“It must be, I thought, one of the race’s most persistent and comforting hallucinations to trust that “it can’t happen here” – that one’s own time and place is beyond cataclysm.” – John Wyndham, The Day of the Triffids
The Cloud is, too often, a solution in search of a problem. For many IT shops it is no longer a tool to be used in achieving a goal – it has become the goal.
Exacerbating the problem are the IT strategists who talk about the cloud without explaining which of cloud’s many definitions they’re talking about.
As always, KJR is here to help. And so, the next time the subject of “moving to the cloud” comes up, make yourself annoying by asking which cloud definition the speaker wants to move to. Among the possibilities:
Public cloud: A wholesale hosting solution, where IT can provision and de-provision (if that’s a word) virtual computing resources quickly and easily by just filling out a form.
Private cloud: A retail hosting solution, where IT can provision and de-provision virtual computing resources quickly and easily by just filling out a form, so long as IT has enough spare capacity on-line in its data centers to provision them.
Hybrid cloud: Public plus private cloud computing resources, seamlessly combined to use private cloud resources until they’re exhausted, then supplementing them with public cloud resources.
Software as a Service (SaaS): Commercial Off The Shelf Software (COTS, and no, I don’t know why the acronym only has one “S” in it) hosted in a public cloud.
Cloud as panacea: A version of public cloud that’s the driving force behind conversations that begin, “We don’t want to be in the data center business.” Sadly, like all acts of delegation, when IT outsources its infrastructure to a public cloud provider, the vendor is merely responsible for hosting IT’s applications. IT remains accountable however it hosts them.
Cloud as architecture: Establishing and enforcing the use of a standardized set of virtualized computing resources, so that all applications have identical hosting configurations.
Cloud discussions that don’t include cloud-as-architecture are likely to be pointless; also needlessly long.
Cloud-as-panacea discussions, while even more likely to be pointless, will, in contrast, be mercifully brief.
Which brings us back to the SolarWinds fiasco.
An old but reasonably accurate critique of management consulting has it that management consultants will, if your organization is decentralized, recommend you centralize it to achieve efficiencies from economies of scale. If, on the other hand, your organization is centralized, we’ll recommend that you decentralize to encourage innovation by shortening decision chains and cutting down on bureaucracy.
The arguments in favor of IT’s collective move to public cloud computing are, for the most part, little more than an assertion that centralization is all upside with no downside – a panacea.
My concern: Not only isn’t it a panacea, but it creates enormous risks for the world economy. Why?
First: Public or not, without cloud-as-architecture it isn’t cloud. With cloud-as-architecture, all computing resources a cloud provider delivers are, through the miracle of standardization, identical. While this certainly makes scaling much easier, it also means everything the provider hosts shares the same vulnerabilities.
Which in turn means public cloud providers will be more and more attractive targets because the very factors that make them appealing to IT make it easier for malicious actors to scale their attacks.
Bob’s last word: As SolarWinds-type breaches become more common, IT organizations will have to become increasingly sophisticated in performing cloud due diligence – not only on the cloud provider itself, but on its entire supply chain as well.
Bob’s sales pitch: What I’m selling is fame and fortune. Well, not exactly fame, but sort of; not fortune at all because I’m not going to pay you anything.
What’s the subject? ManagementSpeak is the subject. My supply is running low, and the demand is the same as always (one per KJR if I have any in stock that fit the subject).
So how about it? Keep your ears open and your translator engaged, and send in your juicy management euphemism … translation optional but appreciated. And make sure to let me know if I can give you credit as the source or you need to remain anonymous.