The cloud awaits... but is your enterprise ready for the jump? I have worked with a number of companies that explored the cloud as an option for their infrastructure, and recently I worked for two that are cloud service providers themselves. So I have often had conversations in the past few years along the lines of: “Is the cloud suitable for my business?” A good way to find out if you …
shouldn't that be...
If you really, really, really must have a cloud then create one of your own.
Having recently had the experience of waiting for 2 days while the so called fibre link to the cloud provider was repaired. If it was fibre, it was more like a length of wet sisal if you ask me. No there was no backup link... This was some 5500 miles east of silicon roundabout.
{for those who don't know} Sisal is a coarse string/rope made out of the fibres of the 'Agave sisalana' plant.
I take on board everything you say about the security of the data centre.
But the difference is that if you host your applications in your own data centre, the security is entirely within your control. How good you make it is up to you.
If it is in a service providers, you trust that their security is as good as they say and as good as your contract with them. It's that same trust question that you sensibly query when it comes to availability.
Similarly, you trust that the barriers they construct between your service and all of the other services running in the data centre, and you trust that they will not move the data/service outside of the region you've specified. It's almost certainly good enough, but if that trust breaks down, what is the comeback you've got from the provider. Check the penalty clauses in the contract.
You've also missed out a vital question. What happens if the service provider has a state change, if they get bought, or, heaven forbid, fold (like 2e2). You need to consider where and how to move your service and all it's data, and also whether there is a residual risk in your data being left in various stages of protection on equipment that includes the backup solution that may be bought in toto, or appear on the broker market.
Encryption may seem like an obvious solution, but if your service actually processes data rather than just serves it out, there will be the means to decrypt the data present on the systems that you may no longer have any control over.
This should be a valid concern. I know many have looked at this as a joke, but from what I understand, the US courts have ruled that an email provider can be searched as they have access to the data. It is no different than a secretary reading a physical memo before giving to the executive. They now have read and can be called to testify as to what they read. Does this hold true to data residing on a service provider? If you look at the security policy of mobile phone providers, they place a stipulation they are allowed to monitor for illegal activities. Guess what that means, you have signed up for government searches up front. So while this was likely a joke comment, it does hold some weight and should be considered.
Move my in house applications from a mainframe to a VAX ... never!
Move my in house applications from a VAX to a UNIX box ... never!
Move from terminals to PCs ... never!
Move my in house applications from a UNIX box to a Windows server ... never!
Move my in house applications from my network to the cloud ... never!
Worried about a 2e2 (who were more of a traditional outsourcer than a cloud provider) then use two providers and replicate your stuff.
Worried about trust? Well, as a sysadmin someone is trusting you. Why are you trustworthy? What SLA do you personally give to your company? Are you close to a breakdown? If you don't perform, how many years salary do you have to pay back to your business?
There is nothing new in the cloud. It's all simply about realising the economies and flexibility of working at scale.
Yes, we start with mainframes and end with clouds - kinda full circle really. Change for the sake of change (and $$$). Centralised computing with dumb terminals (and users) at the end.
"There is nothing new in the cloud. It's all simply about realising the economies and flexibility of working at scale."
Remember that if/when they make you redundant for the latest fad sometime in the future.
OK. 2e2 were an outsourcer, but it is not the viability of the provider nor the moving of the service that I was mainly commenting on, it is the copies of the data that will be out of your control that I was trying to indicate.
2e2 were an example. It is unlikely that Amazon or Microsoft would go out of business, but could IBM choose to ditch their cloud services in five years time if it does not return the projected revenue, or some of the smaller players decide that the margins are just too slim?
It always puzzles me how you keep any dynamic application that is hosted by two separate cloud providers in sync with each other. Do you pay to have dedicated bandwidth between the suppliers with some geographical lock in? Do you have explicit cables laid between them? Virtual circuits or VPNs through established teleco infrastructure or the Internet? Or do you run it as a distributed application with both installations processing data.
All these questions can be answered, I'm sure, but how many people really think things through to this depth before deciding to go down the cloud route. I'm sure that there are customers who are already there who are considering their DR strategy for a cloud provider failure with some trepidation.
Whilst I don't mind being called a bit of a dinosaur, I have lived through the Mainframe->VAX/UNIX->Windows/Linux transitions that have happened, and what this has taught me is that the latest cool-aid that is being served up by the marketing boys is never as simple or cost effective as the projections. Let's just call it the result of experience!
I too have worked through (most) of those phases and qualify as a dinosaur myself. We've still got mainframes, UNIX systems, Windows servers and very probably DEC VAXs (although I haven't seen one in a while) and will have for a long time to come. What experience has taught me is that a great many new things have a lot of value as an additional tool, not a replacement one. I see farms of virtual machines, both in their private and public forms (Infrastructure, Platform and Software as a service) as pretty awesome things to add to my armoury.
Risk assessment, DR planning, performance management and the rest of it are perennial problems whatever mix of platforms you choose, and it is in these areas that experience counts most of all. You have known the heart stopping bowel moving panic and you have learned from it!
"Worried about a 2e2 (who were more of a traditional outsourcer than a cloud provider) then use two providers and replicate your stuff."
I find it simpler to consider all cloud providers to be outsourcing...
IaaS = I have outsourced hardware maintenance
PaaS = I have outsourced operational IT for this service/application
SaaS = I have outsourced IT for this service/application
The missing link is DR…. DRaaS anyone?
Also, I would definitely +1 the view that you should treat security, as well as availability, as a matter of trust.
From a sysadmin standpoint, there are solutions out there that will encrypt the data even from the root or admin user and only allow access to the individuals that need the data. This encryption would apply throughout the lifecycle of the data from creation to archive. The sad part is almost no company implements this type of solution until it is too late.
I've been reading the site for a little while now but registered (pun intended) to thank Dave for this high-level article. As a recent Bachelor of IT graduate, I feel as though this article may provide very helpful interview question answers (and, most likely, be useful more generally).
Thanks in advance also to the inevitable posters who will disagree with Dave's postion(s) - your experience will also be beneficial.
And I am glad that they are, but physical access is hardly the problem.
The problem is the NSA, or other shady organisations or even criminal ones, with the ability to worm their way into said secure data centers without ever showing up at the front door and, once in, cherry-picking whatever fits their fancy. How are you going to find out that your data has been taken ? It might be because you lose an important deal to NSA's corporate spying program. It may be because your customers start getting targetted ads and leave you. In any case, it will likely be far too late to do anything about it.
Frankly, in this day and age using the old "iron door" argument as a reference for security is a tad ridiculous.
Also, the Patriot Act trumps everything, at least for now, and I believe applies to any US (Cloud) company and data they host anywhere. i.e. the US Gov can in theory gain access to confidential corporate data.
Regarding InfoSec trust - it is essential to ensure the vendor applies the same level of diligence that you apply to your own data (otherwise, why bother yourself?). I have worked across a multitude of enterprises, and have NEVER seen the correct diligence applied to vendors except where I have done it myself. Further, cloud vendors themselves are quite often guilty of misleading CIOs etc by stating things like 'our DCs have SAS70 certification' - no they don't, there is no such thing as SAS70 certification. "SAS70 is not intended to purport that a service organization has achieved an objectified defined standard for a system".
The only way to ensure such diligence is to get your requirements in the contract, audit them regularly, make them fill in a security questionnaire, and monitor them. Good luck trying to get a global Cloud provider to agree to this. The closest you might get is for them to show you an ISO:27001 certificate.
That said, most enterprises have many lower level services which don't process confidential data and therefore could be ripe for 'clouding'. Just be careful with your crown jewels.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
