Building a desk

I was talking with colleagues recently about the various types of cloud services and realized that it's not exactly easy to articulate the types - after all, it's all cloud, right?  During the discussion, I hit on the following analogy: let's say you want a desk.  You have three basic options:

1.   Buy the desk pre-built, selecting basic items such as color and finish
2.   Buy a kit to build the desk, using pre-defined options for the top, legs, and other components
3.   Buy the raw materials and build the desk from scratch to your specifications

In the cloud, option 1 is equivalent to Software-as-a-Service, or SaaS.  What you want is basically ready to go, and you can make minor configuration changes to better suit your needs.  You will probably also pay less for use of such a standardized service.

Option 2 is analogous to Platform-as-a-Service, or PaaS.  You're given a larger range of options to develop a more customized experience within the provider's range of options.  For instance, you may have only 1-2 options for programming language, database platforms, or integration with other applications.  You'll also pay more for the service because of the necessary development effort, but it may be worth it to gain the functionality you need.

Option 3 is equivalent to Infrastructure-as-a-Service, or IaaS.  Starting with "raw materials" such as CPU, RAM, disk, and network bandwidth, you can build a complete server farm in the cloud.  You have full control over the operating system, security, data, and applications in your IaaS environment to configure and customize to your fullest advantage.  However, you'll need not only developers but systems and network administrators to manage the environment, raising the cost yet again.

Ultimately, your needs (and those of your company) should determine which cloud service type is best for any given service.  Because the cloud ecosystem is rapidly changing, what works today may be unnecessarily complex tomorrow.  As long as your data and applications remain portable (by using standard protocols and languages), you should be able to continually move to the best service for your specific (and evolving) requirements.

Privacy in the cloud: an oxymoron?

Eric Schmidt has repeatedly asserted that the notion of privacy is coming to an end and that people need to simply change their ways.  While I've long believed privacy on the Internet is incredibly hard to maintain, the issue of privacy - particularly as it relates to personal and corporate data protection - needs to be considered by anyone using a cloud-based service.

What is being posted on the Internet?

I'm consistently amazed at what people are willing to post online, even amid the clamor for privacy on the Internet.  While some have locked down their Facebook/LinkedIn/Twitter accounts, many people continue to upload and post information about themselves that could be damaging at some future point in time.  Moreover, that feeling of freedom in the personal realm easily transfers into the corporate arena.  I remember having to be more careful than usual with whom I share information with to avoid it going up on Twitter 5 minutes later because some people just want to share everything.

It's critical that companies have not only policies, but also training (with examples) on responsible corporate data stewardship.  If people don't internalize when it's appropriate to share information, they're more likely to inadvertently disclose that information.

Is it really more secure when it's on your computer(s)?

I've talked to different people who are uncomfortable using the cloud for data storage because "I want to control and know who can access my data".  After many years in IT, I'm confident that even when a company owns all its IT assets, people don't know who has access to what data.  Permissions get added, but never removed.  Poor processes and procedures lead to people long gone from an organization still having access to data.  IT people the end-users have never met, like sysadmins, DBAs, and programmers, often have access to data because of inherited administrative privileges.  Often, this adds up to a lot of people.

In addition, according to the Digital Forensics Association, almost half of all data breach incidents in the past five years occurred because of laptop theft.  Of those, about 1/3 are stolen from the place of business.  In the financial industry, penetration into the corporate data center by an outsider accounted for the vast majority of incidents and records disclosed.

What does this all mean? 

To start, end-users and admins alike need to be well-versed in how to protect IT assets and data from being taken by an outsider.  Organizations also need to make sure to include physical security as part of the overall data protection strategy to help protect against theft.  IT then should enact measures to log and audit all data access, including itself.

Most importantly, organizations need to determine how best to protect data at rest and in motion and understand their own capacity to execute on those requirements.  IT and business leaders needs to take an honest look at the company and identify both what data is truly critical and what investment they're willing to make to mitigate the risk of a breach.  It may be that a cloud provider, who must ensure customer data is unavailable both to its administrators and to other customers, has invested more in security than your company has and can offer a more secure and cost-effective solution.  Decision-makers who are still locked into the narrow "if I can see the server, I know where my data is" view without training end-users and understanding all available data protection options are costing their companies in more ways than one.