Dale Vile, Open Reasoning

Some back to front thinking in evidence?

One of the most frequent concerns about cloud is security. Andy Buss
and I were discussing this the other day as part of a research scoping exercise. We are currently designing a study to look at the risk related aspects of Software as a Service (SaaS).

Something we always try to avoid in our research and analysis is falling into trap of generalising too much. In this case, it was important to acknowledge that businesses vary significantly in terms of their risk sensitivity, e.g. based on the degree to which they are regulated, the amount of confidential or personal information they handle, their operational dependency on IT, and their general risk awareness. Attitudes to security therefore range from extreme paranoia at one end to total complacency on the other. And even within a given organisation, some systems and data will be regarded as highly sensitive, and others will not.

The logic then goes that categorisation of applications based on their risk profile is a good place to start when considering which requirements lend themselves more to cloud based deployment from a security perspective.

So far so good, but then the conversation with Andy got really interesting.

The unspoken working assumption to this point was that application profiling would allow organisations to identify low risk candidates for initial cloud activity. To put it another way, if you’re concerned about the hosted services model representing a security risk, then gain some initial experience with less sensitive applications for which security is less of a consideration.

The trouble is that for many small and mid-sized businesses, it could be argued that such advice would be flawed. Whatever the current perception, the reality is that a reputable service provider will almost certainly be able to manage application access and information security better than the majority of smaller businesses (and arguably many larger ones), so data and transactions would probably be a lot more secure in a third party hosting environment. The reasoning here is not rocket science, even though it may not be obvious to many. Service providers have the economy of scale to justify investment in top-notch technology and skills in a way that SMBs, with the best will in the world, could only dream of.

As responsible analysts, perhaps we should therefore be turning the logic on its head and advising at least some organisations to prioritise putting their most sensitive rather than least sensitive applications and data sets in the cloud first. While the original opposite view might be intuitively appropriate, that would be simply pandering to ignorance and ill-considered prejudices.

As this point, I can almost hear the abuse being directed at whatever medium you are reading this on – “Bloody naïve ivory tower analysts that have never done a real day’s work in the real world giving us bloody stupid advice about putting our most sensitive data into the hands of ‘fly-by-night’ cloud upstarts? They should get themselves a proper job and stop writing such crap”.

Then again, maybe this line of reasoning has got you thinking, which to be honest, is all I am trying to achieve.

In the real world, of course, it’s not legitimate to provide sweeping advice like the above. But neither does it make sense for those in IT to make sweeping generalisations about whether cloud services are or aren’t a good idea, on security or any other grounds. The point is that it needs some thinking about, and sometimes the most obvious conclusion can prove to be incorrect in many scenarios.

It’s for these kinds of reasons that one of my other colleagues, Tony Lock, and I put together a paper entitled “Applied Cloud Computing: A practical guide to identifying the potential in your environment”.
In many respects, this was a reaction to all of the generalised opinion we hear on both sides of the house, as both the evangelists and the sceptics are guilty of the same crime in this respect.

The reality is that it’s all about context, and what’s appropriate or meaningful in one situation could be a total non-starter in others. Then there are those grey areas where it’s difficult to call it either way. With this in mind, after almost a quarter of a century in IT, I am still waiting for an example of a technology or approach that is universally right or wrong regardless of the circumstances.

Meanwhile, if you are interested in a more practical treatment of cloud computing, including some down to earth thoughts about security, integration, management and the general impact on the IT department, you can download the abovementioned paper from here.

Share

Comments

Leave a Reply