Home / Blogs

Clouded by a Convenient Illusion

In a relatively short time, the phrase “in the cloud” has become a term of art when talking about the internet. A quick Google search shows nearly a million uses of the phrase in the past month, a 3x increase from the same period in 2009. But, what does it actually mean to have your web site, your software, your data, or anything else “in the cloud?”

“In the cloud” is derived from “cloud computing,” which in turn is just a new term for distributed computing, where data-crunching tasks are spread across a variety of different physical processing units. This was common in mainframes in the 1960s, and later the idea of distributing processing across cheap PCs running Linux became popular in the 1990s.

The nineties also saw the advent of computation distributed across computers of different types, belonging to different people:

SETI@home, uses volunteered computers to search for patterns in transmissions from space; Scott Draves’ Electric Sheep has participating computers render complex, beautiful abstract animations, some of which have won awards.

Where it seems to have changed is with the creation of what you might call “clouds for hire”: Amazon Web Services offers both computing and storage platforms, as does Rackspace Cloud Computing and a handful of others. These have become popular ways to operate new web services and similar offerings, cheaper and easier (some say) than dealing with physical hardware yourself.

The botnets used in nearly all forms of cybercrime today, which are made up of tens of thousands of virus-infected computers (unbeknownst to the computers’ owners) are a less palatable example of distributed computing.

These botnets in particular illustrate that the concept of the cloud as a magical place where data goes in and data comes out on demand, nothing to think about, nothing to worry about, with no responsibilities of your own…it’s a convenient mental image, but in nearly all cases it’s simply wrong.

The Amazon cloud is actually a series of computers owned by Amazon, physically located in facilities they own or lease. The Rackspace cloud is similarly owned by Rackspace. These computers and facilities are subject to security breaches, backhoe attenuation—and legal jurisdiction.

the cloud is magic
swift, robust, reliable
except for rackspace

hungry programmer Charity Majors, complaining on Twitter during an apparent Rackspace outage

Along with physical locations and ethernet cables, the various computers that make up those clouds also have IP addresses. When your cloud-based process communicates with the rest of the internet—to send email, perhaps—the remote server that it’s talking to sees that IP address as the source of the transmission. But as Reddit and others have been discovering, that IP address is in most cases shared with everyone else who uses the cloud—possibly including spammers, or other bad guys. A virtual server “in the cloud” can even be infected by a virus and become part of a botnet.

As the popularity of cloud-based services has grown, so has the apparent applicability of the phrase “in the cloud.” It now appears to refer to any processing or storage which takes place outside of your own desktop, laptop, or mobile device. I’ve heard people talk about keeping their email and calendar and contacts “in the cloud” when all they’re actually doing is letting Google Apps or Apple’s .MAC service host it.

Are you all just saying Cloud when you mean Internet? Have I lost it?

—software developer Jim Van Fleet, on Twitter

This use of the phrase seems to be predicated entirely on the concept of the cloud as a place where you have given up all responsibility for your data. These companies will take care of you (except when their Terms of Service say they don’t have to.) Not everyone wants to operate their own mail server, or write their own calendar synchronization application; hosted email and other “software as a service” offerings absolutely can make sense, so long as you’re aware and comfortable with the idea that you’ve given up a large measure of control.

And that’s the important thing to consider before relying on an Amazon-style distributed computing cloud, or using web services like Google Apps. How much control do you need over security, privacy, uptime? How can you be certain you’re complying with all relevant laws when you don’t know which jurisdiction your process is running in? Who else is sending email from that same IP address? What will happen when the federales show up with a subpoena?

All of these things are well-understood for traditional computing, and even for colocation situations, but industry understanding and best practices around cloud computing are still emerging—hampered by the ever-widening, increasingly cloudy meaning of “in the cloud.”

When it comes to sending email, I’d have to strongly advise against using clouds. Even if it makes sense to host your web site and run your processes from the cloud, use an ESP or a reliable relay service to send the email.

Above all else, don’t be swayed by the illusion of the cloud. You can’t touch it, but someone is still held responsible. You can’t see it, but someone can still be subpoenaed. Someone can trip over a power cord, or go out of business, or get bought by your competitor. Whether you trust that someone is up to you.

is the cloud down? I can’t log in, and my keyboard is wet.

—an anonymous smartass

By J.D. Falk, Internet Standards and Governance

Filed Under


I don't think you get the point here Phillip Hallam-Baker  –  Jul 28, 2010 12:36 AM

‘The cloud’ comes from people drawing up network architecture diagrams and drawing a circle round the bits that THEY do not want to have to think about.

