Mature conversations at the Cloud Leadership Forum

IDC and IDG brought together a couple hundred cloud practitioners and decision makers for 2 days of surprisingly intimate and sophisticated conversations about the benefits and challenges of doing more with public, private, and hybrid cloud computing technology. Appropriately, they called it the "Cloud Leadership Forum."

The breakout session on cloud security, for example, skipped the hype and dove right into an issue at the core of most conversations around cloud adoption -- the tension felt by IT organizations who are being asked to sign up for certain security and performance outcomes that they no longer feel in control over as they move to the public cloud.  

There are no easy answers to resolve this tension, as last week's discussion on cloud security highlighted.  One potential solution is for cloud providers or others in the ecosystem to assume liability for the business outcomes they're supporting, effectively getting into the insurance business.  This is a change of business model for the cloud providers, and will require a different pricing structure -- after all, insurance isn't free.  This may even require a new class of "cloud brokerages" to fill this role, as predicted by Daryl Plummer at Gartner.

In the meantime, most cloud consumers are choosing to "self insure," just as they currently do with most of their on-premise technology.  The key for ongoing enterprise adoption of the cloud is to make enterprise IT as comfortable self-insuring their cloud-based solution as they are self-insuring their on-premise solution today.

The conversation at the Cloud Leadership Forum made clear that we're not there yet for mainstream IT organizations.  Getting to this level of comfort will require some changes from the cloud service providers:

• Visibility:  Enterprises will only be comfortable self-insuring if cloud service providers fully open their kimono about all the things they're doing to ensure security.  Improved standards will help -- there was consensus that today's standards are primarily written by accountants instead of technologists, but that is changing.
• Controls:  Right now, cloud security tends to be one size fits all -- enterprises need more fine grain controls to dial-up /dial-down security to fit the requirements of their industry and the specific use case that they're moving to the cloud.  
• Guidance:  Enterprises need candid guidance from cloud service providers on security best practices, based on their experience across thousands of customers.  For example, who would know better than Google the optimal timing for password changes?

This is exactly the sort of dialog that consumers and providers of cloud services should be engaged in -- and it was encouraging to see that occur in a relatively hype- and FUD-free environment.

I'm thinking of covering a couple of other topics from the conference over the coming weeks:  exploring the emerging category of "business process as a service," discussing the latest attitudes about "private" and "hybrid" clouds, and covering a great case study by the CIO of Shaklee on what it means to be "all-in" when it comes to cloud computing.

Let me know what sounds most interesting! 

Ryan Nichols is the Vice President of Cloudsourcing and Cloud Strategy for Appirio.