Clear thinking on cloud services

Do your homework before selecting a cloud service provider, advise experts on the subject.

"Be cautious, but be open minded," says Rick Franckowiak, director for systems engineering at the Pharmaceutical Research & Development IT organization at Johnson & Johnson. Focus on the full impact of your decision, including cost of ownership and the processes behind the cloud service. "Consider the tradeoffs," he says.

Conversely, and yet similarly, here's guidance from a service provider: "Cloud computing is a fantastic innovation," says Brian Boruff, VP for cloud computing at systems integration consultancy Computer Sciences Corp (CSC). "But be careful."

You want the benefits of the cloud in highly trusted way, and options within that boundary, he says. "The cloud is potentially disruptive. It changes the dynamic of who owns the capital, leading to business concerns."

Franckowiak is one year into an evaluation of cloud services based on a few use cases he developed, applications focused on peak-demand computing and scientific applications. "These are not high-risk applications involving sensitive data," he says. Technical considerations must certainly be evaluated in selecting a cloud service provider, he says, but the evaluation should also encompass how to manage security and data, as well as business-case understanding.

Franckowiak notes that some biopharma companies are looking only for commodity-based hosting. "That's valid, but it's not what we were looking for," he says. "We wanted to extend our current grid architecture [see previous coverage], focusing on large volumes of data in addition to the peak demand computing. We may get a need to run scientific modeling applications--requiring as much as 2000 compute nodes that we can make parallel-or we may need capacity for a couple of days and then shut it down."

He advises that cloud shoppers scrutinize services that address both their peak demand needs and their high-volume computing requirements for next-generation sequencing infrastructure. "Take a look forward," he says.

"We have a draft framework," he says. "We're now getting back together with the pharma companies [collaborators] we've been working with." They include Eli Lilly and Merck.

Boruff of service provider CSC says that the top issues among his pharma clients and prospects are security in the cloud, agility, and cost.

"Look at data security, data protection, data ownership," he says. "Life sciences companies have regulatory compliance laws governing certain kinds of information--that used in FDA approvals and HIPAA compliance, for example--that can't leave the country. Some cloud vendors, even large ones, can't guarantee that. Life sciences companies have to inspect providers to make sure they comply with regulatory laws."

Security is no issue to skimp on in terms of cloud-service research. "Ask a lot of questions," says Boruff. "Where is your data stored; how do you know who's using it?"

In spite of the current emphasis on cloud security, Boruff says that concerns are not overblown. "You can be thrown in jail and fined for not following regulatory laws. And we're moving into a world--given the current economy and the recent financial crisis--in which more regulations are coming."

Franckowiak concurs regarding the importance of security. "It's way up on the list. It's the number one issue I hear from most people, both Johnson & Johnson management and some of the researchers."

But he adds that "the perception is bigger than the reality. It's not like the Wild West; not as open as perceived by some. There are some frameworks out there, and vendors understand that security limitations could limit their business."

Still, he's developing internal security policies, rules and guidelines so people understand. "We're now taking low-risk opportunities to cut our teeth, but that will change over time." He also says that buyers need to look at machine-level encryption. Internal J&J people go through checklists so they don't open up the company to the potential for a security breach.

In addition to security, agility is another one of the top cloud-evaluation criteria. "The question is whether you can rent storage and computing," says Boruff. That's right at the heart of Franckowiak's peak demand computing issue.

To illustrate agility, Boruff recalls an Eli Lilly calculation that demonstrates the disruptive nature of cloud computing relative to traditional on-premises IT infrastructure, in a peak demand situation: Capital acquisition of a new server can take seven and a half weeks through corporate channels, according to Eli Lilly; a 64-node Linux cluster, 12 weeks. Comparable cloud computing service acquisition times: three minutes and five minutes, respectively.

Franckowiak agrees about the need for agility. "It's not that easy for us to increase scale now-due to the lead time needed for infrastructure capital spending-and then scale down," he says. "In the past, we believed we would have ever-increasing compute demand and meet it with capital acquisitions, but business conditions can drive down that demand so you no longer need it. You're left with assets you don't need. It's an ever-changing environment."