“Rarely do we find men who willingly engage in hard, solid thinking. There is an almost universal quest for easy answers and half-baked solutions. Nothing pains some people more than having to think.” – Martin Luther King Jr.

Turns out, the speed of light isn’t the universe’s limiting velocity. As evidence, I offer the SolarWinds security breach, which exited the news faster than any photon could follow.

Among the more interesting bits and piece of the SolarWinds security fiasco was how it familiarized us with the phrase “supply chain” as a cloud computing consideration.

But first, in the interest of burying the lede …

The business case for cloud computing – we’re talking about public cloud providers like AWS, Azure, and GCP – has always been a bit fuzzy. For example:

Economics: The cloud saves companies money … except when it doesn’t. If the demand for computing resources is unpredictable, provisioning in the cloud is just the ticket, because the cloud lets you add and shed resources on demand.

That’s in contrast to on-premises provisioning, where you provision for a specified level of demand. If you can accurately predict demand and your negotiating skills are any good you can probably buy enough computing resources to satisfy that demand for less than a cloud provider can rent them to you.

Engineering: Modern computing platforms and infrastructure are complex, with a lot of (metaphorically) moving parts. In the ancient days, IT dealt with this by buying its infrastructure from a single-vendor supply chain that pre-packaged it (IBM, if you’re too annoyingly youthful to remember such things).

With the advent of distributed computing and multivendor environments, IT had to bring its infrastructure engineering expertise in-house, partially offsetting distributed systems’ lower prices while supplanting a single-link supply chain with more links than a chain mail tunic.

Meanwhile, the requirements of multivendor supply chain management made the complexities of infrastructure engineering seem simple when compared to the complexities of service-provider contract negotiations. And, even worse, the complexities of multi-layer license agreements.

And, even worse than that, the aggravations of multivendor bickering and mutual finger-pointing whenever something goes wrong.

The rise of PaaS providers promised to reverse this trend – not completely, but enough that IT figured it could reduce both its vendor management and engineering burdens.

Security: In the early days of cloud computing, security was where the cloud value proposition seemed most dubious. Putting a company’s valuable data and business logic in the public cloud where IT had no control or oversight over how it was secured struck most CIOs and CSOs as a risky business at best.

But those were the good old days of basement-dwelling hobbyist hackers. Over the past decade or so these quaint relics of a bygone age have been replaced by malicious state actors and organized crime.

Meanwhile, working with a cloud provider has more and more in common with renting space in an office building: You’re relying on the architect who designed it and the construction firm that built it to select suppliers of concrete and girders that provide quality materials, and to hire a workforce that won’t plant concealed weaknesses in the structure.

You could, of course, hire your own architect, project manager, and construction workers and build your own office building.

But probably not. Unmetaphorically speaking, whether you manage your own data center and computing infrastructure or outsource it to a cloud services provider, you’re dealing with a complex, multi-layer supply chain.

The major cloud providers have economies of scale that let them evaluate suppliers and detect sophisticated incursions better than all but their largest customers can afford.

But on the other side of the Bitcoin, the major cloud providers are far more interesting targets for state- and organized-crime-scale intruders than you are.

Bob’s last word: Sometimes, making decisions is like dining at a gourmet buffet, where our choices are all good and the limiting factor is the size of our plates and appetites.

Other times, changing metaphors (again), the best we can do is, as Tony Mendez says in Argo, choose “the best bad plan we have.”

Right now, when it comes to cybersecurity, our situation is more Argo than buffet.

Bob’s sales pitch: Nope. I don’t consult on security. So I can’t help you there. But in the meantime, if you’re looking for reading material, I’m your guy. Help support KJR by buying some.