In OSS world the cloud is quite often pointed as problematic. Still, many organisations rely on it, and most companies tend to “move to cloud”. But what is the cloud anyway, what are the driving forces behind that movement, and why some organisations are so critical about it? Let’s have non-historically accurate but functionnally acceptable high-view of how “moving to the cloud” became trendy.
What is the cloud anyway?
Depending on whether you talk to, people don’t think the cloud means the same thing:
- Non-tech people will tell you the cloud is where they store their files (e.g. iCloud)
- In the corporate world, people who take decision for the information system of the whole company will tell you the cloud is “AWS”, “Azure” or “Google Cloud Platform”
- Project managers will tell you they pick low hanging fruits by doing a “lift and shift” of their on-premises application to the cloud
- DevOps will tell you they “transform and rebuild to leverage the services the cloud provider offer”
- Some vendors will tell you they provide a cloud solution “as a Service”
They are all right! The cloud is not well defined and can correspond to all of those definitions. The one thing that is common to every definition is the intent: the cloud is about offloading infrastructure, support, and sometimes even services to a third-party.
Clear blue sky
Large companies have needed to get computers to automate some of their workflow for at least 30 years. The companies relied on personal computers given to their employees, but also needed special computers that can be access from the whole company, and even sometimes from outside of the company: those are servers.
Servers can be fragile and require to be stored under certain conditions (of temperature notably) and to be plugged together in a network. The large rooms where the servers can run at the optimal temperature are called datacenters. Physical hardware is stored in racks, and then plugged in a specific way to the company’s network.
This means the company whose core business is not to work with computers needs to:
- Buy or rent land for the datacenter
- Get a datacenter built, or buy an existing
- Hire people to keep the datacenter safe from a physical perspective
- Hire people to handle the procurement of new servers
- Hire people to rack the servers and plug them correctly to the network
- Hire people to maintain the software on the server up to date and make sure the service is running
The reality is even more complex, because most organisations (should) have Disaster Recovery Plans to get back on their feet quickly even if a disaster happens. Those plans rely heavily on redundance of datacenters and servers themselves, so the company can keep running if something happened to the primary datacenter.
All of those operations add a significant overhead to a organisation’s regular activities, especially when its core activity is not to work with computers. When it became possible to create several virtual servers on a single physical server, procurement became more flexible for companies. Third-party companies also tackled the “datacenter” problem and created something new to solve it.
What if instead of needing to buy their own datacenters, companies could rely on existing ones and share services? Datacenters are not a competitive advantages for most companies, they will all get the same level of service as other companies working in the same field.
Offloading the management of a physical datacenter to a third-party allows a organisation to focus more on its core activities. Mutualizing the costs of maintenance of a physical datacenter can even bring a competitive advantage over those who don’t do it: by doing economies of scale the service costs less than it does when an organisation manages everything by itself.
A hosting provider is effectively providing Infrastructure as a Service (IaaS), which is the most basic form of cloud computing. When you rent the infrastructure and before you deploy your business application, you still need to properly configure the virtual servers' operating system and keep it up to date.
This frees the company from having to buy or rent land for the datacenter, build the datacenter, doing the civil engineering activities around it, doing all the physical security and hardware procurement activities.
On the other hand, the procurement teams needs to be aware of how to buy the new services. Most companies will also want a private link (MPLS or VPN) to the partner’s datacenter. Infrastructure teams are still necessary, but they have much less load to compose with.
Many people who “self-host” their services actually rent a Virtual Private Server (VPS) in a datacenter. They are in a way already relying on the cloud, but still need to manage the operating system and software maintenance for the services they self-host.
Since the operating system and software maintenance is not necessarily a competitive advantage, can this be provided as a service too?
A nice place for my application
When a company relies on an application to work, all it needs is for the application to run. Properly configuring, updating, and above all monitoring an operating system are very tedious and time-consuming tasks. They don’t bring any added value to the service but are simple chores that need to be done so the applicaton keeps running.
Some cloud providers offer services so you can get your application running and all the server management complexity is hidden from you. From your perspective, it’s serverless, as in “I don’t manage the server”, not as in “there is no server involved”. This type of service is another form of cloud, called Platform as a Service (PaaS).
At this stage if you don’t already have some in your team, you will need DevOps to operate these: those are people who are able to bridge between development and cloud services for more flexible deployments. You need less people to monitor security flaws of the infrastructure, CVEs in the OS etc, but you still need to do it at the application level if you build your application.
This works well to host an application you develop or customise, but do you even need to host yourself the application of a vendor?
It’s not even my application
When contracting with a vendor, organisations very often buy a subscription to get premium support too. This allows the organisation to contact the vendor in case of problem, to hold them responsible if they do not answer in a given period of time, and to ask for a compensation for it.
In most cases, organisations are not really interested in hosting the application themselves at all: they are mostly looking for the service the application offers.
Some vendors offer to do the hosting, configuration and to manage the technical aspects of the application themselves. The customers then subscribe to a service and not to support: this is Software as a Service
Should I even operate it?
Some companies are already trying to go a step further: since I’m only interested in the service, should I even have a team of employees to operate it for me?
While it can make sense in theory to delegate some activities to an external team, from my experience in practice it often ends up costing a lot more than if the company had employees to do it.
It’s also important to not externalise all the knowledge of an activity, but to at least keep internal employees with a good understanding of the processes and data manipulated, so it can be interfaced with other systems
So the cloud is all good?
The cloud has many traps. Organisations externalise not only the service but also the data: they need to contractually define with the provider how they can retrieve their data in case of problem, under which format, and under which maximum delay.
If the service provided is not standardised, be it at the infrastructure level (e.g. Amazon Elastic BeanStalk) or at the application level (e.g. a cloud identity provider such as Okta) then the organisation is exposed to vendor lock-in. Becoming dependant of a service means the negociating power becomes limited. The organisation is exposed to seeing surges in prices.
No IaaS/PaaS/SaaS provider will accept to sign a contract at a fixed rate forever: organisations relying on it are exposed to a significant rise of pricing if they don’t contractually cap it. This can only be capped for a few years.
There is another problem that has not been addressed in this article: the concentration of (commercial) power can be dangerous from a social perspective. The largest cloud providers, those who offer the most advanced services, are mostly american ones: they are subject to the Patriot and Cloud act. Those are laws allowing american intelligence to have a look at data even if the service is provided and hosted on non-american ground. This is the open door to mass scale surveilance and abuse.