With the increasing maturation of cloud vendors and the expanding suite of services they provide, it is no surprise that the adoption of cloud computing is on a meteoric rise. Recent surveys indicate that more than 75% of companies adopting cloud services utilize more than one cloud vendor in their enterprise. This multi-cloud approach can emerge for a variety of reasons both intentional and not so intentional. Regardless of the reason for utilizing multiple cloud vendors, there are some important factors to consider before distributing applications across vendors. This is especially important for companies just getting started with cloud computing. Using a single vendor for all cloud computing needs has several advantages.
Disaster Recovery & Business Continuity
A common argument for a company using multiple cloud vendors is to prevent vendor lock-in and reduce the impact from a data center outage. While this can be a frightening prospect to some who consider it putting all of their proverbial eggs in one basket, it can be misleading to make that conclusion. We are no longer living in a time when choosing a hosting provider means an application is deployed into a dedicated set of server space in one data center and a failure of one internet link brings the whole operation to a halt. The major cloud providers are globally distributed and the choice to scale out or scale up is sometimes just a matter of a few button clicks to set up a duplicate infrastructure on the other side of the world. While shifting workloads from one vendor to another may provide a path to business continuity, the ability to switch from one another is not as easy as it appears.
Application Design and PaaS
Designing and building applications to the lowest common denominator across vendors increases the complexity of the application development and may result in writing more code than necessary. With the wide availability of cloud services, the strategic advantage is no longer just hosting applications in the cloud, but utilizing the integrated capabilities of a cloud provider fully. For example, if we have an opportunity to build an application that fits perfectly with Microsoft BizTalk Services, Azure Event Grid and Azure Active Directory, there would have to be a pretty compelling reason not to use those services and opt for writing custom code for the sake of portability. Those PaaS offerings don't reside in any other vendor than Microsoft Azure, but there is no way anyone would want to recreate the complexity of those PaaS offerings to avoid vendor lock-in. This solution is not able to be migrated to another cloud vendor, but when designed and built for distribution across one or more regional data centers, the application can be robust enough to handle a fail over into another region.
Security and Monitoring
This is probably stating the obvious, but keeping electronic resources secure is difficult. The threats that all organizations face daily are real and the complexity is advancing at an alarming rate. One of the core tenets in securing anything is to reduce the attack surface area. The bigger you are, the more places you can get hit. It is no surprise that each vendor likes to apply security a little differently. While this is to be expected, it also creates a nightmare scenario for operations staff that are tasked with keeping the enterprise secure. The more services, applications and resources that get spread across multiple clouds, the harder it is to maintain a consistent, secure set of policies to make sure everything is safe. Auditing and reporting threats must be in real time or even better, predictive to stay ahead of those who are out to create havoc. While there are third party services and tools that can be used to simplify some of these tasks, it is a daily struggle that cannot be overlooked or underestimated at the effort needed to keep everything running smoothly.
A big concern to most organizations is identity management. Most enterprises use a directory solution to store users, groups, and roles. Adding new employees and deactivating accounts are common tasks. It is extremely important to ensure that the right people have access to the right resources - the last thing an organization needs to do is make this a more arduous process than it already is. Taking this one step further, many employees are looking for ways to avoid typing their passwords fifty times a day. Solutions such as multi-factor authentication and single sign-on are common features and no longer a nice to have. If security mechanisms are scattered across clouds, this becomes brittle to implement and could expose your organization to a potential security risk.
Another area to consider when using multiple vendors is the complex task of application deployments and DevOps. Deploying a single application into the cloud is hard enough to configure and automate the CI/CD pipelines. Even if the application is deployed using containers, each of the major cloud vendors has a slightly different implementation and set of features available. The result is that system administrators would need to manage different sets of automation scripts depending on the cloud vendors that are being utilized. Monitoring the health of an application with or without a container service will be different across vendors thus further complicating the process of automated deployments.
Hiring and maintaining a staff of cloud subject matter experts is more difficult when multiple cloud providers are involved. Typically, each vendor has different techniques for performing similar tasks and staff members would need to be aware of the subtle differences. These subtle differences often result in a skills gap or having roles on your team that are difficult to fill. Due to the rate of change in cloud computing, employers need to be prepared to support their staff with consistent training opportunities and ways to stay abreast of the new features and services vendors release monthly. All of the top cloud vendors have updated certification criteria and exams within the past year indicating that cloud skills that are more than one year old risk becoming outdated if not continually nurtured. Keeping up with the changes within a single cloud vendor is a full-time task. Without a large enough staff, trying to manage changes across multiple vendors' service offerings can be nearly impossible.
At some point, someone must pay for the services and computing cycles that are used. Using a single vendor allows for faster cost analysis as the compute, storage and data throughout can be directly reviewed and related to other runtime analytics. This also provides more concrete results when calculating ROI and developing budgets for scaling out, scaling up or deriving estimations for the cost of developing similar applications. Based on the topics discussed in this article, cherry picking services from multiple cloud vendors based on price alone is counterproductive as the cost of business continuity, application development, security, DevOps and recruiting will also increase the overall cost of the application over time. These costs are far more problematic to account for and hide the increased cost of operations.
Multi-cloud is not necessarily an end goal, especially for an organization that is just starting to use cloud computing. When undertaking a cloud engagement, I advise clients to look at the implementation options in the following order: single cloud vendor, hybrid configuration integrating on-premises resources and a single cloud vendor, multiple cloud vendors. The initial analysis should focus on the features needed from a cloud provider to support the organization and their applications along with the maturity of the organization to be able to support hosting applications in the cloud. Cloud vendor lock-in should not be the primary consideration that drives companies to go out of their way to try to use multiple vendors. Using a single vendor to start with is a good way to determine why using more than one vendor should be considered. If an organization has applications that can never fail or have an occasional outage and they are not able to host applications in multiple regions, then utilizing a hybrid model or having a multi-cloud strategy as part of disaster recovery or business continuity would be something that should be considered early in the analysis and discovery phase, but only used when all risks have been weighed against benefits.