Cloud Computing Security

Cloud computing is the current rage among IT professionals. It is where someone else is hosting not just web pages, but whole business systems. The allure of moving systems to the Cloud is that things will be much better (and cheaper) than having to manage systems ourselves. Who can argue with "cheaper and better"? The problem is that all the issues have not been fully explored and one issue is security.

Security on "Cloud Computing" is a big issue. While we have not heard of people being hacked while their data is on the "cloud", that is only because the technology is too new for the big stories to leak out. Anywhere data is - it can be compromised. It can be compromised by an outside attack or from within the "cloud" provider. For an example of an inside attack, in January 2009, an engineer at Fannie Mae was indicted for trying to put in some logic that would have destroyed all 4,000 of their servers. Once there is enough important data on "the cloud", there will be people trying to get their hands on that data illegally.

Another problem is what will happen when the "Cloud" provider updates their system. It is possible to have a security hole opened when the system is updated. For example, Facebook updated their system and exposed a lot of data that people thought was secure. Other systems have had embarrassing security failures when making changes.

Other issues include government and regulatory issues. In many jurisdictions, you have less legal protection when your data is on the "cloud" For example, if your data is on a system inside your company; it takes a court order for a government body to look at that data. When it is at a service, it only takes a subpoena. In 2009, a Dallas hosting service was raided by the Feds and a number of computers taken. A number of "innocent" clients had their hardware and data seized in that raid. Where your data is can make a difference as it could be more secure when in one jurisdiction than in another. The other problem that this incident shows is that someone else using the shared hardware might do something that would bring the whole system down. It isn't enough to "vet" the supplier; you might need to "vet" all other clients on that hardware.

The final issue is that of the provider. Right now, much of the sales pressure is on price. That means that providers are pressured to offer the lowest price. In that environment, there will always be people who will cut corners. They will cut corners on staffing, on making sure that the security is tight, on actually meeting peak demand, etc.

When planning on moving your systems to the "cloud", it is important to not just include security in the Service Level Agreement, but also to monitor and manage what your "cloud" supplier is doing.

Make fewer decisions!

Warren Buffett says that he only has to make one major decision a year in order to keep on making oodles of money. I have run into people who think that they need to be doing that before the morning coffee and many more before the end of the day.

Part of this difference is in the knowledge of how systems really work. We make a living by dealing with systems that are not rational, not ordered, but are Chaotic and can be described by fractal mathematics. What that means is that the systems often have the same behavior when measured by a long time line as when measured by a short time line. Thus, the mutual fund operators who trade daily wind up with nearly the same results as those that trade one a month or once a year. Those that trade less often have lower costs and can use the effect of compound interest in their favor.

One aspect of chaotic systems is that many of them can be described with simple mathematical equations. These equations don't give a total definition, but simply describe what is happening. In short, many (but not all) complex situations can be described by simple principles.

This is why simple "employee handbooks" work. Yes, there are huge manuals at some companies that try to spell out what should happen in all situations. But, those huge manuals can't cover every situation. Instead, those "employee handbooks" that lay out core principles give employees the direction on how to make the right decision in any situation. Using simple decisions to drive how many other decisions will be made - allows for simpler system management.

Just because you can, should you?

Fairfax, VA, police department is writing significantly fewer traffic tickets because of the new computerized system for entering them. Officers are spending a half hour per ticket to write it up and if there is a bug, it can take several hours to finish. The question for any software developer is: should you computerize something just because you can?