And on the second day God said “let there be computing – in the cloud” and he gave unto man cloud computing…on the seventh day man said “hey, uhmm, dude where’s my data?”
There has been much talk lately about the “Cloud“. The promise of information stored in massive virtual data centers that exist in the ethereal world of the Internet, then delivered as data or services to any computing device with connectivity to the “Cloud“. Hoff recently ranted poetic on the “Cloud” (here) and asked the question “How does one patch the Cloud” (here)
So what the hell is the cloud anyway and how is it different from ASPs (application service providers) and MSPs (managed service providers) of yesteryear, the SaaS/PaaS/CaaS (crap as a Service) “vendors” of today and the telepathic, quantum, metaphysical, neural nets of tomorrow?
I am not going to spend any time distinguishing between services offered by, or including the participation of, a 3rd party whether they take the name ASP, SOA, Web services, Web 2.0, SaaS/PaaS, or cloud-computing. For whatever label the ‘topic du jour’ is given, and regardless of the stark differences or subtle nuances between them, the result is the same – an organization acquiesces almost complete visibility and control over some aspect of their information and/or IT infrastructure.
There should be no doubt that the confluence of greater computing standardization, an increasing need for service orientation, advances in virtualization technology, and nearly ubiquitous broad-band connectivity enable radical forms of content and service delivery. The benefits could be revolutionary, the fail could be Biblical.
Most organizations today can barely answer simple questions, such as how many assets do we own? How many do we actively manage and of these how many adhere to corporate policy? So of course it makes sense to look to a 3rd party to assist in creating a foundation for operational maturity and it is assumed that once we turn over accountability to a 3rd party that we significantly reduce cost, improve service levels and experience wildly efficient processes – this is rarely the case, in fact most organizations will find that the lack of transparency creates more questions than they answer and instill a level of mistrust and resentment within the IT team as they have to ask whether the company has performed something as simple as applying a security patch. The “Cloud” isn’t magic, it isn’t built on advanced alien technology or forged in the fires of Mount Doom in Mordor, no it is built on the same crappy stuff that delivers lolcats (here) and The Official Webpage of the Democratic Peoples Republic of Korea (here), that’s right the same DNS, BGP, click-jacking and Microsoft security badness that plague most everybody – well plague most everybody – so how does an IT organization reliably and repeatably gain visibility into a 3rd parties operational processes and current security state? More importantly when we allow services to be delivered by a third party we lose all control over how they secure and maintain the health of their environment and you simply can’t enforce what you can’t control.
In the best case an organization will be able to focus already taxed IT resources on solving tomorrows problems while the problems of today are outsourced, but in the worst case using SaaS or cloud-computing might end up as the digital equivalent of driving drunk through Harlem while wearing a blind fold and waving a confederate flag with $100 bills stapled to it and hoping that “nothing bad happens”. Yes cloud-computing could result in revolutionary benefits or it could result in failures of Biblical proportions, but most likely it will result in incremental improvements to IT service delivery marked by cyclical periods of confusion, pain, disillusionment, and success, just like almost everything else in IT – this is assuming that there is such a thing as the “Cloud”
Update: To answer Hoff’s original question “How do we patch the cloud?” the answer is – no different than we patch anything, unfortunately the problem is in the “if and when does one patch the cloud” – which can result in mistmatched priorities between the cloud owners and the cloud users.
Something, something this way blogs 
Hey, uh, so…how do I patch the cloud, eh?
Don’t y’all have an agent for that?
Well, we have “supported” agents for the following platforms:
* Windows NT SP6a/95/98/Me/2000/XP/2003 (x86)
* Windows 2003/XP (x64)(including Windows 2003 R2)
* Windows Vista (x86/x64)
* Windows 2003 Itanium
* Windows Server 2008 (x86/x64)
* HPUX 11.00/11.11 (RISC)
* HPUX 11.23 (RISC/Itanium)
* IBM AIX 5.1/5.2/5.3 (PowerPC)
* Solaris 7/8/9/10 (SPARC)
* Solaris 10 (x86)
* Linux Red Hat 8/9 (x86)
* Linux Red Hat Enterprise 3/4/5 (x86/x64)
* VMWare ESX Server 3/3.5
* Linux Red Hat Fedora Core 3/4/5 (x86)
* Linux SUSE 8/9/10 (x86/x64)
* Mac OS X 10.3/10.4/10.5 (PowerPC/Intel)
* Windows Mobile 5/6/7, Windows CE 4.2/5, and Windows XP embedded
Plus we have “unsupported” agents for everything from IBM’s zLinux to Debian to Wyse thin clients.
So if we have an agent for it, and it is used as part of the “Cloud” then we can patch it, but if the cloud is made up of disparate bits and bytes floating aimlessly through the digital Cerebrospinal fluid of the Internet than we got nothing 😉
Given your definition, Amrit, we should probably refer to it as “fog computing.”
As in, onward thru the …
We could also refer to it as “Cheese computing.”
As in, who cut the…?
I noticed the following comment by jurquharts (here)
“This post contains both FUD and sage advice regarding the challenges facing enterprises addressing the cloud. FUD like “when we allow services to be delivered by a third party we lose all control over how they secure and maintain the health of their environment and you simply can’t enforce what you can’t control.” That’s exactly what we do with our money in banks. Sage advice like “it will result in incremental improvements to IT service delivery marked by cyclical periods of confusion, pain, disillusionment, and success, just like almost everything else in IT…” Amen, brother.”
Thanks for the comments James:
We do lose some level of visibility and control when we turn money over to a bank, that is why we have the FDIC, it is also why when some banks went bye-bye folks who had more than $100k in those banks lost everything over $100k – that isn’t FUD that is the reality of he current banking system, in the case of Cloud-computing or SaaS it is actually far worse, for example one has no control over how Amazon or Google maintain the health or security of their systems – they may do a fantastic job or they may FAIL, either way though there is no oversight committee or external governance process to ensure they do anything (aside from market forces that may react when they do FAIL), and aside form a SAS 70 audit there really is nothing that one can do to ensure they meet a base level of operational controls.
Would love to hear your thoughts though…
Pingback: Cloud Feed » Blog Archive » Daily Cloud Feed - Oct 26, 2008
@shrdlu – “fog computing.” surprised I haven’t ever seen that used as a headline in any major media outlet yet.
Pingback: And on through the Fog of Microsoft’s “Cloud OS” Azure « Amrit Williams Blog
Wasn’t it in Proverbs where Solomon quipped “..and a dog shall return to its vomit..”..cloud computing seems to be a reoccuring theme which no one seems to have a great grasp on.
Amrit,
Wow. Thanks for taking the time to hunt down that bookmark and commenting. (That’s the problem with using Diigo/del.icio.us as a commenting mechanism…no response mechanism except FriendFeed and DIY).
You are absolutely correct that the banking system has regulatory oversight, deposit insurance and the like, and that this is missing from the cloud. Phil Wainwright has suggested a SaaS code of conduct that would address some of this, and I put together (strictly on a whim) a cloud computing bill of rights that some are trying to find a trade group to ratify.
I’m afraid it will probably take a “data tragedy” to get policy makers to acknowledge the need, however.
In the meantime, there is no doubt that enterprises are being very careful about where they put their data, and what computational loads they send outside of their firewall. But they are finding both data and load they deem appropriate for the cloud.
This is a good (though at times raunchy) discussion. I’ll add this to my comment-challenged bookmarks of the day. 🙂
Pingback: Links for 2008-10-30 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"] | Small Business System
Pingback: Amazon AWS Security…What a Cloudy Web We Weave « Amrit Williams Blog