Cloud computing is a topic of pursuit for me this week at HP
Discover. The dilemmas I raised last summer about cloud solutions (Got Cloud?) remain, from my perspective, so I'm keen to hear more about the state of the
practice. In my experience, senior management doesn't really know what
"cloud" is, although they're not as clueless as the Indian official
who apparently took "cloud computing" too literally (Hilarious: Rain
could corrupt your data in the Cloud, Indian official says).
Senior managers do, however, understand that cleaning up
after a breach is a different ball of wax when the breached systems belong to
someone else, and the exposed data belongs to a government agency. (I've spent
most of my career working for research think tanks.) Can the agency confiscate
systems, or monitor or conduct a cleanup? Who foots the cleanup bill sent by
Senior managers also understand, very clearly, that
sometimes the breach is when an external attacker gets access, and sometimes
it's when one of your own people accidentally puts data where it doesn't
belong. No matter what sorts of protections the cloud provider can claim,
there'll be data that's not allowed to go there, and it's a nightmare if it
does. It's less of a nightmare if that happens on your own systems than if
it happens on someone else's systems.
I've often said that any security policy has three goals: make
it easy for Good Guys to do Good Things; make it hard for Good Guys to do Bad
Things; and make it hard for Bad Guys to do anything. If it's very easy to
store data "out there” somewhere (Good Guys doing Good Things), it's also very
easy to put something out there that doesn't belong there (Good Guys doing Bad
Things), and that worries people.
So I scheduled some cloud-related sessions this week.
Today (Tuesday, June 5), we heard HP CEO Meg Whitman
list three themes for HP's strategy: cloud computing, security, and information
optimization. Those first two strike directly at the concerns I've outlined, so
We heard Jeffrey Katzenberg, CEO of DreamWorks, reassure us that he trusts HP to protect his cloud-based
information. That's better than saying he doesn't trust HP, of course, but it
somewhat misses the concern I described above. No matter how good a cloud provider is at
stopping Bad Guys from doing Bad Things, Good Guys could still get careless and
do Bad Things that could be a lot harder to handle when the breached environment
is outside our direct control.
I attended a session on "Top IT Trends” that included the
usual list of reasons for considering cloud solutions, but I still didn't get
any new insights on the concerns found in the research organizations I've
I attended a session called "Engineering Cloud
Transformation, Lessons Learned,” but that was about the rollout experience,
not the security concerns.
My quest for an a-ha moment continues. I'm hoping I'll hear
something this week that suddenly makes me think, "A-ha! That's it! There's a
way to pitch a cloud solution that will address the things that keep senior managers (the
ones I know) up at night.”