Security, SLAs and compliance issues rain on corporate clouds

Ongoing concerns about data security, service level agreements (SLAs) and compliance are preventing many companies from utilising public, private and hybrid cloud computing services, though performance bottlenecks can be addressed using wide area network (WAN) optimisation technology in some cases.

Swedish multinational Lantmännen Group is an agricultural co-operative that provides a wide range of food, bio-energy and agricultural products to companies across the globe, including the UK where it sells petfood and baking products under the Doggy and Unibake brands.

The company has built a computing infrastructure reckoned to be the largest enterprise private cloud in the world delivering over 5,000 applications as cloud services to staff at 550 sites in 20 countries. These include email, SharePoint and enterprise resource planning (ERP) apps available as software as a service (SaaS), with platform as a service (PaaS) for its software developers.

“We started by building a local [private] cloud and then looked to see what public cloud service providers we could start working with,” said Lantmännen chief security officer, Dennis Jansson. “We started by standardising applications and went over to consolidating and centralising everything [servers, storage and applications].”

Application performance bottlenecks were solved using wide area network (WAN) technology from Riverbed, who installed Steelhead appliances at 90 locations to minimise network traffic and improve response times. These have, so far, reduced the volume of Lantmännen’s mission critical application traffic by 80 per cent, yielding cost savings of around $6.5m (£3.9m) per year by avoiding expensive capacity upgrades and improving network performance.

“Return on investment (ROI) came within a year and we expect to achieve cost savings of around $60m (£36m) by year five [of deployment], said Jansson.
While WAN optimisation may have solved the performance problem which commonly prevents many corporations from moving applications and services to either private or public cloud provision, security and SLAs remain fundamental concerns.

A survey published this month [10/11/09] by analyst firm Infonetics found that 60 per cent of companies planning to roll out software as a service (SaaS) considered strength of security to be a key factor in their decision.

And as Lantmännen starts to consider integrating its private cloud with public cloud options on offer from the likes of Amazon and Orange, thereby creating what is known as a hybrid cloud, compliance with data protection regulation become an issue, because different laws in different companies demand that certain data has to be stored.

“The last issue is security, because all our services today go through a security management process,” he said. “And when we look at SLAs, we want to see contracts that tell us where data is stored – not necessarily just an SLA for uptime, but one that shows us we are compliant,” said Jansson.

Cloud computing service providers recognise the need to reassure their business customers about security and SLAs, and say that hybrid clouds, which integrate private cloud environments with some elements of public cloud services, are the way to address those concerns.

“We have been working on performance for a long time now but SLAs are a very big barrier – I have heard nothing but talk of application SLA requests,” said Jean Crichter, solutions director for business acceleration at Orange Business Services, which provides cloud computing services to enterprise customers. “They want SLAs confirming that the application is up, available, giving suitable response times and helping end users reach productivity levels.”

“There might be applications that companies want to keep in their own data centre, because of tight coupling or security concerns,” added Joe Weinman, vice president of strategy and business development at telecommunications company AT &T, which has been providing cloud services to corporate customers for a couple of years now, having also sold utility computing, managed servers and co-location facilities in the past.

“But the optimal architecture from an economic standpoint is one that combinesboth the enterprise data centre and some data and applications in that with cloud services like virtual cloud storage from public providers.”

These issues are certainly affecting many IT directors’ willingness to move applications and services into the cloud, say experts. And in many cases the underlying infrastructure services on offer from providers do not differ significantly from what was on offer before.

Ben Woo, research vice president at analyst firm IDC, believes private cloud implementations are essentially an extension of the established co-location market, where corporates lease storage, compute cycles and applications from service providers in a similar way to previous grid and utility computing business models.

“We are seeing both vendor push and user pull – lots of companies are trying to understand the cloud and the benefits it can bring to their business – but the UK and Europe is about 6 to 12 months behind the US on this,” he said.