Nobody Ever Got Fired For Buying Amazon

January 7th, 2009

Short Version

  1. Those who point to serious information security issues with cloud computing are on average correct;
  2. There are other flavors of business risk which work on average in the cloud’s favor, and the past history and current state of Cloud Computing strongly suggests that this technology is fast becoming a foundational enterprise tool;
  3. Re a particular adoptee’s business risk, the devil is in the details, rather than in Industry Best Practice and averages.

Novella Version

Fill in the blank - “______________ is an enterprise fad/hype/niche because of security, audit, availability, and other enterprise risk concerns”:

  1. Unix
  2. TCP/IP
  3. Personal Computers
  4. Windows
  5. Java
  6. Linux
  7. Open Source
  8. Managed Security Services
  9. VOIP

Over and over again in enterprise IT, conservative voices cry “Nay! Too risky!”, and a year or five later, the cry becomes “why would anyone do it the old way?!”, and absolutely no one will be able to point to the exact moment when we went from 0 to 1. I’ve personally suffered through this for items 1, 2, 4, 5, 6, 7, 8 and now for VOIP, SAAS and Cloud Computing.

I’ve seen the process take years, and I’ve even seen it compacted into 6 months. I vividly recall having my co-worker, an Ernst and Young senior manager, tell me over lunch at the Latin House in downtown Miami in 1997, “You know, you keep talking about this Internet thing. I think it might be big one day, but it’ll be in 20 years or so.” He was sitting directly across from me as I enjoyed the Pollo Milanesa with the fried plantains, black beans and rice and an iced tea. 6 months later Doug had transferred out of the financial audit IT general controls team to the nascent e-commerce practice to serve as their lead e-commerce guru. For my part, I was already in the Internet Security group, and I knew as simple fact that only a foolish company would outsource its firewalls. Two years later I left Ernst and Young to - you guessed it - build outsourced firewalls for thousands of customers of Exodus Communications. Exodus peaked at a $30 billion market cap by prying enterprise IT services (46 data centers worth) out of the hands of companies that were in the habit of saying they’d never let go of such things. Exodus is gone, but the world it helped create stands. Nowadays, auditors tend not to blink when you tell them that your firewalls, and most of the rest of your security, are run by some vague group of people in other corporations in other parts of the globe. There perhaps should be more blinking, but there tends not to be, except when something melts.

Of course, there are fads and fading hypefests amidst these amber waves of technology disruption, but given:

  • the sheer volume of VC money, startups, enterprise adoption and enterprise interest in the cloud;
  • the similarities of the current hype to past waves of data center consolidation via outsourcing;
  • the steady cycles of virtualizing lower layers of technology, going back at least as far as the days when the old guard cried foul that anyone would be foolish enough to program in something so wasteful as assembly language,

I’m beginning to see cloud adoption as fait accompli.

In the olden days, the saying was “Nobody ever got fired for buying IBM.” Conservative enterprise types bought IBM when they didn’t know what else to do, and it usually worked well enough. That gave way to the company that disrupted IBM, and many of us have seen companies buy Microsoft products simply because MSFT has been the dominant player. A new round of disruption is happening, and some time in the next decade, this whole conversation will seem foolish, and conservative enterprise types will likely hold dearly to what is currently viewed as a foolish fad.

As someone said more succinctly on the Google Cloud Computing mailing list yesterday:

“I believe that within 10 years we will look back and say, ‘can you believe that companies used to have to build their own data center.’”

It’s highly probable that cloud computing, and adjuncts like SAAS and PAAS, will steadily become The New Way of Doing Things for a large segment of enterprise IT. And when disruption and adoption spirals out and up in steadily broader circles, the cold fact is auditors and security types often have less power to guardrail business decisions. That’s ironic, since enterprise risk tends to be rising during such disruptive times, until the new technologies mature. If you’re in enterprise risk management, your mission is to not let you and your company become roadkill during the latest wave of technology disruption.

An analogy - if you have a lot of experience with ocean swimming or surfing, you’ll know that when you get caught in a riptide, you don’t fight the current. Rather, you go with it, because you’ll probably come out perfectly fine a quarter mile down the beach. Now, I’m trying to make a point about IT, not swimming, so the analogy proves nothing, but it’s perhaps worth a thousand words.

If you fight the riptide, your odds of drowning go up significantly. If you go with the current, your odds are best, and quite good, but you could still get really unlucky and get dragged into a nasty little coral reef.

As someone whose day job is to manage corporate risk, my role has become a notch more difficult in the near and mid terms because of the disruption of cloud and SAAS. But saying “this shouldn’t happen if you view it only in terms of information security risk” is often - on average - orthogonal to “will it happen?” That’s because there are multiple axes of risk. Consider options of:

  1. spend $400,000 capex on a new in-house replacement for that aging integration server over in the Widgets Department, which causes integrity issues upstream in a core IT system, and it’ll take you 18 months to install, during which time you’ll have to live with the integrity risk;
  2. spend $280,000 opex on an external replacement that can be rolled out in 4 months, albeit with 20% fewer non-showstopper security features?

