The Cloud is, too often, a solution in search of a problem. For many IT shops it is no longer a tool to be used in achieving a goal – it has become the goal.

Exacerbating the problem are the IT strategists who talk about the cloud without explaining which of cloud’s many definitions they’re talking about.

As always, KJR is here to help. And so, the next time the subject of “moving to the cloud” comes up, make yourself annoying by asking which cloud definition the speaker wants to move to. Among the possibilities:

Public cloud: A wholesale hosting solution, where IT can provision and de-provision (if that’s a word) virtual computing resources quickly and easily by just filling out a form.

Private cloud: A retail hosting solution, where IT can provision and de-provision virtual computing resources quickly and easily by just filling out a form, so long as IT has enough spare capacity on-line in its data centers to provision them.

Hybrid cloud: Public plus private cloud computing resources, seamlessly combined to use private cloud resources until they’re exhausted, then supplementing them with public cloud resources.

Software as a Service (SaaS): Commercial Off The Shelf Software (COTS, and no, I don’t know why the acronym only has one “S” in it) hosted in a public cloud.

Cloud as panacea: A version of public cloud that’s the driving force behind conversations that begin, “We don’t want to be in the data center business.” Sadly, like all acts of delegation, when IT outsources its infrastructure to a public cloud provider, the vendor is merely responsible for hosting IT’s applications. IT remains accountable however it hosts them.

Cloud as architecture: Establishing and enforcing the use of a standardized set of virtualized computing resources, so that all applications have identical hosting configurations.

Cloud discussions that don’t include cloud-as-architecture are likely to be pointless; also needlessly long.

Cloud-as-panacea discussions, while even more likely to be pointless, will, in contrast, be mercifully brief.

Which brings us back to the SolarWinds fiasco.

An old but reasonably accurate critique of management consulting has it that management consultants will, if your organization is decentralized, recommend you centralize it to achieve efficiencies from economies of scale. If, on the other hand, your organization is centralized, we’ll recommend that you decentralize to encourage innovation by shortening decision chains and cutting down on bureaucracy.

The arguments in favor of IT’s collective move to public cloud computing are, for the most part, little more than an assertion that centralization is all upside with no downside – a panacea.

My concern: Not only isn’t it a panacea, but it creates enormous risks for the world economy. Why?

First: Public or not, without cloud-as-architecture it isn’t cloud. With cloud-as-architecture, all computing resources a cloud provider delivers are, through the miracle of standardization, identical. While this certainly makes scaling much easier, it also means everything they host shares the same vulnerabilities.

Which in turn means public cloud providers will be more and more attractive targets because the very factors that make them appealing to IT make it easier for malicious actors to scale their attacks.

Bob’s last word: As SolarWinds-type breaches become more common, IT organizations will have to become increasingly sophisticated in performing cloud due diligence – not only on the cloud provider itself, but on its entire supply chain as well.

Bob’s sales pitch: What I’m selling is fame and fortune. Well, not exactly fame, but sort of; not fortune at all because I’m not going to pay you anything.

What’s the subject? ManagementSpeak is the subject. My supply is running low, and the demand is the same as always (one per KJR if I have any in stock that fit the subject).

So how about it? Keep your ears open and your translator engaged, and send in your juicy management euphemism … translation optional but appreciated. And make sure to let me know if I can give you credit as the source or you need to remain anonymous.

Turns out, the speed of light isn’t the universe’s limiting velocity. As evidence, I offer the SolarWinds security breach, which exited the news faster than any photon could follow.

Among the more interesting bits and pieces of the SolarWinds security fiasco was how it familiarized us with the phrase “supply chain” as a cloud computing consideration.

But first, in the interest of burying the lede …

The business case for cloud computing – we’re talking about public cloud providers like AWS, Azure, and GCP – has always been a bit fuzzy. For example:

Economics: The cloud saves companies money … except when it doesn’t. If the demand for computing resources is unpredictable, provisioning in the cloud is just the ticket, because the cloud lets you add and shed resources on demand.

That’s in contrast to on-premises provisioning, where you provision for a specified level of demand. If you can accurately predict demand and your negotiating skills are any good you can probably buy enough computing resources to satisfy that demand for less than a cloud provider can rent them to you.

Engineering: Modern computing platforms and infrastructure are complex, with a lot of (metaphorically) moving parts. In the ancient days, IT dealt with this by buying its infrastructure from a single-vendor supply chain that pre-packaged it (IBM, if you’re too annoyingly youthful to remember such things).

With the advent of distributed computing and multivendor environments, IT had to bring its infrastructure engineering expertise in-house, partially offsetting distributed systems’ lower prices while supplanting a single-link supply chain with more links than a chain mail tunic.

Meanwhile, the requirements of multivendor supply chain management made the complexities of infrastructure engineering seem simple when compared to the complexities of service-provider contract negotiations. And, even worse, the complexities of multi-layer license agreements.

And, even worse than that, the aggravations of multivendor bickering and mutual finger-pointing whenever something goes wrong.

The rise of PaaS providers promised to reverse this trend – not completely, but enough that IT figured it could reduce both its vendor management and engineering burdens.

Security: In the early days of cloud computing, security was where the cloud value proposition seemed most dubious. Putting a company’s valuable data and business logic in the public cloud where IT had no control or oversight over how it was secured struck most CIOs and CSOs as a risky business at best.

But those were the good old days of basement-dwelling hobbyist hackers. Over the past decade or so these quaint relics of a bygone age have been replaced by malicious state actors and organized crime.

Meanwhile, working with a cloud provider has more and more in common with renting space in an office building: You’re relying on the architect who designed it and the construction firm that built it to select suppliers of concrete and girders that provide quality materials, and to hire a workforce that won’t plant concealed weaknesses in the structure.

You could, of course, hire your own architect, project manager, and construction workers and build your own office building.

But probably not. Unmetaphorically speaking, whether you manage your own data center and computing infrastructure or outsource it to a cloud services provider, you’re dealing with a complex, multi-layer supply chain.

The major cloud providers have economies of scale that let them evaluate suppliers and detect sophisticated incursions better than all but their largest customers can afford.

But on the other side of the Bitcoin, the major cloud providers are far more interesting targets for state- and organized-crime-scale intruders than you are.

Bob’s last word: Sometimes, making decisions is like dining at a gourmet buffet, where our choices are all good and the limiting factor is the size of our plates and appetites.

Other times, changing metaphors (again), the best we can do is, as Tony Mendez says in Argo, choose “the best bad plan we have.”

Right now, when it comes to cybersecurity, our situation is more Argo than buffet.

Bob’s sales pitch: Nope. I don’t consult on security. So I can’t help you there. But in the meantime, if you’re looking for reading material, I’m your guy. Help support KJR by buying some.