Unchecked usage can kill cost benefits of cloud services

The touted cost savings associated with cloud services didn't pan out for Ernie Neuman, not because the savings weren't real, but because the use of the service got out of hand.

When he worked in IT for the Cole & Weber advertising firm in Seattle two and a half years ago, Neuman enlisted cloud services from a provider called Tier3, but had to bail because the costs quickly overran the budget, a victim of what he calls cloud sprawl - the uncontrolled growth of virtual servers as developers set them up at will, then abandoned them to work on other servers without shutting down the servers they no longer need.

Whereas he expected the developers to use up to 25 virtual servers, the actual number hit 70 or so. "The bills were out of control compared with what the business planned to spend," he says.

CLOUD SECURITY: Interop: Cloud services take a beating in debate over security 

He tried modifying policies around use of the virtual servers so they could be used only from 7 a.m. to 7 p.m. But that didn't work either because inevitably deadlines had to be met that required violating the new policy.

Ultimately, the business built its own VMware cloud that supports up to 100 virtual servers.

Since then Neumann has moved on to being IT director for Big Fish Games, which makes computer and online games, and where he has given cloud service another shot, but with similar results.

Big Fish again hired server capacity from Amazon to launch an experimental Facebook game. "Then the game was very successful," he says. "It was great to be in the cloud because it could scale so quickly, but the costs got out of control."

So again he pulled the content from the cloud and hosted the game in-house, a move that paid for itself in three months with the savings from not having to pay the cloud bill, he says. "Performance issues didn't drive the change," he says, but the experience has jaded him a bit. "Now we're cloud averse. We don't even talk about it."

In order to return to the cloud, he says Big Fish would need to be working on a specific project that would benefit from a cloud service.

Earlier, when he was still at Cole & Weber, Neuman ran into a different problem with cloud provider Teremark (now part of Verizon) that was related more to the relatively young service provider growing so fast that it couldn't effectively manage its services. As a result the advertising agency brought all its SQL deployment - which had been virtualized in the Teremark cloud - in-house on physical servers.

Other lessons he learned include examining service-level agreements (SLA) carefully, because he finds the ones he's run into don't actually agree to much. "You can have a big outage and it's not far off the SLA," he says. If a provider offers 99% uptime that equates to 7 1/2 hours per month of down time. "That's a day," he says.

Overall, he's suspicious of cloud security because he doesn't really get to examine it. "I think it's inherently insecure because I don't control it," he says.

Providers say, for example, that they are SAS 70 compliant in network defenses, but he worries about threats from employees of the provider. "Just like everyone else, their biggest threat is internal," he says.

Until reliable cloud security standards are established, he would avoid putting critical applications there unless he got to examine the provider's security. "I would pretty much have to know everything about what they do," he says.

Even then there are uncertainties. For instance, if data is housed in a particular data center, but the provider expands or data is replicated to another data center in the cloud provider's network, how will he know the second site is as secure?

Tier 3, the provider he used for a SQL virtual deployment, was good about explaining and documenting its security, he says, but still it wanted customers to take some responsibility. "Their stance was you need to take measures yourself," he says.

He says the IT department tries to be as flexible as possible to support projects, but the reality is that the costs of cloud services are difficult to project accurately. "It's really an unknown," he says. "If you use it for six months and it costs the same as buying physical hardware, then you have to switch."

Read more about data center in Network World's Data Center section.

Join the CSO newsletter!

Error: Please check your email address.

Tags Configuration / maintenancesecurityhardware systemsData Centercloud computinginternetVMware

More about Amazon Web ServicesFacebookInteropRSASASTier 3VerizonVerizonVMware Australia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tim Greene

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place