Responsibility in the public cloud is a story of several misunderstandings. Advisory sessions and conversations with different companies interested in public cloud unveil the certainty that the classical outsourcing concept is still widely spread among IT decision makers. Public cloud providers are being seen as full service providers. That complicates negotiations at eye level and blocks the quick adoption of public cloud services. „Shared Responsibility“ is the keyword that needs to be internalized. This research note clarifies the wrong assumptions and describes the concept.
Self Responsibility: The Big Misunderstanding
In the past 10 years, for the sake of convenience cloud computing was often defined as “Outsourcing 2.0”. What should have led to a better understanding on the user side, however, did public cloud providers a disservice. With the understanding in mind – an external service provider takes over responsibility for (partly all) IT operations – IT decision makers developed the expectations that public cloud providers are full service providers. The IT department just coordinates and controls the external service provider.
What is true for a software-as-a-service (SaaS) provider as a vendor of low-hanging fruits is completely different at platform-as-a-service (PaaS) and in particular at infrastructure-as-a-services (IaaS) level. SaaS providers are delivering ready developed and ready-to-use applications. The complexity, for example with solutions from Salesforce and SAP, comes with the configuration, customization and, if necessary, the integration with other SaaS providers. So, the SaaS provider is responsible for the deployment and the entire operations of the software, and the necessary infrastructure/ platform. The customer is consuming the application. PaaS providers are deploying environments for the development and operations of applications. Via APIs, the customer gets access to the platform and can develop and operate its own applications and provide those to his own customers. Thus, the provider is responsible for the deployment and the operations of the infrastructure and the platform. The customer is 100 percent responsible for his application but doesn’t have any influence on the platform or the infrastructure. IaaS providers only take responsibility at infrastructure level. Everything that is happening at higher levels is in the customer’s area of responsibility.
Thus, it is wrong to see public cloud providers such as Amazon Web Services, Microsoft Azure or VMware (vCloud Air) as full service providers who take whole responsibility for the entire stack – from infrastructure up to application level. Self responsibility is required instead!
Shared Responsibility: This is how IaaS Management works in the Public Cloud
A decisive public cloud detail that contrasts this deployment model clearly from outsourcing is the self -service. Depending on their DNA, the providers are only taking responsibility for specific areas. The customer is responsible for the rest.
In the public cloud, furthermore, it is about sharing responsibilities – referred to as Shared Responsibility. The provider and its customer divide the field of duties among themselves. In doing so, the customer’s self-responsibility plays a major role. In the context of IaaS utilization, the provider is responsible for the operations and security of the physical environment. He is taking care of:
- Setup and maintenance of the entire data center infrastructure.
- Deployment of compute power, storage, network and managed services (like databases) and other microservices.
- Provisioning the virtualization layer customers are using to demand virtual resources at any time.
- Deployment of services and tools customers can use to manage their areas of responsibility.
The customer is responsible for the operations and security of the logical environment. This includes:
- Setup of the virtual infrastructure.
- Installation of operating systems.
- Configuration of networks and firewall settings.
- Operations of own applications and self-developed (micro)services.
A very important part is security. The customer is 100 percent responsible for securing his own environment. This includes:
- Security of operating systems, applications and own services.
- Encryption of data, data connections as well as ensuring the integrity of systems based on authentication mechanisms as well as identity and access controls at system and application level.
Thus, the customer is responsible for the operations and security of his own infrastructure environment and the systems, applications, services, as well as stored data on top of it. However, providers like Amazon Web Services, Microsoft Azure or VMware vCloud Air provide comprehensive tools and services customers can use e.g. to encrypt their data as well as ensure identity and access controls. In addition, enablement services (microservices) exist that customers can adopt to develop own applications more quickly and easily.
By doing this, the customer is all alone in its area of responsibility and thus has to take self-responsibility. However, constantly growing partner networks are helping customers to set up virtual infrastructures in a secure way and run applications and workloads on top of public clouds.
@CIO: Public Cloud means stopping with Antiquated Traditions
In addition to requiring an understanding of the shared responsibility concept, using public cloud infrastructure also makes imperative the rethinking of the infrastructure design as well as the architecture of the corresponding applications and services.
During the way to public cloud infrastructure, the self-service initially looks simple. However, the devil is in the detail and hides in the complexity that is not obvious at first. That is why CIOs should focus on the following topics from the start:
- Understand the respective provider portfolio and the characteristics of the platform/ infrastructure. This sounds easy. However, public cloud infrastructure environments are developing at enormous speed. For this purpose, it is necessary to know the range of functions and the availability of all services on the infrastructure platform and train the employees on a rolling basis to exploit the full potential.
- Focus on a greenfield approach including a microservice architecture. Public cloud infrastructures are following completely different architecture and design concepts as compared to those taught and implemented just some years ago. Instead of developing monolithic applications, cloud infrastructure is set on so called microservice architecture to develop independent, loose coupled and individually scalable applications that are integrated to create an entire application. This ensures better scalability and leads to a higher availability of the entire application.
- Consider „design for failure“. „Everything fails, all the time“ (Werner Vogels, CTO Amazon.com). The design of a cloud application has to follow the rules and characteristics of cloud computing and consider high availability. In doing so, one has to make sure to avoid a single point of failure and know that something can go wrong at any time. Thus, the goal is to create an application that works anytime even if the provider’s underlying physical infrastructure starts having issues. Therefore, the providers offer the necessary tools and services.
- Use existing best practices and operational excellence guidelines for the virtual environment. Leading cloud users like Netflix impressively show how to handle self-responsibility, respectively shared responsibility, in the public cloud. In doing so, Netflix has developed its „Simian Army“. This is a huge set of tools and services they are using to ensure the highly-available operations of the virtual Netflix infrastructure on top of the cloud of the Amazon Web Services. Zalando makes similar steps by developing his own STUPS.io framework.
- Consider managed public cloud providers. The complexity of the public cloud shouldn’t be underestimated. This applies for setting up the necessary virtual infrastructure, the development of applications as well as for the operations and the holistic implementation of all security mechanisms. More and more system integrators like Direkt Guppe, TecRacer or Beck et al. Services specialize in the operations of public clouds. In addition, former web hosting providers and MSPs like Rackspace (whose Fanatical Support is now available for Microsoft Azure) transform to managed public cloud providers. And many more will follow!
The growing number of cloud migration projects at big medium-size companies and enterprises indicate that public cloud infrastructure platforms are becoming the new norm, while old architecture, design and security concepts are being replaced. After public clouds have been ignored over several years, this deployment model now also makes its way on the digital infrastructure agenda of IT decision makers. However, only CIOs with a changing mindset taking the shared responsibility concept for granted will successfully make use of the public cloud.