The Purely Public Cloud Deployment: The Perceived Risk

In this post series, I will raise some basic questions and will delve deeply into this topic to debate the common resistance to what I call “pure cloud deployment”.
Let’s begin with a leading question: Can’t the hybrid economy model live within the public cloud? From the enormous number of conversations with top cloud thought leaders, CIOs, startups, and the like, it seems that the answer is YES. 
The Pure Public Cloud

I started my journey in the technology world only 10 years ago. I started establishing an online cloud and SaaS solution for the SMB, and 6 years later I was exposed to the great wonderful world of enterprise IT factory. I experienced and documented the challenge of moving the multi-million dollar IT shop to AWS cloud. I also supported and kept records on projects of enterprises and ISVs that moved resources from their on-premise applications to the Amazon cloud, beginning with their initial integration and continual maintenance all the way to the education and implementation of the cloud pay-as-you-go and on-demand models. In my journey, I saw how Salesforce grows like crazy and how its ecosystem mushrooms along with it. I’ve closely followed Amazon’s every step of building the AWS cloud, which, without a doubt, has been a revolution from IT markets.
“Did you hear about the Netflix down time last Christmas?” That is one of the most common questions I hear when it comes to discussing using only the public cloud (the Netflix case). There is never a question about the loss Netflix suffered from around 20 hours of downtime.

“By 2012 the (Netflix) cloud capacity has grown to be order-of-magnitude 10,000 instances, ten times the capacity of the datacenter, running in nine AWS Availability zones (effectively separate datacenters) on the US East and West coast, and in Europe. A handful of DevOps engineers working for Carl Quinn (@cquinn – well known from the Java Posse podcast) are coding and running the build tools and bakery, and updating the base AMI from time to time.” Read More by @adrianco

If Netflix had more control on their cloud, could they do better or at least bring their services back online faster? In the case of “better control”, is it plausible that they could build a scale and manage such an amazing capacity of resources? For this, we have to consider the benefits vs. risks.

“With a hybrid cloud, you as the user get to control the balance between CAPEX and OPEX. With a public cloud (like AWS), the entire expense is OPEX.” @martenmickos (via email)

Isn’t it more attractive for today’s IT leader’s total expenses and steady capacity to be OPEX? It is more logical for a budget to go out when it has a confirmed, direct ROI and won’t suffer from precarious planning.  This brings us back to the reason why past traditional projects failed.

“What you can never have to 100% in a public cloud is control. If you need full control, you must operate your own cloud. I mean financial control, technical control, access control, data control, compliance control, roadmap control, control over rules and governance, and so on. That’s why I think there will always be a need for private clouds.” @martenmickos (via email)

This list of features for control is very important and each needs to be considered separately. It seems like the private cloud is all about the IT FUD level, which makes sense since losing data or having downtime are serious factors when deciding a cloud enterprise or IT strategy.

Risk Perception

Risk perception is the subjective judgment about the characteristics and severity of risk. The perception of risk is decreased if the risk is chosen voluntarily. Even though the risks might be similar, the voluntarily chosen risk is accepted far more often than the imposed one. Accordingly, people tend to accept risks that are voluntarily (on-premise IT) chosen even if those risks are approximately 1000 times more risky than accepted involuntary risks (public cloud). Wikipedia
Don’t you think that AWS, or any of the public cloud’s leading trio can take responsibility while improving and providing better services over time? Isn’t it more strategic?  It seems like Amazon’s $600M contract with the CIA made them become more fond of with the phrase, “Private Cloud”, it just wasn’t necessarily how they, themselves relate to it.

“I asked AWS if it’s currently building private clouds for customers and if it’s building data centers outside of the U.S. designed for use by government agencies…  It notes that GovCloud and FinQloud are examples of “community clouds” that AWS may build for groups or organizations that have specific requirements.” Read More by @ngohring

Controllability

Similar to the voluntary choice aspect mentioned above, outages or data loss risks that are perceived to be under one`s control are also greater accepted than those controlled by the public cloud vendors (involuntary choice). Typical human behavior tends not to enter “out of control” situations because there is a lack of security under such circumstances. Veteran IT leaders have already experienced a situation that created a feeling of powerlessness and helplessness, and would not want to live through it again. Although they recognize the cloud, these leaders still “suffer” from the impression that as long as their administrators maintain control they can remedy the potential risk.

“What strikes me when I read of the cloud contracting deals, and proposed private clouds is just how little those who are defining the specifications for “private cloud” seem to understand about why the business segment moved so decisively to AWS.
IT on the other hand does not excel at this, and in my opinion this variance experienced by business customers when working with Corporate IT is what pushes them “to the Cloud” against any logical argument Corporate IT can make that they would have “more control” in the datacenter.” @BrianMcCallion on a comment on @gigabarb post, Amazon winner in a federal cloud scrum

However, that perceived control over the IT environment isn’t necessarily real control. Social psychological studies have shown that we tend to overestimate our capability to control a situation. Research shows that personal risk is perceived as being far lower than risk for people in general. This is statistically impossible and reflects an unrealistic optimism. No IT leader can deliver an “outage free data center” and most chances that the public cloud vendors can do better under.
There is more to risk perception and controllability than what I have noted in this post, including, “the greater people perceive a benefit, the greater tolerance can be built for risk”. The benefits that an enterprise IT can gain from using the public cloud are important in order to actually eliminate traditional IT risks. If IT really understands the values of the cloud and doesn’t view it as, “just another hosting platform”, they are capable of understanding that while it is very important, security deployment will always come second.
Having said that, do you really think that you understand what is “private cloud”? Is it a better investment to build your enterprise cloud from the ground up?

Related posts