Today I caught all the sessions from ISACA’s all-day “Security and Compliance in the Cloud” conference. There were several really great speakers.
First, some general thoughts. If you think about it, infrastructure management is a desirable thing to outsource. Often it requires a lot of maintenance, and many of the tasks can be scripted. So why don’t more companies outsource infrastructure? Mainly because it’s complicated, and security and audit concerns are often showstoppers.
So from those challenges grew a new industry in which 3 levels of service (service models) evolved, as defined by NIST:
- IaaS (Infrastructure as a Service) – the provider manages the hardware and network, the client manages the operating system and applications.
- PaaS (Platform as a Service) – the provider offers a development platform, the client develops and deploys platform-specific custom software to run on the provider infrastructure.
- SaaS (Software as a Service) – the provider offers a direct consumer-application that is hosted in the cloud.
Dave Cullinane (the Chief Information Security Officer (CISO) and VP at eBay) brought up the announcement of Microsoft Office 365 a couple of months ago, which is a web-based, cloud-hosted version of Office Enterprise Services (every component of Office, including Exchange/Outlook and SharePoint) that can be made available securely to users for ~$24/person. It’s simply not possible for local infrastructure and volume licensing to compete, even approximately, with that. He describes this as the future. Consider that 2/3 of a company’s budget is often dedicated to simple “overhead” like patching, hardware failures, staffing, security breaches, etc. Dave said that typically, for the cost of the DBAR/Business Continuity budget that most companies have, you can REPLACE your in-house infrastructure with cloud services. Even if that is only 10% correct, you’re talking about savings of millions and millions of dollars each year. The economy of scale here is just astronomical!
Another issue is capacity. One of the worst things that can happen to a company, technically, is that it is successful. YouTube averages 25 hours of video uploaded for every minute that passes, every day. Think about the storage capacity. Think about bandwidth!? eBay talked about 250 Gbps of bandwidth being steadily consumed during high-volume days. Google enjoys 1 billion… wait, let me write that out: 1,000,000,000 searches per day. First, you need to plan, implement, and then maintain all of that hardware. Then, you have to protect it from outside as well as inside threats. Infrastructure is a money hemorrhage for any company. Again, the things that stop people from outsourcing it are complexity and security – but “the cloud” initiatives are addressing this remarkably well. If they do, why wouldn’t a company transition to cloud-based infrastructure?
So, I tend to agree that cloud infrastructure is absolutely inevitable, and it’s already very much a real thing, right now, today! This isn’t speculation about 5-7 years from now; eBay, for example, is actively and aggressively moving to use more and more cloud infrastructure, today.
Right now, Amazon EC2 (Elastic Compute Cloud) offers very reasonable pricing, including “pay as you go” offerings. Microsoft of course has its Windows Azure (PaaS), SQL Azure, which is like a cloud-hosted database instance, and Azure AppFabric, which is software that can be installed on a Windows Server to host a private cloud at your company. If you later want to transition to Microsoft’s infrastructure, it’s very simple.
But wait, it can’t be that simple right? Correct. Another speaker that really stood out was Joseph C. Granneman. He talked about a lot of the very practical concerns around going to cloud computing. For example here are just some of the interesting points he brought up:
- Multi-tenancy and how do you keep your data secure from the Cloud’s other customers?
- How do you keep your data secure in general – in transport, while being stored, backups?
- Availability – what strategies do you use to keep your company connected to the internet, because out there is where all your data is! If your internet connection goes down, that’s like losing power to your data center!
- DBAR/Business Continuity – how does the cloud recover from a disaster? What if they take too long to come back online?
- Because your data will be near other customers (of the cloud company) – what if your hardware is seized as part of an arrest or investigation? What if your data is included in a case and becomes a matter of public record? Ouch.
- What if the cloud company goes out of business or is sold, what becomes of your data and your backups?
- Need to make sure the Cloud doesn’t have crazy terms like “as soon as data comes onto our network, we solely own its intellectual property and you forfeit your claim of IP.”
- Shared attack surface – this was an interesting point. If all of our companies move to this Cloud infrastructure, that means that a would-be attacker would certainly become more interested in breaking into this Cloud – it now becomes a “high value target”. Because if you can, you might have further access to lots and lots of other companies’ data too, right? In addition, what if one of your (unknown) Cloud neighbors is the victim of a denial-of-service (DoS) attack? When the attacker takes out this other company, they incidentally take you out too! There are certainly some “cons” to having all of this infrastructure centralized.
Bottom line, this whole cloud movement isn’t as cut-and-dried as everyone makes it sound. That may have already been obvious. Despite the challenges though, it seems like Cloud computing is ready to go like, right now! With the unimaginable cost-savings/cost-avoidance that is associated, I do fully expect this to hit companies in the next couple of years. Put another way, I don’t see any reason left why it wouldn’t. It will be interesting to see how it all turns out.
By the way, a prediction that almost every speaker referenced was that by 2013, mobile users will exceed PC users, as the primary vehicle for getting to the Internet.
Dave Cullinane said that they created the eBay mobile app just to prove they could and to exercise the technology. However, that year, the app generated more than half a BILLION dollars for them. So these times, they are a-changin’…