Security in the Cloud and other (unscripted) musings from leading industry experts

Posted on July 13, 2010


In yesterday’s post “Calculating Digital Capital and what it means to traditional ERP vendors” I had referenced an article by DK Matai that appeared in the July 12th edition of the Huffington Post.

The article is titled “Digital Capital and Cloud Computing’s Asymmetric Risks,” and I focused predominantly on the Digital Capital aspect of Matai’s musings as it related to traditional ERP vendors.  Today, we will focus on the Asymmetric Risks, as the author called them, as well as other key attributes associated with computing in the clouds.

What is an Asymmetric Risk?  Of even greater interest is how these purported risks impact an organization on a practical level.  According to Matai, its “manifestation” can take many forms including “a brand name built up over a century or more” that may “lose credibility within a day” because the “personal data of a million customer profiles with names, addresses, family member details, purchasing habits, has fallen into the wrong hands.”

This to me is reminiscent of my interview with Richard Stiennon, acclaimed author of Surviving Cyber War, who was named “one of the 50 most powerful people in Networking” by Network World Magazine.  Stiennon and I talked about the nature of the risks that are faced in the virtual world, the level of attacks that are already happening every day in the here and now, as well as who must ultimately assume the lead in both policing and preventing security breaches.  For those who may not yet have had the opportunity to tune into the May 7th interview “Surviving Cyber War” with Richard Stiennon, you can access the broadcast on-demand through the following PI Window LINK.

So while Matai presents an insightful overview of said risks, the majority of his observations were limited to a conceptual, 10,000-foot-level view.  In short, while the article is both engaging and effective in terms of getting you to think about the various elements of cloud computing, it did not provide the substantive, real-world detail of an in-depth perspective.

Fortunately, the subject matter is one in which there is no real absence of interest or dialogue.  So when I received an e-mail from IACCM’s CEO Tim Cummins asking if I had any “insight to leading thinkers on cloud computing and the public sector,” I thought that this presented the perfect opportunity to delve much deeper into a topic that warrants attention beyond the realms of security alone.

To start, the first person that immediately came to mind was actually a fellow panelist with Tim during our Washington Roundtable discussion on Transparency in Government Procurement.  By the way, to obtain your complimentary copy of the Transparency in Government Procurement white paper, simply activate your free subscription to the new Essential Connections Blog through the following LINK.

I am of course talking about Karen Evans.  Evans, who I had referenced in yesterday’s post, was the CIO for the U.S. Federal Government and oversaw the development of over $70B spent by the federal government in Information Technology and associated services.

Her accomplishments included Homeland Security Presidential Directive 12 regarding authentication; IPv6; Information Sharing Initiatives; Cyber Security; privacy, to address the interests of the citizens and government; improving government services through the use of technology; and leveraging the federal government’s buying power and requirements with the establishment of the SmartBUY program.

Suffice it to say, you can understand why I had suggested that Karen would be the ideal initial point of contact for Tim relating to his query.

Over the days following the “re-introduction,” Tim and Karen exchanged several e-mails, and as I read each one with great interest, I thought that this type of unscripted dialogue would serve a useful purpose in delivering both an experienced and tangible perspective on cloud computing in general and on what security in the clouds really means.

Karen Evans

Hi Jon and Tim

What do you want to know?  Cloud implementation is very big here in the States.  Congress just held a hearing on it . . . because of security etc etc. . .

Tim Cummins

As you know, there has been a lot of talk about what can be achieved (with cloud computing in the government sector), but the examples of large-scale implementations are few.  Given the current state of (government) finances, “cloud” is viewed as an area that may offer substantial efficiencies, yet clearly they are not painless or risk-free.  Hence I believe that the major interest is in finding points of contact where there may be mutual interest in discussion, at both planning and implementation levels.

Karen Evans

As you, a lot of vendors are saying they are moving to the cloud . . . Actually this is what the US has been moving towards with the lines of business approach and then consolidation . . . and now the cloud.  The issue is the cloud.  There are pockets of implementation.  NASA runs a cloud service.

Security is the big issue here as well.

Tim Cummins

In general, the challenges seem to be:

  • individual providers of core software (SAP, Oracle, Microsoft) are struggling with the dramatic shift in the economic model of cloud versus traditional license.  They would probably also prefer to keep direct control of the customer and are therefore threatened by the development of “consolidators” who would then be the customer interface
  • the consolidators are in many ways struggling to define their added-value.  Unless they will take added liability for security, performance etc, their only added value would be in reducing the number of separate interfaces – but that is not exactly a high value/margin business and scarcely a compelling value proposition
  • customers are often enthused by possibilities, but they are in fact dramatic.  Shut down data centers?  Eliminate help desks? Terminate licenses? And then on top of that are the security concerns, not just over data etc but also regarding reliability of service, continued access, etc

And behind all that, there are growing concerns about IBM’s virtual monopoly of the mainframe market – which is quite ironic, when you recall that IBM almost went bust because of its old mainframe strategy which was suddenly surrounded by the departmental computers and the PCs . . .

Karen Evans

OK . . . but I would somewhat disagree with point number one (above):

  1. “struggling” with the dramatic shift
  2. maybe even agree with the “direct control of the customer” . . .
  3. but not sure on “threatened by the development of “consolidators” who would then be the customer interface”

Number 3 is our “integrators” and I would submit they are more concerned . . . once you get the cloud then, you don’t need the integrators as much because much of their work is already done by the cloud itself . . .

Tim Cummins

We may be agreeing here, not sure!

The big providers never have liked integrators much, they certainly prefer to maintain a direct interface, which outsourcing sometimes challenged.  So now with cloud, they would prefer if they can avoid either existing or new integration . . .

And for those who would like to integrate (e.g. the big outsourcers) I agree with your comment; it is very hard for them to define quite what value they bring to the equation, unless it is in terms of increased responsibility for performance, including in areas like data security.  But that is very risky for them, because it is hard to see how they can reduce exposure . . .

If all they can offer is the simplification of a single point of contact and perhaps some discount because they negotiated a tougher deal, then I guess companies like Amazon will indeed become the new integrators, at least in the SME and consumer markets.

Karen Evans

I think we are (in agreement):-)

Closing Commentary

Besides providing very real-world contemplations of what computing in the cloud actually means, including concerns with security, the above e-mail exchange between these two thought leaders presents an accurate picture of both the possibilities and the challenges associated with moving to the virtual world of the Internet.

One point that I found interesting, and that is certain to stimulate some discussion, is the reference to the SAPs, Oracles and Microsofts, and their struggle with the “dramatic shift in the economic model of cloud versus traditional license.”  This, as well as the other related points, gives further credence to Evans’s statement that “computing in the clouds is really just “optimizing the use of infrastructure” and is therefore a commodity versus being an actual service.”

The real question is: how will these former industry giants, like an SAP or Oracle, make a viable transition to a cloud model without going through the pain of the cultural DNA transformation of an Ariba?