloud-based services. This is because each organization has its own capital and operational cost structures and its own break-even point, but IDC in argue that most companies, with relatively standard ICT and Web deployments, will achieve lower TCO by using a managed hosting service than by hosting in self-owned and managed facilities. However, a simple comparison of costs for self-owned versus hosted facilities is typically not possible, even for small companies, due to the large number of indirect and hidden costs20 affecting in-house operations that are overlooked.
In support of this statement, IDC argues that “too many companies inappropriately compare the headline costs of in-house operations and managed services when they evaluate the two side-by-sides, such as the capital cost of servers versus monthly recurring fees. The range of costs necessary to run a decent-quality hosting operation in-house is wider than many companies appreciate, and in house cost cutting can be illusory, creating more in risk than it saves in cost.”
To help out with this issue, Amazon developed in the “Economics of the AWS cloud vs. Owned ICT Infrastructure” a comparative analysis of several direct and indirect costs entailed by owning the facility versus using the AWS cloud that will be used hereafter. In this Section, I will strive to sum up all the direct and indirect costs that apply to operating a self-owned datacenter and how they compare to using cloud-based managed services. This outline will be used hereafter as a calculation basis for TCO of the reference use case.
Operating a self-owned datacenter incurs a number of tangible asset's capital or lease costs and other landlord fees, as well as personnel costs that broadly divide into three categories:
· Datacenter facility costs that include: building maintenance and upkeep, fit-out costs, technical space maintenance and refurbishment, two or more fiber ducts and fiber services to the building, power plant, backup power generators, fuel storage, chillers, physical security systems (access control, CCTV, security presence, etc.), fire suppression, racks, cabling, and so on. To be included are business continuity redundancy for most of these components, and insurance for all of them.
· Computing equipments costs that include: depreciation, planned life-cycle replacement, unplanned replacement, backup/hot swap, spare parts inventory (onsite or with supplier), power and cooling costs, software licenses, system monitoring, system security (IDS, email security, DDoS mitigation, etc.)
· Personnel costs that include: salaries and related overheads of facilities and security staff to operate the physical datacenter as well as of ICT staff to manage the technical environment; cover for staff absence; attrition costs; training; staff facilities.
This is only a subset of the costs a company necessarily incurs in operating its own hosting operations. While many companies, depending on the scale of their operations, make do without some of these components, they are typically incurring risk in return for the cost saving (for example, by cutting back on redundancy, or not deploying a DDoS capability, or under-resourcing the operation in staff terms). A company that uses a managed hosting service will still pay these costs, but the maim assumption about cloud computing's cost-saving opportunities discussed so far is that these costs are shared across all customers of the service provider and, through the economies of scale the hosting provider can achieve, the customer will pay only a fraction of the amount for the in-house operations equivalent.
Conclusion
I think that for most organizations, outsourcing to the cloud should reduce risks and hence costs. The cost elements outlined above all present risk as well as cost to an organization in terms of service disruption resulting in lost orders. Many companies operate internal ICT SLAs, but in the face of a major disruption affecting operations, internal SLAs are effectively worthless. An SLA from an external service provider would typically not cover the cost of lost business or customer dissatisfaction, but can go some way to mitigating the financial impact. More significantly, if stringent enough, the disruption should act as a major incentive for the service provider to fix problems quickly and well. A strong SLA does not nullify risks, but will reduce the financial impact by ensuring quick problem resolution and a level of loss buffering.
Cloud computing is still at an early stage. Therefore, to a significant extent, its technological and business models are as yet unproven. Cloud computing is not necessarily for everyone, nor for any type of application. It is probable though that data security and privacy compliance concerns will prevent a rapid adoption of public cloud solutions in heavy regulated industries, and in many global companies that operate in multiple jurisdictions as stated by Gartner in (Logan 2009). That is why, a company considering moving applications to the cloud must be conscious of their security policies and regulation compliance constraints. Beyond that, I believe that issues around data security and privacy risks in the cloud have been overly emphasized. It is also the opinion of several field experts, who talked at the Kuppinger Cole37 and Cloud Slam 2010 virtual conferences on cloud computing and security I had the opportunity to attend.
There seems to be a consensus around the idea that cloud computing is not inherently insecure or even less secure than traditional ICT. The cloud way may even be more secure than many poorly managed information systems where traditional ICT is incapable of providing the same level of expertise and control on their production systems for reasons as diverse as insufficient staff, limited budget for training and hiring top-of-the-line security experts. As a matter of fact, internal ICT teams can hardly compete with the budget and level of expertise carried out by the big cloud computing vendors to effectively secure their infrastructure from a physical and logical standpoint. In addition, it should be well understood that companies are always responsible —irrespective of whether their data resides in the cloud or not—vis a vis their legal obligations. Therefore, what a company needs to determine is whether or not it can protect, produce and consume sensitive data in the cloud with the same level of security and regulatory compliance as it does internally. Companies wishing to use cloud-based services should ascertain that their provider can meet their requirements and, if so, at what costs if any. Meeting security and compliance requirements can be onerous and expensive for both parties. Litigious relations are often a direct result of not properly addressing the responsibilities of all parties in the contract. Therefore, any hosting business relationships should clearly state what jurisdiction applies to the hosting contract. Cloud hosting providers should honor the security and compliance requirements of their customers, and provide transparent answers to inquiries around those questions.
It should be clearly stated that the responsibility to deal lawfully with corporate data, whether it be in the cloud or not, is not the responsibility of the cloud provider. It is always the responsibility of the company to protect the data it produces, no matter where data is located. In other words, the processes used to deal with the legal complexity of managing data should not be different in the cloud than in a self-owned datacenter. A company must know what it is doing in the cloud by first creating its security and regulatory compliance processes internally, and then ensuring that they can be carried equally by the provider or themselves to the cloud.
Finally, CEOs and CIOs need to understand that cloud computing requires new policies and new controls because it may give rise to new ICT risks that can have an operational and even strategic impact on the enterprise's efficiency and effectiveness. Adopting cloud computing to externalize computing resources poses the question of ascertaining opportunities versus operational and strategic risks.