Speaking of Clouds

The cloud computing community has been buzzing about a recent study by the McKinsey group which claims that cloud hosting (i.e. EC2-style IaaS) is not cost-effective for medium and large scale enterprises. I was planning on reviewing it myself, but now I see that my former colleague James Hamilton has posted an excellent analysis. Here’s one of his most damning paragraphs:

Page 25 of study shows a “disguised client example“ where the example company had 1,704 people working in IT before the move to cloud services and still required 1,448 after the move. I’m very skeptical that any company with 1,704 people working in IT – clearly a large company – would move to cloud computing in one, single discrete step. It’s close to impossible and would be foolhardy. Consequently, I suspect the data either represents a partial move to the cloud or is only a paper exercise. If the former, the data is incomplete and, if the later, the data is speculative. The story is clouded further by including in the headcount inventory desktop support, real estate, telecommunications and many other responsibilities that wouldn’t be impacted by the move to cloud services. Adding extraneous costs in large numbers dilutes the savings realized by this disguised customer. Overall, this slide doesn’t appear informative.

James is too kind, I think. Any organization large enough to have an IT staff of 1,704 that moved their entire IT activities to “cloud services” today would be foolhardy at best and criminally negligent at worst. There are many aspects of IT, ranging from governance and compliance to identity and access control, for which we are just working out the implications, consequences, and practices necessary to make cloud hosting a viable proposition. As James Urquhart wrote a couple of days ago…

… the FBI raided at least two Texas data centers last week, serving search and seizure warrants for computing equipment, including servers, routers and storage. The FBI was seeking equipment that may have been involved in fraudulent business practices by a handful of small VoIP vendors.

The problem is that they didn’t just grab the systems belonging to the VoIP vendors, but grabbed hundreds of servers serving a wide variety of businesses, the vast majority of which had never dealt with or even heard of the companies under investigation, according to Threat Level. Companies interviewed complained of losing millions of dollars in lost revenue and equipment with no warning whatsoever.

So how much of their IT operations might McKinsey’s “disguised client” have moved into the cloud? Based on most of the patterns I’ve seen, it is likely to be highly scalable batch workloads: stuff like video rendering, log file analysis, and data mining. But these are the kinds of tasks which involve relatively light operational load wherever they are run – in-house or in the cloud. So even if the level of raw processing or storage moved into the cloud was fairly large, it was unlikely to make a noticeable dent in the IT staffing.

In the real (non-McKinsey) world, there are three patterns which we need to compare:

1. traditional IT with siloed resource allocation
2. “private cloud” with internally hosted IaaS
3. “public cloud” with remotely hosted IaaS

Until we fully understand all of the issues related to remote hosting of business-critical data, the responsible thing for large enterprises to do is to migrate towards a mixture of (2) and (3). Simply adopting (2) should afford significant efficiencies over (1); shifting “safe” workloads from (2) to (3) should provide even greater savings.

UPDATE: Tim Bray also skewers McKinsey:

I’ve Seen This Movie Before · This is one of the times when being a greybeard is helpful. You see, I look at those bullet points, and I remember the IT establishment raising precisely those concerns, almost word-for-word, in the face of other New Things. For example: ¶

• Personal Computers
• Unix
• The Internet
• Relational Databases

The list goes on. In every case, the new technology couldn’t compete with the existing data center’s TCO (“Total Cost of Ownership”). And there were grave concerns about security and reliability concerns. And oh, those “business perceptions of increased IT flexibility and effectiveness”, so hard to combat manage.