The top two reasons respondents gave for moving away from cloud service providers were the Amazon EC2 outage and the Dropbox security breach, according to CompTIA, which conducted the survey of 900 IT and business professionals and IT firms in June with research firm Research Now.

Difficulty integrating on-premise systems with systems in the cloud was another reason given for the shift back in-house, as was the realization by some of the companies that they could build their own private cloud.

“Adoption of the cloud model continues to grow, but there are different nuances,” said Todd Thibodeaux, CompTIA president and CEO. “I think some of these companies recognize that a hybrid [cloud] approach meets a variety of their needs, and some realize that they have the infrastructure in place to have a private or hybrid cloud.”

Overall, more people are using the cloud in more ways — whether with an IaaS, PaaS or SaaS provider, or through a public, private or hybrid model — and these far outnumber the people who are moving things out of the cloud, Thibodeaux said. The CompTIA study found that more than half of the respondents plan to increase their investment in cloud computing by 10% or more in the next 12 months.

If anything, the survey data shows that cloud adoption has moved to a point of maturity in which customers are surer of their needs and more confident that the public cloud model is the right vehicle to meet many of those needs. This is a far cry from a year ago when the leading question was still “What is the cloud?”

In fact, the cloud crosses the globe as a unifying strategic initiative, unlike any other technology Thibodeaux has seen in his decades in the industry, he said.

Our understanding of the cloud has matured, but we are far from nailing down best practices, the main reason being that the cloud has too many moving parts — not to mention players.

“WikiLeaks was not a public cloud scandal,” said a director at a financial services firm. Furthermore, so-called “experts” are turning acceptable use into a faux security risk that requires the assistance of — what else — consulting services, he said.

An IT manager said I hadn’t dug deep enough into the forensics of a public cloud gone bad.
“I think you’re ignoring a basic point,” he wrote. “Amazon and a few others pulled the plug on WikiLeaks under severe governmental pressure. The talk of ‘contravening the terms of service’ was pure hogwash. Amazon and the others knew pretty well what Wiki was doing; it gave them a lot of business and everyone was happy … till the government stepped in. If the government machinery decides to nab you (or me), no matter how law-abiding you are, it will find some excuse and some archaic law, invoke that and … zap.”

Is it 1984, 27 years later?

The financial services director is aghast that this “unprecedented concept — to prevent the Feds from coming in and shutting down the cloud!!!” illogically “builds fear into the service provider background check process which exists for very different reasons.”

Who’s right? You tell me.

The IT manager who suspects the government’s influence on private enterprise said his question about risk in the public cloud is this: “What is the security that I can get for the continuous use of the platform without the platform owner using some specious excuse to drop me? ‘Continued and Guaranteed Service’ is now a risk item that has to be examined seriously,” he said.

Would nefarious use of the same public cloud on which your data resides come back to bite you, or is segregation and encryption enough to protect your data? It is unlikely that the government would shut down all of Amazon Web Services for the misdeeds of a few — especially, as Drue Reeves, a Gartner analyst has pointed out, AWS may be too big to fail. Like the financial institutions that recovered with the help of bailouts, large public clouds are becoming cornerstones of the economy, he said.

But it is possible to have data residing on a cloud that suffers a distributed denial-of-service (DDoS) attack in retribution for another customer being dumped. That’s exactly what happened on December 8, when “hacktivists” launched a DDoS attacks against Amazon.com and several financial institutions including Visa, PayPal and MasterCard for their decisions to stop processing payments to WikiLeaks.

What other risks are there? How about hackers using high-performance cloud services on Amazon to break passwords on wireless networks? We’ll hear more about that when security expert Thomas Roth delivers a talk at the Black Hat conference in Washington, D.C., next week.

Regarding the financial services director’s concerns, I plan to follow up with a story on SearchCIO.com next week about best practices for mitigating risk in the public cloud.

What’s your experience? Email me at Laura Smith, Features Writer.

Formulating a cloud strategy is on the minds of many IT executives — it’s the priority for 2011, according to analysts at Gartner Inc. in Stamford, Conn., ahead of virtualization and mobile computing.

“My concern is that it may be cheaper initially, but more expensive over the long run,” said my confidante en queue, who added that his cloud strategy to date has been to “move the grey to the cloud — not the most exciting applications, but the ones where it makes sense.”

Email, for example, and other “nondifferentiators” are the most likely candidates for public cloud services, according to Tom Bittman, a vice president and distinguished analyst at Gartner: “the things that everybody does, very separate from the business.” By 2012, 10% of enterprise email seats will be in the cloud, he said. The focus for nondifferentiated services is to “build an interface, very standardized between cloud and on-premises.”

