Cloud risk: A look at real concerns and exaggerated worries

While many companies have had no qualms about jumping onto the cloud bandwagon, others still resist buying a ticket. Why? Because of risk. After all, handing over the keys to your server room or datacenter to a corporate entity located who knows where is no easy decision for a CEO or business owner who has invested in building and growing their company. Brad Fillo, a Security Engineer with Check Point Software Technologies, whom I met and talked with recently at a tech conference, has thought a lot about cloud risk and he was more than willing to express his opinions on it so I could share his insights with our TechGenix audience. Brad is a 20-year IT professional who began his career in the heyday of the dot.com era in the San Francisco Bay Area with Sun Microsystems. It was here Brad specialized on datacenter operations, virtualization, and evolution. Since moving back to Canada in the late 2000s, Brad has had various business development/sales engineering roles in the managed IT services space, with a focus on the efficiencies inherent in the move of IT workloads to datacenters as a precursor to the cloud as it is known today. Brad has made the leap into cloud security with Check Point Software as of 2016, where he currently holds the position of channel security engineer. To help us understand both risks and benefits involved in moving your business to the cloud, Brad starts off by taking us back to basics by asking a simple but necessary question: What really is “the cloud”?

So what is “the cloud,” really?

For the purposes of this discussion, I will focus on what the industry refers to as a “public cloud.”

Functionally, the cloud is the delivery of two things as a “utility” or a “services” model:

• Applications such as Gmail, Dropbox, Slack.
• Infrastructure, which is the servers, storage, and networking devices that are/were traditionally owned by an organization to provide services similar to the above.

With the cloud, the focus shifts from the efforts to provide these services to one of how to best use these services. It removes the burden of ownership of any of the underlying systems, in both physical and philosophical terms, from the corporate IT organization.

More specifically, the corporation need only concern itself with what the cloud services enable for their organization, and not with the physical components that provide that service. The facility, the hardware, the assembly of that hardware, the maintenance — all become the provision of the cloud provider.

The cloud provides the ability for these IT services to be accessed from the source rather than within the confines of a corporation’s IT sphere. Now that they are within the purview of the Internet, these services can be reached by anyone with access to it.

In the world of IT services and delivery, this is a powerful new freedom.

No longer do users have to wait until they are back at the office (or connected to it via VPN) to upload their client meetings or track their mileage/expenses. With these applications delivered as cloud services, the end-user is able to do so by accessing the service itself, and in near real-time.

And the systems of record are updated just as quickly. The benefits of that are of particular importance if you are in supply chain management, or resource management/planning, or any other corporate function that makes decisions based on up-to-the-minute information.

So what does it actually look like?

Where are these “clouds?” Is it not just “someone else’s computer?”

Indeed the cloud can be regarded as “someone else’s computer.” But more correctly it is an abstraction of the workload (the more typical operating system and corresponding applications that run on them) away from the dependence on the physical hardware it resides on.

The outcome of this is the portability of these workloads. Thus “someone else’s computer” is, in fact, many computers. And thus the “computer” is at once far more distributed, more powerful, and ultimately far less the focus. What it enables, rather than how it does so, becomes the key.

Indeed this is part of the magic. The ability for the workload to be movable allows for geographic optimization and dispersion for the very nature of why the Internet was originally conceived: to decentralize the risk associated with critical infrastructure and to allow fault-tolerance.

Perhaps a more accessible example is the storage of data within a cloud environment. The average consumer is at least aware of storage and its limitations (and location), whether within their smartphone, their home laptop, or their personal cloud-based email account.

In the days before cloud, a dedicated server generally would have dedicated disk all within the same chassis.

As servers evolved, there was a move to physically separate these components into more single-purpose devices. Thus the industry began to see dedicated servers with minimal internal disk (or none at all), and the data disks then resided in a dedicated storage device with its own brains.

The servers would direct data to these devices and let the device itself decide where to spread the data to the disks. Consider the data “poured in the top” of the device and left alone to work its magic

This abstraction now makes it difficult to determine “where my file is” within the device. This introduces the beginnings of the decentralization of data. The dramatic positive of this situation is that the use (and resistance to hardware failure) is now spread across many devices, not simply one.

The cloud itself takes this analogy far further. Instead of having data delivered to one physical unit within a datacenter, now the data is “poured in the top” of countless datacenters around the world. Your pictures of your kids, or your critical files, or your block-level backups would be a challenge to wrap your arms around if you needed to, as components of each may be spread out across many geographically-diverse systems.

Can I trust the cloud?

With abstraction and decentralization of data and services, the next obvious question is “can I trust it?” That is, how does a user/organization know their Office365 or their Gmail will always be there?

Therein lays the challenge. While the physical decentralization of these services inherently provides (by inherent design) more fault-tolerance and general reliability than traditional methods, often the providers of these services do not guarantee them to the degree the user might expect.

In the consumer space, Google, for example, does not provide any formal user level agreement or service level agreement (ULA, SLA) for their consumer (i.e. free) Gmail product. No uptime guarantee, no data-loss guarantee, no matter how unlikely.

Where it is far more key is within the commercial space. Two of the largest Infrastructure providers are clear as to what their service level agreements cover. No guarantee against data loss, no guarantee against security breaches. This often comes as a shock to those new to the cloud.

Consider the following analogy: Arguably one of the key benefits of using a credit card is the risk that the provider takes on from the user. If a card is stolen or used without authorization, the credit card provider indemnifies the user from that risk. The trouble is, there is often a perception in the IT world that cloud providers do the same. That is, the cloud providers will provide all of the necessary security and general risk-protection for the organization.

The truth is, they do not. As in the traditional IT world, organizations need to protect themselves and their data specifically when they release it “into the wild” of the cloud. In order to fully realize the benefits of any cloud service, these aspects must be covered.

Is cloud risk real?

Seems like a lot of hassle. Is it worth the risk? Wouldn’t we be better off without it? Should I get off of Gmail/Box/etc.?

An age-old question that is applied to any new technology as they emerge.

With any technology, there are inherent risks. As with the introduction of the automobile, the telephone, or the first computer, it is easy to point to the problems with each of those technologies, and the risks they bring with them.

And while value is in the eye of the observer, the capabilities that these technologies bring for the average user far outstrip the risks involved. Thus mathematically these are good and useful steps forward, and they are obvious in much of our daily lives.

Three key points (within the corporate world) outline this clearly:

• Elasticity — The ability for cloud resources to scale up and down in response to wildly shifting demands for the workloads they provide. For example, the now-classic example of tax season or streaming services for the big sports event.
• Time-to-value — Arguably one of the aspects that is often not fully quantified has to do with the reduction in time from the purchase of an IT infrastructure to the time it begins to make/save an organization money. In the recent past, large architectures could take better parts of a year or more between delivery and production. Now this time is reduced to mere seconds in some cases. And, in practically all of the major cloud providers, this can happen automatically.
• Automated provisioning — With the ability to enable the turn up and turn down of cloud services via automation (API calls, native integrations with key services, to name a few), many such services can be enabled (or at the very least augmented) via a non-specialist such as a lower-level service desk agent rather than an architect. This shifts the burden of this task to less expensive resources, in addition to speeding up the time to resolution.

Just as the world would be reluctant to give up the modern conveniences of credit cards or mobile payments, so too will the world be reluctant to go back to the days of cost and inflexibility of the traditional owned IT infrastructure. Companies can instead focus on their core products/services, rather than be in the world of IT.

The cloud is ultimately no different. Arguably its potential is equal to that of the Internet itself.

Featured image: Shutterstock