Cloudy with a chance of rain

THE hype surrounding “cloud computing” has become deafening of late. Your correspondent suspects the evangelists, promoters and others hoping to cash in on the computing-services-in-the-sky movement are getting nervous about the way corporate customers, big and small, have not exactly rushed to embrace the new data-processing paradigm.

Perhaps that is because they have heard it all before. A couple of years ago, the fashionable term for it was “software as a service”. Before that, it was part and parcel of “grid computing”. Sure, each of the previous approaches brought a somewhat different set of technologies to bear, but the objective was broadly the same: to make it possible to buy data processing and storage from a service provider like electricity. Being flexible, extensible and virtual, customers would use as much or as little of the utility as they needed—and pay only for what they consumed. Despite the promise of cheaper processing, though, the vast majority of information-technology departments have continued to buy and maintain their own servers, data-storage units and network gear—preferring to keep their data on the premises rather than have it processed elsewhere.

Given the straitened times, you would have thought that cash-strapped companies would be jumping at the chance to outsource their computing operations to the Amazons, Googles, Salesforces and Microsofts of the world. Along with others, such providers have been vying to offer their customers access to data-processing and storage capacity, plus all the usual business software running on their own servers, via the internet or more private connections. Such “pay as you go” computing would give hard-pressed IT departments breathing space, while releasing resources for new projects—and, in the process, swap precious capital expenditure for a more easily managed operating cost.

Yet there have been few takers. What is holding IT managers back is fear about security. It was bad enough when online threats came in the form of worms and viruses causing a company's computer network to crash or files to become corrupted. Such instances could be costly, but reasonably quick to recover from. But things have got much worse. The threat today is not simply about vandalism but outright theft of confidential information, such as credit-card numbers, social-security details, financial data, marketing plans and trade secrets. Cybercrime is on the march as online predators deploy armies of “botnets”—robotic networks of computers, hijacked without their owners' consent or even knowledge—to plunder corporate and consumer data for financial gain.

When company data are stored on the premises, IT departments have various weapons at their disposal for “defence in depth”—firewalls, signature-based anti-virus software, and “white lists” of people granted access to various files and applications on the company's network. But in the cloud, a company has no control over the security measures adopted. In short, users no longer own the moats, the walls, the doors or the windows to their data.

Complicating matters further, providers of cloud computing do not allocate actual servers or separate processors to each customer. To keep costs down, all a customer can expect is a “virtual machine”—a slice of a computer with its own operating system that is partitioned off by software from other customers' slices. As a user's needs expand or contact over time, slices are added or vacated—and, in the latter case, handed over for other customers to use.

This sharing of processing and storage space in the cloud raises questions about how thoroughly a previous customer's data are destroyed before the slice is reallocated to some other organisation. Normally, assured destruction means degaussing magnetic media or shredding optical disks. With virtual machines running autonomously in the cloud, that is out of the question. So, what happens when data stored on a virtual machine get compromised? Will the customer ever know? Will the provider take responsibility? That is a serious concern for companies, given the laws now in place for notifying victims of data breaches, as well as for auditing financial results for compliance reasons or e-discovery.

As companies have delved more deeply into cloud computing, their concerns have only multiplied. The most recent survey by CIO Magazine indicates that worries about the security of cloud-based computing, loss of control over data, and return on investment were all up substantially over the previous year. Although 60% of CIO's 800 or so respondents were thinking seriously about cloud computing, only 8% had committed themselves to implementing it. Meanwhile, 29% claimed to have no interest in doing so whatsoever.

Clearly, the providers have not been particularly adept at articulating what the cloud is good for and what it is not. Ultimately, the sensitivity of the data will determine whether an application is suitable for processing in the cloud. Services that need to be highly secure (like credit-card processing) or involve a lot input and output (enterprise resource planning, for instance) should probably remain on a company's dedicated hardware. But applications that have a public face (such as websites, blogs or e-mail) or change their size unpredictably (say, special offers or development projects) would seem reasonable candidates for the cloud.

Though security remains a problem, there is still little question that cloud computing will one day become the norm. It is the next step in the evolutionary progress of computing from the mainframe of the 1960s, to the client-server or the 1980s, to the web-based application of the 2000s, each of which had, and continues to have, its own set of security problems. It is also a natural step in the evolution of services—from the physical to the virtual—that has characterised much of society's progress.

Take the monetary system. In his address to the annual RSA Conference on computer security held in San Francisco on March 2nd, Art Coviello, president of EMC's security division, noted how civilisation started with barter, then invented coins to make money more portable—even though people still had to carry their wealth around with them physically. The first step in the virtualisation of wealth came with the introduction of paper money. These promissory notes, with no intrinsic value, forced people to deal with the concept of attestation—certifying that something is genuine. And with that, the advent of financial instruments such as stocks, bonds and mutual funds created ways of sharing wealth—so that when one person wasn't using it, another could.

Today, virtual money dominates the money supply. In much the same way, virtual processing will one day dominate the computing supply. Unfortunately for cloud computing, that day is still along way off. Around 2020, would be your correspondent's guess.