The cloud is not a thing; it’s a style of computing like client/server, a way to deliver services, according to experts. And like actual clouds, there are lots of computing varieties, all of which must be considered in an enterprise cloud strategy.

Most organizations are going to have a mix of public cloud and private cloud initiatives. No doubt, “we’re going to see cloud sprawl. … If we saw virtualization sprawl internally, we can’t assume that it won’t happen externally,” Bittman said.

There are good and bad sides to the cloud, but the key to success is focus — the right services, the right requirements, and a service-based orientation.

“There is not a black and white, public and private; in many things, there is grey,” Bittman said.

A cloud strategy doesn’t have to be pure to provide value, for example. A cloud provider might limit access to companies within a particular industry, forming a community cloud. Or an enterprise might use a public cloud but insist that resources be shared only among applications in the company — a new construct becoming known as the “virtual private cloud.”

Throughout 2012, two-thirds of IT organizations will be spending more on cloud computing services, with 20% more spending on public clouds, Gartner analysts predict. The only bad strategy at this point is to have no strategy at all. Users are going to do their own thing, using personal credit cards to take advantage of cloud services beyond the realm of centralized IT. Having executive buy-in makes sense.

The cloud strategy boils down to how you evaluate which applications go into the public cloud, and which stay internal. Now is the time to align data center management with vertical service delivery. The bottom line is that you need to experiment; that leadership is critical to gaining executive buy-in. Focus on the service catalog and portfolio your services.

Like actual clouds, the computing variety is always shifting, showing up in an array of public, private, community and hybrid models. To help you understand the possibilities, SearchCIO.com will be looking in the next few weeks at such key issues as private cloud attributes and public cloud risks.

What cloud experience do you have to share? Email Laura Smith, Features Writer.

But cloud uptime? Now that is an even larger trust issue that CIOs just can’t seem to get past. At least, not the CIOs attending a recent gathering of public cloud services providers sponsored by the trade and investment arm of the British Consulate-General.

The CIOs and cloud services providers came together to hash out what it’s going to take to get enterprises onto the cloud. Security was an issue, of course, with data transparency and knowing who has access to their data among the concerns.

As for performance, one CIO said he would FedEx a terabyte of data to a public cloud provider for fear that the provider’s network couldn’t handle a data transfer of that load. One attendee said performance uncertainties in the cloud could possibly weaken your disaster recovery plan.

The CIOs also didn’t trust that their public cloud providers wouldn’t go out of business. CIOs have a long memory and haven’t forgotten that seemingly well-established hosting providers can go out of business — think Exodus Communications.

In 2000, Exodus was the darling of the hosting industry, with revenue of $818 million, stocks worth $90 a share and 42 colocation facilities — not to mention nearly 5,000 customers, including Microsoft, Yahoo and the New York Stock Exchange. Many of the company’s customers, however, were dot-com startups that failed to pay their hosting bills, pushing Exodus further into debt as it continued to build and acquire more facilities. (Some experts believe that the next wave of winners in outsourcing will be the ones that have large infrastructures that can support the entire services layer, from software to hardware. That would require big investments in infrastructure, like those Exodus made.)

Public cloud providers are not immune — a few bad infrastructure and financial planning decisions could bring the multitenant house of cards down. What happens to customer data then? Just as they asked during the dot-com bomb and downfall of application service providers, CIOs want to know how public cloud providers will deal with porting data and services to another cloud provider, or back in-house.

They don’t want their data to end up as an asset in bankruptcy court.

But this is a nascent industry, and CIOs are willing to wait for public cloud providers to grow up a bit. And as they grow, CIOs would like the providers to keep these other capabilities in mind:

• The ability to work offline, as well as online.
• The ability to manage multiple cloud services and relationships under one umbrella.
• The ability to speed up, not slow down, change management.

CIOs are sending clear messages to public cloud providers. It will be interesting to see how the providers live up to these demands — or maybe private clouds are the way to go?

Let us know what you think about this blog post; email Christina Torode, News Director.

This was VMware’s seventh annual shindig, and the statistics ticked off by Rick Jackson, VMware’s chief marketing officer, indicate that virtualization is growing like a popular religion. In 2004, 1,400 people attended the first VMworld conference, and by last year, the number of attendees had risen to 12,500. This year, the Palo Alto, Calif.-based company’s goal was to lure 14,000 attendees, but it was blown away by the registration of 17,000 professionals from 85 countries looking to take advantage of virtualization technologies. And that’s just a fraction of the 195,000 customers worldwide who are engaged with VMware, he said. Customers are banding together in user groups to help each other adopt the technology that will transform their IT initiatives. To date, 50,000 members are involved in VMware user groups across 145 local chapters in 32 countries. This year, the groups inaugurated a board of directors who created a mission statement. Jackson invited attendees to join a local chapter or start a new one.

