Monday, April 25, 2011

More than 7 deadly sins of cloud computing

I’m a sucker for a clever headline.

A while back I ran across an article about the “7 Deadly Sins of Cloud Computing” in Computerworld. Antony Savvas was writing about a report from the Information Security Forum (ISF) that announced it had identified those items of great IT wickedness that will turn something that sounds as angelic as it comes – cloud computing – into some sort of pit of eternal damnation.

OK, maybe I’m exaggerating, but just go with it. (Though after the beating that Amazon took from some quarters after their EC2 outage last week, maybe I’m not exaggerating by much.)

So what were those 7 cloudy yet sinful atrocities? I’ll tempt fate by listing them here, as reported by Computerworld UK:

Ignorance - cloud services have little or no management knowledge or approval

Ambiguity - contracts are agreed without authorization, review or security requirements

Doubt - there is little or no assurance regarding providers' security arrangements

Trespass - failure to consider the legality of placing data in the cloud

Disorder - failure to implement proper management of the classification, storage, and destruction of data

Conceit - belief that enterprise infrastructure is ready for the cloud when it's not

Complacency - assuming 24/7 service availability

It’s a solid list, for sure. For each of these, you can probably recollect relevant horror stories. For example, the folks whose sites were impacted by Amazon EC2 going down for an extended period of time last week are probably guilty of the last one: complacency. They forgot to architect for failure, something they had probably done all the time in pre-cloud IT environments.

As part of the write-up on these big no-nos, Steve Durbin, ISF global vice president, explains that "with users signing up to new cloud services daily - often 'under the radar' - it's vital that organizations ensure their business is protected and not exposed to threats to information security, integrity, availability and confidentiality." No argument there from me at all.

But, security isn’t the only thing you need to be concerned about if you’re going to list out cloud computing sins. And why stop at seven? (Historical and liturgical tradition aside, of course.)

So, after talking about some additions to the list with folks on Twitter, here are a few more sins that I’ve heard suggested that I think are worthy of adding to the list:

Cloudwashing (from @Staten7) – Describing something as a cloud offering that is not. Vendors get beaten up for this all the time. And they often deserve it. In his research at Forrester, James Staten points out that enterprises do this, too. So, this can apply to vendors and to enterprises who believe they’ve checked the cloud box by just doing a little virtualization work.

Defensive posture (also from @Staten7) – I think this is one of the reasons an enterprise cloudwashes their own internal efforts. They are not looking at cloud computing for the agility or cost benefits, but instead are working to meet someone’s internal goal of “moving to cloud.” They’re trying to cross cloud off the list while trying to avoid breaking their own existing processes, technology, or organizational silos. Or by saying they’ve already done as much as they need to do. Pretty selfish, if you ask me. Which is a sin all its own, right?

Needless complexity (from @mccrory) – The cloud is supposed to be clean, simple, and dead easy. Yet, there are cloud offerings that end up being just as complicated as the more traditional route of sourcing and operating IT. That’s sort of missing the point, I think.

Too many separate security projects (from @jpmorgenthal) – Back on the security topic, JP Morgenthal tweeted this: “I’m a big supporter of security investments but I believe there are too many separate cloud security efforts.” What are the issues? For starters, the right hand needs to know what the left hand is doing. And those different efforts need to be at the right level, area of focus, and have the right buy-in. Folks like Chris Hoff at Cisco and our own security experts here at CA Technologies can help you sort through this in more detail.

Worshipping false idols (from @AndiMann) – Well, this sounds a bit more like a commandment than a deadly sin, but I’m not going to split hairs at this point. This directive from on high can cover two topics, in fact: don’t get all hung up on cloud computing definitions to the exclusion of a useful approach. And, secondly, ignore silly rhetoric from vendors going on and on about “false clouds.” Yes, salesforce.com, I’m talking about you.

So there you go. Five newly minted Deadly Cloud Sins to go along with the 7 Cloud Security Sins from the ISF. All those sins, and I still didn’t figure a way to wrap in gluttony. That was always a favorite of mine.

What’s the bottom line here? Aside from a little bombast, there’s some good advice to be had in all this. Avoid these approaches and you have a fighting chance at cloud computing salvation. Ignore them and your users will be drawing pictures of you with little devil horns and pitchforks on them. That last scenario is never a path to success in my book.

Any additional sins you will admit to? There are plenty more cloud computing sins that could be added to this list, that’s for sure. Share any glaring ones that you think absolutely have to be here. Even if you’re the one that committed them. After all, confession is good for the soul.

No comments: