Turns out, the speed of light isn’t the universe’s limiting velocity. As evidence, I offer the SolarWinds security breach, which exited the news faster than any photon could follow.

Among the more interesting bits and pieces of the SolarWinds security fiasco was how it familiarized us with the phrase “supply chain” as a cloud computing consideration.

But first, in the interest of burying the lede …

The business case for cloud computing – we’re talking about public cloud providers like AWS, Azure, and GCP – has always been a bit fuzzy. For example:

Economics: The cloud saves companies money … except when it doesn’t. If the demand for computing resources is unpredictable, provisioning in the cloud is just the ticket, because the cloud lets you add and shed resources on demand.

That’s in contrast to on-premises provisioning, where you provision for a specified level of demand. If you can accurately predict demand and your negotiating skills are any good you can probably buy enough computing resources to satisfy that demand for less than a cloud provider can rent them to you.

Engineering: Modern computing platforms and infrastructure are complex, with a lot of (metaphorically) moving parts. In the ancient days, IT dealt with this by buying its infrastructure from a single-vendor supply chain that pre-packaged it (IBM, if you’re too annoyingly youthful to remember such things).

With the advent of distributed computing and multivendor environments, IT had to bring its infrastructure engineering expertise in-house, partially offsetting distributed systems’ lower prices while supplanting a single-link supply chain with more links than a chain mail tunic.

Meanwhile, the requirements of multivendor supply chain management made the complexities of infrastructure engineering seem simple when compared to the complexities of service-provider contract negotiations. And, even worse, the complexities of multi-layer license agreements.

And, even worse than that, the aggravations of multivendor bickering and mutual finger-pointing whenever something goes wrong.

The rise of PaaS providers promised to reverse this trend – not completely, but enough that IT figured it could reduce both its vendor management and engineering burdens.

Security: In the early days of cloud computing, security was where the cloud value proposition seemed most dubious. Putting a company’s valuable data and business logic in the public cloud where IT had no control or oversight over how it was secured struck most CIOs and CSOs as a risky business at best.

But those were the good old days of basement-dwelling hobbyist hackers. Over the past decade or so these quaint relics of a bygone age have been replaced by malicious state actors and organized crime.

Meanwhile, working with a cloud provider has more and more in common with renting space in an office building: You’re relying on the architect who designed it and the construction firm that built it to select suppliers of concrete and girders that provide quality materials, and to hire a workforce that won’t plant concealed weaknesses in the structure.

You could, of course, hire your own architect, project manager, and construction workers and build your own office building.

But probably not. Unmetaphorically speaking, whether you manage your own data center and computing infrastructure or outsource it to a cloud services provider, you’re dealing with a complex, multi-layer supply chain.

The major cloud providers have economies of scale that let them evaluate suppliers and detect sophisticated incursions better than all but their largest customers can afford.

But on the other side of the Bitcoin, the major cloud providers are far more interesting targets for state- and organized-crime-scale intruders than you are.

Bob’s last word: Sometimes, making decisions is like dining at a gourmet buffet, where our choices are all good and the limiting factor is the size of our plates and appetites.

Other times, changing metaphors (again), the best we can do is, as Tony Mendez says in Argo, choose “the best bad plan we have.”

Right now, when it comes to cybersecurity, our situation is more Argo than buffet.

Bob’s sales pitch: Nope. I don’t consult on security. So I can’t help you there. But in the meantime, if you’re looking for reading material, I’m your guy. Help support KJR by buying some.

In ten days we can all celebrate having survived 2020.

Except for those of us who didn’t survive it.

A friend made the point that while most of us are quite concerned about COVID-19, we don’t think twice about the risk of driving to the supermarket and dying from injuries sustained in a collision.

As it turns out, with the assistance of a bit of googling, my friend’s point made the opposite point: Traveling 230 miles by car carries with it a 1 “micromort” risk, a micromort being a one-in-a-million chance of sudden death. Extrapolating, a trip to the supermarket has a mortality risk of about 1 in 20 million, compared to the 1 in 1,000 we share for dying of COVID-19.

But the question he asked was the right one.

Without in any way trivializing the devastation that’s hit so many of us so hard on so many different fronts, I think that if we allow it, 2020 has given us an opportunity – an opportunity to think better.

Especially, this is the year that’s taught us how much the question my friend asked … “Compared to what?” … matters.

For example: As of this writing, California’s COVID-19 mortality has reached 22,436. On the face of it, this is carnage.

But … 22,436 compared to what? In round numbers, California’s population of 39.5 million is about the same as Florida and New York combined (40.9 million). But Florida and New York’s combined COVID-19 mortality is more than twice what California has experienced – 56,175.

Meanwhile, many of our fellow citizens are outraged … OUTRAGED! as they might have posted on Twitter … at being told by their government that they must socially distance themselves from others around them and, when in proximity, they must wear pieces of cloth in front of their faces.

But before we allow outrage to get the better of us, let’s ask our 2020 question: compared to what?

That is, if we compare mask-wearing imperatives to governmental regulation of, say, bowling, mandatory mask-wearing is a sizeable imposition. But if instead we compare them to the laws that protect our neighbors by requiring sobriety while driving, not to mention having to earn a driver’s license and carry insurance?

When we think about the activities we’ve had to curtail or give up entirely, and how the businesses we patronized to enjoy them have suffered catastrophically, yes, it’s been a miserable year.

But miserable compared to what? Our misery is trivial compared to what Londoners experienced during the blitz in WWII. And from what I know of the subject, Londoners in WWII complained less. (On that subject let me take a moment to commend Citizens of London to your reading list.)

So as we gripe about what an awful year 2020 was, let’s take a few moments to put it in perspective – to ask ourselves, when pondering our misery, what we’re comparing it to?

Because we’ve had bad years before. There was 66,065,543 BC, when an asteroid wiped out the dinosaurs, along with three quarters of all other plant and animal species. There was 1347, when the bubonic plague hit Europe, eventually killing more than 25 million.

There was 1967, when paisley somehow seemed like a good idea, and, even more awful, 1970, when disco ran amok.

Meanwhile, in 2020 we discovered just how much we know about genetic engineering – enough to sequence a virus’s DNA and, in less than a year, engineer effective vaccines. Had we started trying to develop a COVID-19 vaccine ten years ago using the techniques available then, right about now we might have a vaccine worth testing.

Also in 2020 we discovered that, somewhere along the way, businesses either had already deployed or could deploy with relative ease the technologies needed for employees to collaborate with customers and clients, and each other, without needing to meet in person.

My first involvement with the business use of personal computers and computing was four decades ago. At the time, each personal computer required a separate capital proposal, complete with a financial Return on Investment (ROI) analysis.

In 2020 the business case for equipping employees with personal computers is “Don’t be ridiculous.”

So as we wrap up a year that was far from what we’d hoped it would be, let’s all ask each other to maintain perspective – to ask, no matter what the subject, “Compared to what?”

Because if we give an honest answer, for most of us and in most respects, while our situations are far from perfect, they’re closer to better than they are to worse.

# # #

I hope you find ways to have a wonderful holiday season. Me? I’m going to take a couple of weeks off – see you in 2021.

In the meantime, if you’re in the mood for past years’ Holiday Cards to the Industry, here’s where you’ll find them in the Archives: https://issurvivor.com/?s=%22holiday+card+to+the+industry%22 .

I hope you take the time to enjoy them.