Why is IT so bad at cloud computing?
One in five don't secure servers in the cloud? That's not ignorance or neglect; it's denial
Cloud computing is such an attractive, all-encompassing integrated enterprise, data-center-quality, dynamic computing paradigm that every company seems to want to jump on board.
They're doing it, to be sure, but not nearly as quickly or enthusiastically as most analysts expected even a year ago (when adoption rates were, similarly, a disappointment from the previous year).
The issue isn't how big or complicated the company or its IT is. In a report comparing spending on software by SMBs vs. enterprise (big) companies, Gartner estimated SMBs are adopting cloud at a higher rate than enterprises. About 34 percent of SMB software budgets go for cloud-based apps or services; only 27 percent of enterprise budgets swing that way.
The biggest concern – for both big companies and small ones, those building internal cloud infrastructures and those using cloud services provided by others – is security.
According to an October Symantec report on cloud preparedness, 82 percent of IT people involved in cloud called security was one of the biggest challenges – higher by four percentage points than performance – the second-most-frequently mentioned challenge.
- Concerns over security are so high they break down into sub-concerns, each of which carries enough worry to make it a primary obstacle all by itself:
- 58 percent worry about mass malware outbreaks at a cloud provider's facility;
- 57 percent worry the provider will be hacked;
- 57 percent worry insiders will share data that's (technically) already outside the company, in a cloud;
- 56 percent worry rogue cloud systems hired by business-unit managers will cause a breach in the primary corporate apps;
- 56 percent worry using an external provider will allow data leaks between different customers inhabiting the same cloud;
- 55 percent worry about DDOS attacks on the provider;
- 54 percent worry about a complete loss of data for a court case;
- 52 percent worry about not being able to recover data for a court case (IT is now officially too worried about lawsuits and e-discovery; see accompanying post for a little appropriate whining about that)
- 52 percent worry cloud systems won't meet the requirements for regulatory compliance audits.
That's a lot of very specific worry about something that's supposed to resolve IT concerns about data and security, not add to them.
Why is security still such a mystery and such a concern?
Security has been the No. 1 concern about the cloud since the term first migrated from the oversimplified-presentation palate of telcos to the artificially overcomplicating presentation palates of tech consultancies.
Security is the reason cited most often for a migration speed so slow that three years after the idea of external, public-cloud computing took over the computing world (or at least its hype cycle) only a third of companies have made significant progress on their goals to adopt it.
- According to Symantec's data:
- between 11 percent and 19 percent of companies polled may be thinking about cloud, but haven't done anything about it;
- 19 percent to 25 percent aren't even considering doing anything;
- 19 percent to 20 percent are in discussion or planning phases;
- only 34 percent are either in trials or actively implementing cloud.
That's not a big percentage for something that takes up so much of the hype-consumption capacity among end-user companies. Vendors still seem puzzled about why adoption is so slow and methodical, aside from how fundamental the change is from concepts of computing based on the physical location of servers compared to virtualized-everything-computing.
Security is credited as the main reason big companies tend to go more for internal private clouds rather than external clouds; not just in Symantec's surveys. In others from Forrester, Gartner and The451 group as well.
Security is also cited most often as the reason both small and large companies have been putting mainly marketing apps, marketing people and application test/development staffs on cloud systems rather than departments they consider "critical" to the rest of the company. (Not often cited but true nevertheless, that ranking is responsible for double-digit increases in depression among marketers and test/dev managers who realize they've been ostracized. Depression is only noticeable among smile-all-the-time marketers, however. In test/dev the hands-on crew are all too busy breaking things to not have fun and the managers are already so beaten up one more shot at the ego has little incremental effect.)
Almost three quarters of cloud users don't do their own security on external clouds
Why is security such a big deal?
Could it be the hand-off, power-without-effort, auto-magical aspect of cloud computing (which is, mainly confined to the sales pitch, not the products or implementation)?
