
Tenable Blog


Ranum's Rants: Cloud Forum Roundtable

I recently attended the San Francisco IANS Security Forum, where Hart Rossman and I facilitated several of the roundtable sessions. I thought I'd summarize a few of the "take-aways" and useful comments from each.

Cloud Computing and Outsourcing was a lively session (as you can imagine!) with a great deal of cross-discussion. "Cross-discussion" means "yelling back and forth" only it's friendly. There were a few points that stuck in all of our minds as useful. Namely:

  • Cloud Computing is going to happen. In fact, if you think it hasn't happened, it just means you're out of the loop.
  • Cloud Computing can be seen as the business units' final revenge on IT (and security) for saying "no" one time too many, taking too long, or costing too much. The degree to which your organization's IT is dysfunctional will directly affect the degree to which business units defect to the cloud.
  • Cloud Computing can be seen as the business units' revenge on legal wrangling for outsourcing. Anyone who has ever negotiated an outsourcing contract can tell horror stories about dealing with the big IT shops. Cloud Computing's "this is the deal; take it or leave it" agreement is very appealing.
  • Cloud Computing should be thought of as a business re-engineering exercise. Several participants in the forum had gone through a cloudifying process for services (several had ditched Exchange for Google) and were pretty happy with the results. The trick is to make sure that everyone (executive management, business units, IT, etc) knows that "everything is going to change" and is behind that program.
  • The cases where Cloud Computing has garnered huge savings are those where either:
    • A new capability is being added and there is no legacy base of expectations/data/code to deal with
    • An existing capability is moved to the cloud as part of completely re-engineering it
  • People were vastly less concerned about "what if someone looks at our data?" type questions than any of us expected. Why? Because, seriously, those same questions apply whether your data is in-house, outsourced, or in the cloud. One roundtable attendee said "cloud or outsourcing don't solve or create new security problems they just let you move them around and get varying choices in terms of expense and expectations."
  • There was a universal sense that Cloud Computing is great for a business or project that is just starting out, since there's no expense for translating a legacy mechanism to a new one and it can be up and running very quickly.
  • Make sure you track expected costs and expected benefits. Don't let someone say "it'll save us millions" and not get it in writing as part of a plan with a hard timeline. That way, if there are overruns or unforeseen problems, you can compare the expected results to the actual ones and see if it was a good idea in retrospect. One of the roundtable attendees told a funny story about a business unit that was claiming gigantic expected savings from a cloud project, and, when asked for a written plan which defended those estimates, produced one that scaled the estimated savings back to 1/10 what they originally were. This was dubbed "The Amazing Shrinking Cloud Savings" story.
  • There will be new types of failures that haven't been thought of, yet. Those will be the ones that bite more than "someone is looking at my data!"

The last of those bullet points is worth a bit of extra discussion. When we started talking about putting sensitive data into the cloud, several people commented, "well, if you encrypted it, it'd be OK." And everyone around the table nodded and we moved on to the next point. I let that go on for a while and then stopped everyone and said, "OK - did you see what happened? You assumed that the solution that would work for traditional computing would completely solve the problem for the new environment. But the new environment comes with new problems. It's not just a question of 'someone looking at my data' because you now have questions like: 'what if someone deletes my dataset?' Even if it's encrypted - you're in serious trouble. There are new forms of attack." Following that, we spent a cheerful half hour thinking of new forms of attack. Our conclusion was that Cloud Computing will certainly have a few completely unforeseen "gotchas" that will spell disaster for the people who get sliced by the cutting edge. There is no opportunity without risk, though, so just treat those inevitable "oopsies" as the counter-balance to the cost-savings and time-to-market and decide if they are worthwhile.
