Although the net effect of Prism is not clear, the scare is timely, coming in a year when CXOs and boards are swamped with pitches to adopt the cloud wholesale. Many had just turned their attention to cybersecurity. That attention comes a decade late. Too many companies have thought nothing of adopting the ‘cloud’ even though it is less secure than their own networks. At too many companies IT has warned for years of network intrusions, data thefts, malware injections, and diversions of IP while being forced to beg for budget. Only the avalanche of billions of dollars in stolen value finally got the message across. As billions more are poised to diffuse into the cloud, now would be a good time for CXOs and boards to shed more light on why, how, and where the data go.
Boards and CXOs who have dismissed IT as “too technical” for them to understand have nonetheless endorsed edge strategies as “necessary change”. Already the cloud, like social media, has come back to bite early adopters, whether through outages, abuses, or unexpected legal consequences. It matters not only who does what for whom but where in the world a company’s data lands, which, as we have seen, gives governments and other parties direct and indirect access to your information. Big data has attracted open source software and the open cloud developer community. A company does not really know what is built into the software or with what motives. Security is a problem from Hadoop (Java based) to Ruby on Rails. Even as the Department of Homeland Security has been warning the public to turn off Java in browsers, Hadoop has suffered from, for example, “information-disclosure” issues and shares data across its system. Rails has harbored critical vulnerabilities, including the ability to execute malicious data-stealing code remotely on the servers running programs built with, say, Ruby on Rails. So, to what is your company exposing its data?
Before a company makes the shift to the cloud, it would do well to ask some questions:
What do we have out in the cloud? Data? Software? Platforms? Infrastructure? Do we understand what we are going to do next?
Are we looking at the public or private cloud? Do we own our data centers or does someone else?
Are the data centers secure, and how do you know? Have they been audited by an independent third party? Are we and anyone else involved members of the Cloud Security Alliance? Who sets the standards these data centers meet?
Is the power for our data centers secure? How much power do our data centers draw? How well does the grid support that draw? Do our data centers have a history of power outages? Is the power reliable or do you have plans to make it reliable? Do we understand our corner of the grid? Do we understand what would happen if someone builds a data center down the street or across the road? How long could we stay up if the grid goes down? And what happens next?
Have our data center capital investments kept up with power demands? Technology demands? Competitive demands? How long and what dollars would it take us to build out a data center for expansion? Are you expecting us to give you funding for expansion or redundancy on which we cannot deliver?
How secure are our power costs? How much are we paying for the power we use, and for the power we might use but might not? Who pays if the price of power should spike? Have we assessed the possibility of power price spikes? What happens to our model if power prices go up, stay up, and continue to rise? Have we hedged our bets?
How redundant are we? Have we considered the geopolitical and geographic risks, from storm to earthquake, terrorism to malicious cyber attack, provider outage to utility blackout, interconnections to interdependencies? If the data center fails, to where do our systems fail over? What is our liability for failure?
And what about the software?
For too many years the greatest cyber challenge CXOs and boards thought their companies faced was the lone black-hat hacker. It has taken years for IT to get the message of organized and even nation-state threats through, even as IT itself moved towards software of unclear provenance, often built by a community with mixed and unknowable motives. As companies have increasingly embraced a free-lunch model of free code, free services, free work, free movement, and free information, they have ignored the oft-proved truth: there’s no free lunch.