Jen Boden is in the same boat as most IT directors. She's got a decade's worth of operations built up around her needs; some homegrown, some not. There's a mix and match of technologies and processes she needs to deliver to her users at a large global enterprise, including the usual suspects: financial systems, human resources, desktops, servers and storage, CRM and sales.
Like other IT professionals, Boden applauds the promise of cloud computing as an on-demand, scalable, affordable IT infrastructure she can get without much investment. Also like her colleagues, Boden is moving deliberately and conservatively to take advantage of the cloud, waiting for features like "virtual private cloud" and industry-standard security guarantees.
We engage [AWS] just like any other enterprise customer.
Jen Boden, director of IT for Amazon.com
The only difference is that Boden works for the world's largest cloud provider, Amazon.com. She's the director of IT services for the retail giant, although she has nothing to do with the main website operations (which went down last Wednesday, costing Amazon millions in revenue) or Amazon Web Services (AWS), which delivers cloud computing and other online services.
"My customers are internal Amazon employees," Boden said, speaking at an Amazon event in New York City. The company is a fairly standard example of a large enterprise when it comes to IT -- a mixed Windows/Linux shop with a widespread use of Microsoft desktop products, she said.
Amazon uses Oracle E-Business Suite Financials software for reporting and business process needs. It also uses Appian for business process management and BMC for systems management. The effort to turn her company's IT from internal resources to AWS was a multi-year effort, and part of the push was to see the reported benefits of cloud, like lower operating and investment costs, better flexibility and reliability, and partly to "drink our own champagne," as she put it.
She prefers the champagne analogy to the more common "eating your own dog food" mantra, used by Microsoft and other companies to illustrate that they are using their own products. Boden stressed that the move was mostly a business decision, not a publicity mandate.
"No one is making us do this," she said. This is not a case of Amazon CEO Jeff Bezos coming down and ordering IT into the cloud, she joked, adding that she has too much responsibility to make a decision on her IT infrastructure based on political or marketing considerations. Still, Boden said she desperately wanted to move with the times.
"We have engineers on the back-end who deal with hardware tickets when capacity gets near [to full]. I don't want them dealing with that, ever," she said. Amazon engineers can be more productive if front-line response issues were removed, but the move took a great deal of planning, she noted.
Kicking off the IT-to-cloud move at Amazon
It all started with server consolidation and virtualization, something Boden said she had already been doing and was already mostly completed. She said most enterprises looking at cloud should see virtualization within their own infrastructure as the first priority; once that is done, there is more flexibility in where and how applications could be deployed and served.
Boden said her organization is in the preliminary stages of moving into AWS -- she started with some simple, homegrown applications, such as a list maintained for HR, which her team moved to AWS successfully. Larger sections of IT operations will move later with the financials likely to be last, since they are the most sensitive to security and compliance needs. Planning began last year, and the whole process might take another year and a half.
Boden said she had to go to AWS like any other customer to sign up and use the cloud, without special treatment. That put her in the familiar position of evaluating a third-party vendor.
"It's really no different than any risk assessment that you'd do on any high-profile application review," she said. "We engage them just like any other enterprise customer."
The million-dollar cloud security question
One primary concern was security. Boden said she was only able to give really serious consideration to moving critical parts of the organization into AWS after the launch of Amazon's Virtual Private Cloud (VPC) service last fall. VPC allows users to deploy instances in Amazon's Elastic Compute Cloud (EC2) that are cut off from the public Internet. Amazon has advertised VPC, and a recently completed SAS 70 Type II security audit, as touchstones for enterprises.
The IT staff had to adjust their attitude slightly to get a real handle on cloud security, she said. Since moving to a cloud provider means giving up a good deal of direct control over infrastructure, Boden noted, security has to be understood at the application level, not just the operations level.
"We had to change our focus from asking 'How is AWS safe?' to 'How are our applications going to be secure in the cloud?'" she said.
Applications subject to external audits, like Sarbanes-Oxley (SOX) regulated financial applications, pose another challenge, but she has been negotiating and explaining to auditors how and why they can consider AWS compliant, and she thinks she's over the hump. She said that having her SOX-compliant application fully virtualized and certified made the negotiating easier; the move into AWS VPC, when it came time, would be pretty smooth.
"I don't think it's a barrier at this point," she said.
Carl Brooks is the Technology Writer at SearchCloudComputing.com. Contact him at firstname.lastname@example.org.
Dig deeper on AWS compliance, governance, privacy and regulations