Lawyer Bait

The views expressed herein solely represent the author’s personal views and opinions and not of anyone else - person or organization.

Wednesday, January 11, 2012

Cloud Security - Is cloud the industry Monorail?

For those of you not familiar with the Simpsons animated TV series, the title of the entry comes from Episode 413 - Marge vs. the Monorail. It became a widely used reference for ideas that could not stand up to logic, but became real when people's passions overtook their logic. In a nutshell: after Mr. Burns is caught storing his excess nuclear waste inside Springfield Park’s trees, he is ordered to pay the town $3 million. The town is originally set to agree to fix Main Street, but the charismatic Lyle Lanley interrupts and convinces the town to use the money to buy one of his monorails. Of course it doesn't work as advertised, and there is a major safety issue that ends up threatening the town.

So what does this have to do with cloud?

Cloud is the latest IT buzzword that is having massive dollars thrown at it in an effort to provide all sorts of things: flexibility, elasticity, new paradigms of computing; the list goes on. What cloud didn't do early on was provide sufficient security, and so a new moniker was thrown out - the Private Cloud. That was the veneer on security for the cloud. Then cloud evolved again to hybrid cloud, where you could mix and match Private Cloud and Public Cloud based on the data that was involved. Ta da! We fixed it. Or so we thought.

Look, I get cloud. I love the idea of cloud. I think we will see the development and creation of even more paradigms that evolve over time, but let's not forget the basic tenets of moving things outside the castle walls:

1. You are buying an SLA (Service Level Agreement). You are not buying a Cloud.
2. You are buying Risk. You are not buying a solution.
3. Your Cloud will only do what it is designed to do. If your processes suck, they will suck in the Cloud too.

When I read articles about outages - especially cloud outages - I look a lot deeper at what happened. Customers seem baffled (a.k.a. pissed off) that the cloud went down. I ask: well, did you design it to include the movement of data, workload, and storage, and ultimately, were you willing to pay for a level of redundancy you THOUGHT was included but wasn't? Remember, you bought the SLA. You paid for the risk you were willing to accept. You made the call. The cloud did what it was supposed to. It failed when the site went down.

In all of the articles I have read, I have not seen any coverage of the type or tier of facility the Cloud is housed in. I'll bet I could offer Cloud served from the island of Jamaica for pennies and I would get laughed at. However, if I offered cloud for pennies, my salespeople's phones would ring off the hook. What's the difference? Disclosure. Assessing risk. And not assuming that the Cloud is what you THINK it is.

The Cloud is what you design and pay for, whether it's in Jamaica in the back room of a Rum Bar or in a Tier IV facility in Silver Spring, MD. The rules that are in the real world still apply in the Cloud world.

If it's highly valuable, treat it that way, and design it accordingly. Don't buy a monorail, no matter who is selling it.