Which version is better for the business? Which version is better for the business’ security?

Businesses have multiple risks to manage, and more so nowadays if you’ve seen the economic news. If you have to convince the decision makers that A Bad Thing Might Happen If They Don’t Listen To You, you’re going to have to get very specific and work within their risk framework, rather than pull out the usual enterprise suspects. Otherwise, you’ll lose your audience.

Right or wrong, the drive towards the cloud is still happening. The business drivers are too strong on average, and business executives have a lot of other risks to manage right now, at a time when the whole world’s economic projections have dropped by, oh, depending on who you read, about a third.

For enterprise decision makers, meaningful security risk discussions need to boil down to:

1) business-specific malign circumstances

2) with reasonably specific probabilities, and

3) specific corresponding controls provided by vendors and IT, and

4) a corresponding set of risk choices for the business.

This is hard to do even for good security teams in supportive environments. Meanwhile, the business tends to move merrily along.

Skip ahead if you’ve heard the following laundry list before, but:

- reassess what’s truly important to managing your organization’s risk. Are you just quoting from the handy Book of Best Practices, or have you identified very specific business risks with solutions you can sell to decision makers? You’re going to have to pick your battles carefully;

- are you plugged in to all those pesky departments with the big budgets which are most likely to go shopping for outside services and dump them off in IT’s lap of risk on short notice?

- have you been working with Legal, Risk Management, Compliance and The Business to define enterprise showstopper requirements which you’ll try to negotiate into every vendor partnership?

- do you have technology showstoppers defined in an accepted Enterprise Architecture Standard?

- are you ceaselessly lobbying the vendors - in vendor selection, contract negotiation, implementation, trade shows, cloud camps, blogs, etc, to upgrade their enterprise security, audit, monitoring, BCP/DR and compliance offerings?

- are you aware of the business’ strategic IT roadmap and proactively seeking out relevant vendors with good security features in their offerings, and proactively pushing those vendors towards your business buyers?

“Yes, Miss Business Line Vice President, Cloudocalypse sounds like a neat vendor partner. This cloud stuff is great. By the way, it says here they don’t support federated identity or LDAP, so that means if you choose this app in its current state of development, it’ll stick out like a sore thumb as the one major app not integrated into that enterprise SSO suite that everybody loves because everybody hates passwords. Why don’t I set up a call with Vendor’s tech team? I’m sure it’s on their roadmap. They said they’re serious about being our partner.”

Notice I didn’t mention “access control” or “policy” or “compliance” or “audit.”

These tend not to be fun conversations to have, for all parties concerned, but they’re the right conversations to have.

PS In the interest of reasonable disclosure, I own stock in AMZN. But I bought it in 1997, when I thought their whole bright future was shipping pounds of books from state to state, so make of my conflict of interest what you will. Also, I’ve been tempted to write “…For Buying Google” instead of “Amazon”, but “The Earth’s Biggest Book Store” is more of an acknowledged leadership position in clouderati circles, and I own stock in Google too, so what’s a blogger to do? I would have really liked to have written “For Buying Sun” - I’ve always had a soft spot for them - and they did put the dot in dotcom. But they forgot to get paid for it (well, Andy Bechtolsheim did angel fund Google, so that’s a fine last laugh at least for him).

PSS To all you wonderful cloud, SAAS and *AAS vendors, this is cool stuff you’re doing. But your enterprise features, the environmentals outside of your elevator pitch, the things that make us enterprise standard-bearer types all warm and fuzzy, are lacking. There’s work to be done, starting with identity and access management, and security assertion contracts, monitoring and reporting. I don’t just want to hear your sales critter say, “We’re HIPAA compliant.”

PSSS To all you wonderful old school enterprise vendors, this is cool stuff you’re doing. But your enterprise features, the environmentals outside of your elevator pitch, the things that make us enterprise standard-bearer types all warm and fuzzy, are lacking. There’s work to be done, starting with identity and access management, and security assertion contracts, monitoring and reporting. I don’t just want to hear your sales critter say, “We’re HIPAA compliant.”

2 Responses to “Nobody Ever Got Fired For Buying Amazon”

  1. Hemma Prafullchandra Says:

    Nice post Mike - what are your thoughts on identity providers in the cloud ala myOneLogin? What “things” must they support/provide for you all “enterprise standard-bearer types” to be “all warm and fuzzy”?


  2. reviewazon Says:

    Thank you so much for this post. I use the reviewazon plugin. Reviewazon is the easy and simple way to add amazon affiliate product to your website.

