The media, as well as the market at large, have latched onto the term "cloud computing" with a vengeance. Admittedly, the basic premise of "data center on demand" is pretty sexy. But be warned: all may not be as it seems. The vision and concept of cloud computing and the on-demand data center have been around in one shape or another for decades. The vision has always been sought after but remained just out of reach. Virtualization has made this real, bringing the vision almost into our grasp. The key word here is "almost."
Those looking to include cloud computing in their architecture need to address the issue of how they can most effectively complement existing architectures. One of the biggest challenges for IT planners and strategists is that the term "cloud" is being used today to describe everything from the traditional software as a service (SAAS) delivery model to infrastructure outsourcing to infrastructure renting. It's the buzzword du jour with which everyone seems to be trying to associate.
For the purposes of this article, I will ignore the renamed traditional service delivery models and narrow the definition of a cloud to its most basic: an amorphous infrastructure owned and operated by someone else that accepts and runs workloads created by its customers.
Thinking about a cloud in this way, the first and most obvious question becomes: "Can all my applications actually run in such an environment?" If the answer to that question is no, then you must ask, "What subset of my data and applications could safely run there?"
Clearly, there are some applications that you would probably never want out of your control, including those you need in order to pass an audit (for example, to comply with the Sarbanes-Oxley Act, the Payment Card Industry Data Security Standard or the Gramm-Leach-Bliley Act). A cloud translates into the physical at some point in space but, today, you cannot audit its security, file systems and access controls with absolute certainty.
Today's cloud tools barely manage provisioning and some level of mobility management. Plus, security and audit capabilities are still a long way off, as well as the ability to move the same virtual machine in and out of cloud infrastructures while tracking and tracing its movement and access. Let's face it: most auditing groups still haven't even come to grips with the impact of virtualization on basic enterprise data center auditing, let alone cloud governance.