With the Spirit cloud infrastructure project on the launchpad, Savvis’ CTO Bryan Doerr has plenty to say when we ask him whether users are ready to trust the cloud
Cloud computing will eventually triumph, but in its early days complying with regulations may limit its use. Those are the opinions of Bryan Doerr, chief technology officer of Savvis – and they’re admirably frank coming from a company that has bet big time on the cloud.
Savvis is an outsourcing provider, and it’s preparing to launch Project Spirit – a virtual private data centre. Despite this, on a visit to London, Doerr admitted to me that compliance could be an issue for some of its potential customers.
While many focus on the supposed security and reliability risks of cloud computing, I think that they are overstated (and so do others such as Google, obviously). Most in-house IT departments face just the same issues – but the cloud has more difficulty in proving it is secure and meeting industry regulations for data handling (such as the PCI regulations in the retail industry).
That’s why I chaired a seminar on Compliance at BrightTalk’s online web summit about cloud security. You can still listen to it here.
And earlier that day, I raised my doubts with Doerr – who was over to talk about what Spirit will offer.
Spirit – scaling infrastructure at will?
“Cloud is not new technology,” said Doerr (and Savvis has certainly been outsourcing for longer than the “cloud” name has been in vogue). “It’s a new purchasing paradigm: enterprise class virtual data centres with multiple grades of service, and granular control.
Spirit (which is due in beta before the end of the year, and generally available early in 2010) is a close partner deal with two of the major cloud-enabling technologies launched this year. It uses the Nexus switches which underpin Cisco’s Unified Computing System, launched in March, and VMware’s vSphere cloud OS, launched in April.
“We use the Nexus 5000 for scale, and for its integration of SAN and Ethernet, and we also get APIs which are critical for security at the hypervisor level,” said Doerr. “We can follow the best practices of physical dedicated deployments, and bring them into the cloud.”
Spirit will have three tiers, with firewalls and storage, and a lot of support for service level agreements, but Doerr is proudest of the control interface – a drag and drop control panel that lets users build their own virtual data centres in Savvis’ space.
“You use a palette to build out an application deployment architecture on your screen,” he said. “At the time of completion, you push a button and it provisions.”
The system also tells you how much the virtual data centre you just built will cost, though it will depend on how much you use it: “Before you provision, you see your fixed charges and usage based charges – some resources are charged hourly on a usage base, so the final bill depends on your usage level.
At this stage cloud-based infrastructure services are competing amongst themselves – but the major drive is to get in-house IT moved out into the cloud – and Savvis also supports in-house IT departments, hosting their servers in its sites.
Don’t confuse virtualisation with the cloud
Spirit has a Savvis-built user interface, which operates similarly to vSphere, but should be understandable at a higher management level. Despite the similarities with in-house moves, it’s important not to confuse virtualisation with the cloud, Doerr said.
In a nutshell, virtualisation is enabling technology – but it only takes you part of the way to the cloud business model.
“If you have virtualised your own data centre, it is probably still underutilised,” he said. “You can virtualise at the server level, but to get all the benefits, buying services on a massively shared platform is probably the end state.”
Virtualisation needs good tools and skills, he said, and it’s not part of his customers’ core business: “Virtualisation is a challenging task, and an undifferentiated task. Rather than take it all on, the argument is to go outside the company, to someone who has embraced the cost. Even if you do it well, you will never be as efficient as we will be at the multi-tenant level.”
Scaling IT without buying assets is good: “Once you buy hardware you are stuck with it.”
Also there are synergies between different virtualised applications, he said: “Formerly isolated applications are now coupled, in ways that can have ripple effects across the virtual data centre.”
But is it compliant?
But, I finally asked, all that is not worth much if users simply can’t adopt cloud services because they are constrained by their industry’s regulations. For instance, many countries have data protection rules which would make it difficult for a company to use a service which stores data elsewhere.
“We are anticipating this issue,” said Doerr. “We have multiple instances of this platform deployed globally, and three grades of service.”
“For situations where data has a regional compliance requirement, that it must be kept in a particular region, our cloud allows you to pick a specific data centre.”
Customers of Savvis’ high-end service can pick where the data is deployed – although currently the UK is Savvis’ only datacentre in Europe for services like Spirit. With its cheaper low-end service, Savvis will select where the data goes to reduce its own costs.
But the location of the data may be the least of your worries, he warns: “There are lots of other compliance regulations, which go beyond data, to process and control.”
I asked him: are clouds compliant? “There is industry-level debate, and no blanket answer,” he said. So lots of applications – including any bound by the retail induistry’s PCI regulations – can’t be put in the cloud.
The good news is there are other applications: “There are lots of customers who do not have those obligations. And any typical enterprise has a portfolio of hundreds of applications. Cloud could be part of the answer.”
The issue is not black and white, in other words. “At this stage, the cloud is a supplement. Enterprises will always have a mix of services, and we can easily integrate cloud services – using the same tools in our customer interface.”
Ironically enough in the virtual world, that integration is easier if the customer already comes to Savvis for colocation in the same physical data centre: “You could take a cloud-based webhead tier and marry that to database a tier, perhaps by stringing a physical VLAN across the data centre.”
Whatever customers say they think about cloud security and compliance, they always bring the subject up: Customers bring many different levels of understanding to this, and I don’t think we’ve settled on all the key issues,” said Doerr. “But I have not been on a single customer visit where cloud was not the centre piece of the dialogue.”