Is it significant that, even though security is the No. 1 concern (with a bullet) IT people have about cloud computing, 72 percent of companies already using external cloud providers cannot or do not take control of security on their own cloud-based servers?
That tidbit is from an upcoming survey from CloudPassage, a firewall- and intrusion-detection vendor that takes the odd approach of making cloud systems secure by adding more cloud to them, by selling its multilayer security software as a subscription service (SaaS) rather than as traditional software.
- According to CloudPassage's survey of IT people:
- 31.2 percent of companies let their cloud provider handle all the security;
- 21.3 percent do cloud-server security themselves, but manually rather than automated or by policy;
- 20 percent don't secure cloud-based servers at all.
I realize I said not too long ago that, as a specific technology, cloud computing doesn't exist.
I still believe that's true, but not to the extent that servers running in the cloud don't have to be secured or maintained because, in the cloud, the don't really exist or can't be found by bad guys. Metaphors like "cloud computing" are wonderful ways to shorhand complex concepts, but they're not good as hiding places for actual servers.
What I meant by "doesn't exist" is that cloud computing isn't a raw, new technology whose insides shouldn't be messed with by IT people without specific cloud experience. "Cloud" is a blanket term describing the tight bidirectional integration that makes many types of virtualized systems operate like one big, coherent system.
It's not designed to do all your routine server work for you. You don't have to vacuum a virtual server; you do have to put a firewall on it.
Many in IT are still confused about what this "cloud" is and what they have to do about it
The cloud is like a dashboard that lets you monitor and control a whole range of systems from one place, with a lot of load balancing, trust-relationship-maintaining, resource sharing and remote-system-function-calling going on all the time so the Unix systems in Poughkeepsie can offload some of their peak-time processing work on the Tempe data center while both do temp data dumps on the high-speed storage systems in the DR/business-continuity facility in Skokie.
Underneath all the nifty cloud technology – the virtualization, virtualization-management and virtualized-system-integration products from VMware, Red Hat, Microsoft, Citrix, Cisco, EMS, IBM or other developers of products designed for resource-intensive, high-availability data-center applications – are virtual servers exactly like the little ones running Exchange and SharePoint and your firewalls and those test/dev-marketing apps you can't stand to have in the actual data center because the test/dev and marketing people come with them.
You can't just load those VMs onto virtual-server cluster in someone else's cloud and expect them to take care of all the security.
Yes, cloud service providers do security; they spent a lot of time answering your questions about their security, what protocols they follow to respond to DDOS attacks, malware floods and other common threats. They also spent a lot of time dodging your questions about when you'd get to tour their cloud facility to see the high-security provisions for yourself. (They realize it's a trick question, you weasel; no one should be able to get in there except for vetted and bonded employees of the service provider.)
That doesn't mean you don't have to build a firewall to cover your cloud servers, or go into the master images of the virtual machines and build in the same access controls, policy-based access- and use restrictions you build into the VMs in your own data center (or, if you work for Luddite, Inc., into your physical servers).
Yes, it's more work. Yes cloud providers are supposed to save you (some) work. No, it's not unreasonable to expect you to be responsible for the security of your own damn servers.
Cloud providers sell capacity, not auto-magic
Cloud providers aren't there to rent you slivers of utopia for which you can pay by the hour and only for as much heaven as you can use.
They rent you space in their computing environment, exactly as they did when they were just hosting services, or co-location service providers or outsourcing service providers.
When you hired them under those names you knew you were responsible for security on the physical servers you placed with them.
The service providers only promised to provide enough reliable power, Internet bandwidth, basic monitoring of the physical environment and physical security of the building.
If someone got into your servers via telnet, FTP or anything else that didn't involve entering the building, the failure of that security was your fault, not the service provider's.
It's the same thing with the cloud.
Cloud providers rent you preconfigured chunks of computing resource rather than square feet of floor space.
You contract for so much bandwidth, so much CPU power, so much storage, memory, database-server space, access and performance characteristics and any other resources you need to make an application run on someone else's hardware.
