Q&A: What CIOs Must Understand about Public and Private Clouds and PaaS
What should a CIO consider when moving to Paas? What criteria should the CIO use, and what misconceptions about the cloud must be overcome?
After "the cloud" caught on, IT faced yet another decision: public or private (or a mix of both). To understand the issues and the key criteria for choosing among the options, we asked Bart Copeland, CEO of ActiveState for his insight as well as what CIOs need to know about platform-as-a-service.
Enterprise Strategies: What benefits does a public cloud offer to enterprise customers? What are the drawbacks/downsides?
Bart Copeland: Public cloud delivers elastic software services for enterprise customers. It promises scalability, efficiency, and the convenience that comes with outsourcing your IT department's work.
Enterprise customers will notice public cloud's short-term efficiencies. Without cloud virtualization, scaling apps to meet growing business needs requires resource, time, and hardware investment. In the cloud, that scalable capacity accommodation is yours for the taking (and the right price).
Before committing to public cloud, two key concerns must be addressed:
- Does your public cloud provider infrastructure support the development languages in which your enterprise's apps are coded? If not, expect to recode those legacy applications.
- Will your public cloud grow with you? What happens if you need to switch clouds? How expensive are switching costs? Will you be locked in to your cloud vendor?
Why should an enterprise CIO consider a private cloud solution?
Private cloud is the self-hosted equivalent of public cloud, with infrastructure and applications served from on-premise hardware. Private clouds can also be served via dedicated, single-tenant hosting with a vendor. In either case, you know where your bits are.
Public-cloud proponents pitch scalability and convenience, but the enterprise CIO must look beyond such short-term benefits: The public cloud scales with data, but not necessarily with business growth, and that's why an enterprise CIO must consider private cloud solutions.
What's the security model?
Public cloud vendors achieve their own operating efficiencies with multi-tenancy. Your apps share a big public cloud sandbox with others, and that can make an individual app vulnerable. A successful data attack on one application can compromise all applications within that multi-tenant space. In a private cloud environment, you have control over data, applications, the sandbox, and the firewall.
Who governs your data?
Some foreign governments impose strict data sovereignty laws on international corporations doing business in (or managing data passing through) their jurisdiction. That's fine if your enterprise's public cloud provider has data centers in all the countries in which you want to do business, but not particularly realistic if you have multiple subsidiaries. With private cloud, you can maintain your data in the geographies in which you do business.
What are your support needs?
When it comes to the public cloud, your enterprise is one among many customers. Public cloud is outsourced IT, and when something goes wrong, you'll have to trust in a third party to rectify the problem. When you bring control of the cloud on-premise with a private cloud, you can rely on your own trusted IT resources. If we're talking enterprise disaster recovery, would you prefer help from Ned, your trusted DevOps guy down the hall, or would you prefer to call tech support?
How does PaaS fit into the public and private cloud models? How is PaaS the same and different for each cloud model?
PaaS comes in two flavors: public and private. Public PaaS runs on public infrastructure (such as Amazon AWS) and manages multiple applications within a single shared-tenancy environment. It's up to you, the enterprise CIO, to deploy applications to that PaaS sandbox.
Like public PaaS, private PaaS is a middleware layer for managing cloud data, applications, and services. A good private PaaS solution offers an additional layer of security, protecting individual applications within a shared cloud environment.
Private PaaS is a fundamental component of private cloud, and enables easier, faster, and more secure app deployment than its public counterpart. In a private PaaS model, your IT department becomes the platform provider, with framework and data storage management completely under your control. Contrast that with the do-it-yourself model of public PaaS, with its one-size-fits-all approach to provisioning and tenancy.
What considerations should that enterprise CIO take into account when assessing public PaaS vs. private PaaS?
The choice between public and private PaaS comes down to flexibility, security, and control.
The public PaaS model runs on predetermined infrastructure stacks, and delivers the same (rapidly commoditizing) service level to all tenants. That may be enough for some businesses, but it's not enough for growing enterprises. Public PaaS limits you to your provider's infrastructure and all the operating constraints that come with it.
A good private PaaS protects individual apps within its sandbox (whether on a public cloud or hosted on-premise in a private cloud). Public PaaS, however, carries a lowest-common-denominator risk: If the weakest application in a multi-tenant environment is compromised, other applications can potentially be breached. With "individually wrapped" private PaaS applications, there's no hack-once-compromise-all reward.
Control of applications, business operations, and sensitive data resides with whomever controls the cloud. Public PaaS is an outsourced solution. Private PaaS puts control of cloud development, deployment, and management where it belongs, in the hands of enterprise IT, which can bring peace to CIOs.
What are the biggest misconceptions a CIO have about PaaS?
One common misconception CIOs hold is that public cloud is cheaper than private cloud, but for the growing real-world enterprise, it's not true. Public cloud may offer initial efficiencies, but factor in security risk costs, potential capacity overage penalties, legacy-app customization, and relinquished control. The public cloud isn't such a bargain. (A 2011 study by the Aberdeen Group found that enterprises deploying a private cloud saved approximately 12 percent annually over those deploying to a public cloud.)
Enterprise cloud computing requires a PaaS layer. Some enterprise CIOs hold off on making PaaS decisions, however, choosing to focus attention on establishing a private infrastructure-as-a-service "IaaS" foundation first. That's not a bad thing, but most organizations would be better served by addressing both IaaS and PaaS in initial strategic planning. Waiting on PaaS now can limit choices (development language, app portability, etc.) later.
We are in the early days of cloud technology, and many enterprise CIOs are cautious to commit to PaaS solutions. Public PaaS providers aren't making it easy, forcing CIOs to commit to specific stacks, development platforms, and even data services. However, there are flexible PaaS solutions available, and enterprise CIOs should assess PaaS technologies for how they support their growing organization's business objectives and not just for how shiny they may appear at first glance.
What are the biggest mistakes organizations make in evaluating PaaS solutions? What best practices can you recommend to avoid these problems?
Leaping before looking. Cloud computing will help an organization run better, but jumping on a cloud bandwagon based on the lure of short-term cost savings can lead to pain in the long run (vendor lock-in, inappropriate security, relinquished control, non-compliance risk, and so on).
Enterprise CIOs looking to the cloud can adopt several cloud deployment best practices:
- Establish disciplined, unemotional decision criteria to evaluate cloud solutions. Set minimum-bar metrics for level of control, uptime, service delivery, and security.
- Research data governance mandates in the jurisdictions in which your enterprise does business—and plans to do business in the future -- and ensure your cloud (whether public or private) can support your compliance needs.
- Don't limit your thinking to cost reduction as the only driver for PaaS. If you choose a private cloud, you have to manage scale yourself, but you can always rent out excess capacity. With an extra server, you might even be able to turn your IT cost center into a profit center.
What role does ActiveState play in this discussion?
ActiveState makes Stackato, an application platform for creating a private PaaS. Essentially, Stackato is "private PaaS in a box," enabling enterprise users to develop and deploy PaaS with convenience, flexibility, and control. We support multiple languages, infrastructure, and operating models and can support any development language, run on any stack, and provide a secure middleware management layer for any cloud (private, public, or hybrid).
With Stackato, developers get the freedom to simulate a production environment on a local machine, and code, test, and launch an app to any cloud. DevOps gets control, with new levels of "containerized" security, auto-configured provisioning, and better compliance. CIOs get ROI, with reduced time to market, no vendor lock-in, and the potential to turn an IT cost center into a profit center.