That is not the same as believing that nobody should think about them or that the quality of service does not matter. What they are saying is that they want someone else to be thinking about availability and uptime and security and power and racking and everything else.

The idea that having someone else managing your server is unacceptable is ridiculous. What are you going to do, live in the server room and guard it yourself? Because unless you are prepared to do that you are going to be putting your trust in someone else. And maybe your ability to spot which employee has picked up a drug habit and which one has gone screwball after his wife left is not as good as an outsource provider can do the job for you.

For 90% of all the companies in the US, good, competent IT talent is going to be the exception, rather than the rule. They are doctors, lawyers, small retailers, verminators, architects and welders. They know that they want high reliability and security but they have no idea how to achieve that. And they don’t care. Nor should they. When the outsource market is mature the surviving players will all be able to deliver far more reliably than these companies can do IT for themselves.

The issues for the rest are more complex. The idea that an enterprise that has already built out a data center of the right size is going to realize huge savings by ‘going to the cloud’ is ridiculous. But there are plenty of beltway bandits trying that scam on the federal government.

If you have security needs, outsourcing is very likely to work for you. Because getting a SAS70 or equivalent is a really tedious and expensive process. Building out high security data centers is expensive. In fact I expect that ‘cloud computing’ providers are going to find that they are spending considerably more time and effort taking care of their customer’s data than the customers would themselves. The reason for this is simple, there are very few people in any company that have really sensitive information belonging to the company itself and much of that is only sensitive till the press release. Now consider the consequences of disclosing confidential customer-owned data. There is no instance in which a breach is not a very, very serious issue. Only some corporate data is sensitive but all customer data is.

Clearly there are going to be instances where the cloud is not the right fit. But the idea that it is never the right fit is simply wrong.

The one part of the cloud story that I do not accept is the idea that it is going to automatically save vast amounts of money and that this is the main reason to do it. I have watched many ‘outsourcing’ efforts in menial jobs. Cost savings are invariably cited as the incentive, but they very rarely materialize unless the previous system was grossly miss-managed. The costs may go down in the short term but they go up again over time. The real advantage from out-sourcing those jobs comes from senior management being able to let another company worry about those matters and focus on the issues that are going to really drive their bottom line. Chances are that the procedure for sanitizing the bathroom stalls is not going to be one of them.

Twitter could never have grown as fast as they have if they managed their own systems in house. There is simply no way to grow a competent, efficient IT staff and build out datacenters from scratch to meet that kind of growth. Outsourcing to the cloud gave them agility and the ability to precisely match ability to demand. The cloud worked for them and it is going to work for a lot of companies. But that does not mean it is going to be the right choice for every company.

Security is clearly going to be a major factor in making cloud computing decisions, but don’t assume that the security benefit is automatically with the status quo. I have seen people trying to play the security card throughout my career. First time I saw it was when it was ‘obvious’ that mini-computers could never be as secure as mainframes. Then it was ‘obvious’ that Unix could never be as secure as VMS and after that Windows could never be as secure as Unix.

Security is certainly a consideration, but it may be the reason you go to the cloud rather than the reason you stay with the status quo.

Philip, thanks for the comments -- they're J.D. Falk  –  Jul 28, 2010 2:02 AM

Philip, thanks for the comments -- they're probably substantial enough for a new article. I'm sorry if it sounds like I'm against all cloudy stuff. I'm not; I use many such services myself, including publishing on CircleID. The point I'm trying to make (once the article gets around to making a point) is that "the cloud" is not so ephemeral that you can ignore all the real-world concerns of jurisdiction, uptime, etc. This doesn't mean those concerns should stop you from using software as a service where it makes sense to do so, but you still have to think about them -- and I think that the best place to start thinking about them is to bust through the illusion and realize that "the cloud" is actually a set of services operated by companies on your behalf. And I've also drawn whiteboard diagrams with a picture of a cloud, then labeled it "porn and pictures of your cat." It was, and is, a convenient illusion.

The shorter point I originally meant to Phillip Hallam-Baker  –  Jul 28, 2010 2:13 AM

The shorter point I originally meant to make is that the point of putting the services in the cloud is so that the person that puts them there does not have to think about all the details. But the decision has to be that someone else thinks about those issues, and not as many seem to imagine that the issues are not thought about at all. Part of the problem here is that the notion is so fuzzy that it has become like 'object oriented', what was once a fairly precise technical term quickly became marketing b/s. It means what people want it to.

another article J.D. Falk  –  Aug 10, 2010 4:43 PM

Over at Computerworld, Steven J. Vaughan-Nichols (who I remember clearly as being one of the very first clueful reporters covering the internet) makes some similar points, backed with more research:


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet




Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign


Sponsored byDNIB.com