They give you secure access to your VMs, build barriers between your VMs and those of other customers and make sure the security around the outside of the cloud environment itself is tight.
If someone enters using a fake ID from your organization, or hacks into your corporate net and then rides your VPN into the cloud and onto your servers, that's not the cloud provider's fault.
If hackers do the same thing to another cloud customer, but break out of their VM cluster and attack your servers, it's partially your fault if the servers are unsecured and you get pwned.
It might be the provider's fault another customer's hackers were able to approach your VMs; it's your fault there was nothing to stop them once they got there.
"Confusion" about how to manage cloud is more about denial than ignorance
Three years after I started writing about cloud computing I was still writing stories about how confused many companies were about cloud computing – what it was, what it could do for them, what they could do with it, how they'd work with anything put in a cloud, what they'd do if anything were lost…a whole series of questions I figured were self-evident to anyone savvy enough to investigate whether they should cloudify some part of their IT infrastructure.
What I kept running into were people who had some kind of conceptual block they could move around like a box inside their heads.
They understood virtualization, how to manage virtualized systems, how to overcome the weaknesses of "virtual" systems neither the sysadmins nor most of their management tools could see.
They understood how the cloud technology worked, how to allocate resources, how to evaluate the results.
Sometimes they even understood how to deconstruct existing applications so they were more services-oriented; software designed to run as SOA can be treated as separate application within the cloud, so it's possible to assign more CPU power or memory or storage to the database, query and search functions and other pieces at the business end of the app, rather than spending the same resources for access control or storage management as for data crunching.
No matter how well they seemed to understand the various little pictures, most managed to misunderstand some portion of their relationship with external service providers.
"Cloud" is cushy, but secure your own damn servers
Most didn't get that cloud providers are not full-service outsourcers who run and maintain the apps they house.
Nice as it would be to finally find it, cloud providers are not the vendors who will finally deliver he Auto-Magic feature that was supposed to be part of every labor-saving app or system you ever bought. ("It happens, auto-magically; you don't have to do a thing.") Cloud providers don't promise to take any big pile of bad code, unstable software or cluster of VMs and take away your need to be involved in any way once you hand off the messy IT to them.
Cloud providers provide IT, not miracles. The cloud can't fix all your problems; it can't even hide them all.
If you don't trust the security of the cloud, but aren't completely sure why, it's possible you haven't gotten your hands dirty enough to figure it out. That's true especially if you know everything there is to know about how to secure your corporate networks and servers against all threats. Your servers in the cloud are the same as they were in your data center. Only the IP addresses are different.
"The cloud" is not Oz; it's a data center. It's someone else's data center. It might work better than yours, have plenty of resources it can rent you whenever you need them and someone who smiles and speaks politely when you call with a question or a problem (rather than the incomprehensible argot of scowls, growls and obscure acronymicry sysadmins use to fend off meddling even from highly technical managers).
"The Cloud" is luxury co-location, hosting services with ease-of-use functions that actually ease use; outsourcing without the complete loss of control.
Even in a luxury hotel you have to lock the door
You have to secure things you put in the cloud; you have to maintain software and data you put in the cloud; you have to keep track of data you put in the cloud, what apps can use it, who can access it and what they can do with it.
Three and four years ago I thought all those things were so obvious anyone interested enough to ask about them would probably understand them already.
But people buy into "The Cloud" as a way to make more IT available to their companies without the incremental addition of workload every new IT resource inside the firewall requires – security, maintenance, lifecycle management, data controls.
It's not really fair, but even in the cloud, there's no way to avoid that. Every server you put in the cloud has to be managed and secured and audited and monitored, just like any server you put inside your firewall. The only exception is SaaS, which runs on someone else's server and doesn't give you any control of the app itself.
If it's your server, your app, it's your problem, even in the cloud. Ignore that rule and something terrible will eventually happen and it will be your fault.
So if you're one of the 20 percent of IT managers who don't secure their servers at all or leave all the security to their service providers, do your bit to keep the unemployment rate from increasing: go secure your servers.