Head in the Clouds, Feet on the Ground.

If there’s one topic that’s apt to get security professionals uptight – and provoke stand-up rows in the office – then it’s cloud computing. Tony Lock from FreeformDynamics recently conducted a poll on the subject in a workshop for The Register.
 
The big issue is, of course, loss of control. If you trust your information to someone else’s servers, then you have to trust their security procedures and technical measures to look after it. That makes a lot of IT professionals uneasy, for very understandable reasons. But just like outsourcing anything, there is good and bad. All businesses outsource some things – things like cleaning, deliveries and physical security (burglar alarms, etc.) – for three reasons:
 

  • It’s not their speciality. They make widgets. And they have the staff they need to make, deliver, develop and support those widgets. Other people can do non-widget related activities better than they can;
  • They don’t need the overhead, time commitment and complexity that employing all these extra people demands. Yes, they could hire their own cleaner, but it’s a lot simpler to get on the phone and let a cleaning agency take care of that;
  • It’s a lot more cost-effective that way. Our widget company could invest in a worldwide fleet of planes, vans and delivery-people but that would be ludicrously expensive when they can phone a courier company and have them delivered for a few pounds a day.

 
So three very good reasons for outsourcing: better service, simplicity and cost. These lines of reasoning can easily be applied to IT. Outsourced IT can be better, simpler and cheaper. Yay, let’s go for it, say those hotheads in accounting.
 
Where this sort of analogy starts to fall down, however, is in the risk assessment. If the cleaner doesn’t turn up, then it’s no big deal. If they don’t turn up on a regular basis, you fire the agency and get a new one. There might be a few more biscuit crumbs and sandwich remnants for the new cleaner to deal with, but no harm done, by and large.
 
If your outsourced IT services turn out to be useless, on the other hand, then the consequences could be pretty brutal. Your information could be exposed; you could lose access at a crucial moment or they could manage to lose the lot. You don’t want that to happen, because it could make you bankrupt or put you in prison.
 
But people don’t like risk-assessment, of course. It’s boring. It puts paid to a lot of exciting new things. It reminds you of your mum when you were five.
 
I hate to say it, though, but your mum was probably right.

3 thoughts on “Head in the Clouds, Feet on the Ground.”

  1. Paul Allen

    Rick, how do you detect someone watching all your internet traffic? I ask because my traffic is behaving strangely. Most programs detect me as being in Canada and I’m UK based; I don’t use a proxy, the time zone is set correctly, and this behaviour is on all machines. They are all using different AVs; one is Trend Maximum Security. I’ve scanned for malware with every malware-finding software you can imagine and nothing. I even reinstalled the machines and still I get weird behaviour, from pages that look real but are not the real page, different to the way they should look, to slow internet for no reason even though the throughput is great and the machines are fine. I also get told certain pages don’t exist in the DNS lookup, but they used to work; this happens using whatever DNS I change to, so that leads me to think that it’s someone watching the traffic for devious purposes. How do I go about catching them? I am using a proxy to write this and would prefer it wasn’t published. I’m up a creek without a paddle and no one to turn to; any help would be fantastic.
    Thank you
    Paul Allen

  2. E.Coil

    Props for the practical parallelism there (and, yeah, we need more of that “practical sense” to bridge technicalities across normal users) and for raising an issue here that, I think, most people would not readily think of at first. The human factor, again, is spotlighted, but we’re not talking about the end users any more.

    As boring and cumbersome as risk-assessment is, it has to be done–and someone (someoneS?) has to be responsible for it, else cloud computing would already be another failure waiting to be realized.