The theme of this year’s conference was Virtual Roads, Actual Clouds. It’s not about public vs. private, Jackson said: “What people want and need is a hybrid cloud environment.” Last year, VMware built a large private cloud to service its event, but this year, it put its money where its mouth is and built a hybrid cloud using Verizon and Terremark clouds on the East Coast connected via the Internet to a cloud in San Francisco. This platform provisioned 4,000 virtual machines an hour during the conference, for an expected total of 100,000 VMs.

The road to a hybrid cloud is a three-phase journey. In the first phase of virtualization — what VMware calls IT production — customers are averaging savings of 50% to 60% in capital expenditures, according to Jackson. The second phase, referred to as business production, is driven by quality of service with high availability and disaster recovery at a fraction of traditional costs. The average VMware customer is in this phase, he said. The third phase is the optimization of IT production for business consumption, which is the premise of IT as a Service. The goal is to quickly deliver business value. “The value proposition from Phase 3 of the journey significantly dwarfs phases 1 and 2,” Jackson said.

In 2009, IDC reported that the number of applications delivered on virtualized infrastructures exceeded those on physical hosts. “We are at a tipping point in the industry,” said Paul Maritz, VMware president and CEO. The tide is coming whether VMware is there or not, he said, predicting that in 2010, more than 10 million virtualized machines will be deployed, growing at 28% annually. The trend is evident in industries ranging from pharmaceuticals to fashion, and spans the globe from dairy farms in India to large breweries in Eastern Europe, “to Tastykakes in Pennsylvania, which delivers satisfaction on top of a virtualized infrastructure,” Maritz said.

Two notable challenges are the integration of Software as a Service (SaaS) apps and mobile devices that have made their way uninvited into the corporate IT environment. It even happens at VMware: The company is using 15 SaaS apps that do not share single sign-on status. “I didn’t approve a single one of them,” Maritz said. Meanwhile there is an increasing heterogeneity of such devices as iPads that IT will have to support. “Ultimately, IT is going to be left holding the bag. Just as the PC came into the environment uninvited, IT will have to stitch them together in a manageable environment,” he said. What’s needed are automation, management and integrated security to make hybrid clouds a reality. The holy grail of porting data from one cloud to another will depend on faithful, open standards.

Because they are designed to serve the masses, large clouds like Amazon.com’s Elastic Compute Cloud, or EC2, have standard service level agreements that may refund businesses for time lost; but that’s pennies compared to the business that could be lost during an outage. Enterprises want to shift some of the financial risk to public cloud providers, but with increasing interest in cloud services, providers have little incentive to change their business models, according to Drue Reeves, director of research for the Burton Group in Midvale, Utah. The issue was brought home by Eli Lilly’s decision last week to walk away from Amazon Web Services (AWS) after its negotiations failed to push some accountability for network outages, security breaches and other forms of risk to AWS inherent in the cloud. In the article, an AWS spokesperson denied that Eli Lilly was no longer a customer.

At the moment, there isn’t enough jurisprudence to decide who pays for what, Reeves said, so he gathered a panel of lawyers and cyber insurers to comment on what has been deemed the Wild West of computing at the Burton Group’s Catalyst conference in San Diego last week. Heck, Rich Mogull, analyst and CEO of Securosis LLC, a consultancy in Phoenix, even called the public cloud a seedy bar.

“We don’t really have cloud law,” said Tanya Forsheit, founding partner of the Information Law Group in Los Angeles. “It’s going to happen. . . .[S]ome big breach involving a large provider will result in a lawsuit, and we might see principles coming out of that,” she said. Until then, negotiation is the order of the day around liability policies, she added.

Indeed, there have been 1,400 “cyber events” since 2005, according to Drew Bartkiewicz, vice president of cyber and new media liability at The Hartford Financial Services Group, a financial services and insurance company in New York. “If you had an event in 2005, you’re lucky,” he said. “The severity over the last two years is starting to spike. This is an exponentially growing risk.” With so much information flowing around the clouds, supply chains become liability chains, he added. “The question is, who is responsible for information that’s flowing from one cloud to another when a cloud goes down?”

The answer comes down to contracts, and what should be considered a reasonable standard of care, Forsheit said. “Have we reached a point where encryption is the standard?” she asked.

But enterprises aren’t the only ones at risk in the cloud: If the large providers are forced to indemnify businesses, the game will be over, Reeves predicted. The industry needs to figure out how to share the risk in order for the cloud market to mature. “Otherwise, the cloud becomes this limited place where we put noncritical applications and data,” he said. “If we don’t address this issue of liability, we’re stuck.”

SearchCIO.com will be following the issue of liability policies in the cloud. Do you have a story that needs to be told? Contact me at lsmith@techtarget.com.