The Cloud, Security and IT Skills

Seeing as everyone is writing about Cloud Computing lately, I thought I’d rehash some of my concerns about this ‘new’  technology. New in parenthesis because the idea is actually quite old, coming from the time-sharing Unix systems of the 60’s and 70’s. Cloud obviously takes this to a new level ( supposedly with non-stop availability ) but the basic premise stays the same.

Another reason for the parenthesis is that commercial companies continually need to invent new markets ( based on old ideas ) so they can expand their profit coverage. The main driver for commercial companies is profit, and little else. While we would like to see some companies as being benevolent, patriotic and altruistic, the fact is if they don’t bring the bacon home, the board is going to get someone else who can. Excuse the cynicism but that’s the bottom line to doing business these days.

Cloud is not new. Cloud is simply a repackaging of of existing technologies with a new spin and some new clothes. Cloud is the latest buzz-word for commercial exploitation of open and closed technologies that have been around for some time ( remember Autonomic Computing from IBM? ). Another example is centralised terminal-based computing? Think VDI and Terminal Services. Boy, the computer industry loves to rehash.

So far, the execution has been less than stellar. Two of the prime drivers for Cloud computing is application availability and reliability – something that has been distinctly lacking from major cloud vendors. Microsoft have had their fair share of outages on their BPOS platform, Amazon’s EC2 has had a problem or 2, and Google’s services have their ups and downs. If the main drivers for cloud already have this poor showing, then the future of cloud is murky, and someone will need to do a lot more to convince me to put my data and apps in the great ether.

Security is another area of concern. There have been a number of reports of Amazon’s EC2 being used to hack ( reverse engineer to be polite ) encryption and wifi protocols, amongst other things. For very little cost, one can purchase quite a lot of computing time to perform all sorts of compute-intensive activities. And certainly there are those out there who have it in mind to poke at the security of your online apps ( and sensitive data ).

And while you’re handing over the keys to your corporate app and data to a third party, this does not negate the responsibility you have to those apps and data. When ( not if ) your cloud vendor has a failure, your directors will come knocking at your door, not your cloudie. And read that fine print very carefully, because your cloudie has an out to the advertised 100% availability that initially caught your eye.

DNS registrars and Certificate Authorities are an old example of cloud computing ( in this case the narrow definition for DNS hosting and 3rd party secure certificate generation ). CAs, supposedly progenitors of our secure online activities, are falling like dominoes lately. DigitNotar, the Dutch CA, has just been taken over by the Dutch government due to their mismanagement of a potentially very dangerous situation and RSA’s SecureToken system was hacked earlier this year. These are just a small example of the many breaches that occur almost weekly.

So if the security people we trust, to ensure our security, can’t get it right, then what chance do the cloud vendors have?

A few years ago, everyone went outsourced with their IT support. That turned out to be a complete and utter mess ( I was in London when the whole Tower of Cards came tumbling down ). Now we’re chomping at the bit to give another part of business away because someone ( read commercial vendor ) said so. Why are we so quick to abdicate our responsibilities? Because that’s all cloud computing is – giving control of our systems to someone else.

If cloud computing is providing ‘IT as a service’, why can’t we effectively do this ourselves? There are a number of reasons:

• lack of skills to implement new technologies
• lack of time to correctly test and evaluate new technologies
• perceived cost of in-house IT services and support
• ‘build your own universe and don’t let anyone touch it’ syndrome amongst IT staff in SME and large corporates
• lack of due diligence by management
• lack of buy-in by management

With these hurdles to cross when running your own IT systems, no wonder some companies think it’s better to hand their systems over to a 3rd party. But cloud has its own set of issues:

• security
• legal and regulatory requirements for physical isolation
• availability
• bandwidth constraints
• recourse in the event of outages

Don’t get me wrong, Cloud Computing has its place. But as history has taught us, handing the keys to your house to someone else, is not always the best idea. Just because it appears to be someone else’s responsibility if you host with an on-line service, doesn’t mean it’s not an issue. The problem of data integrity and application availability is not solved with an on-line service, it’s simply moved elsewhere. If you’re going Cloud, do it for the right reasons. Not because someone said so or because it’s the latest buzz-word.