It seems to me that we are in the midst of one of the greatest cases of mass delusion of all time. You should feel lucky, because I am apparently one of very few people who have been blessed with the ability to see this and to bring the world to its senses. And now I’m going to enlighten you.
You think the Dancing Plague of 1518 was strange? You think the mass delusion that’s causing the majority of the developed world to ignore problems like resource depletion and global climate change is important and scary? These are nothing, nothing at all, compared to the trend that’s been overtaking otherwise sane organizations over the past few years. That trend is moving things “to the cloud.”
As I so often find myself writing in these pontifications, I just don’t get it. Now, let me be clear: I don’t think everything about the cloud is bad or wrong. The cloud certainly has its place. For example, I agree that storing the pictures of your kids on (two different) cloud storage servers can save you space locally, and make it easier to show the pics to Grandma when you visit. Heck, there’s even a place in this world for Software as a Service (SaaS). Choosing the right SaaS can save you the upfront cost and annoyance of licensing, installing, and the ongoing pain of maintaining certain application that can help your business.
What makes me stand in awe, mouth agape, shaking my head in disbelief is the willingness of what I think of as well-run and level-headed organizations to store reams of their highly sensitive and confidential business data “in the cloud.” I just don’t see how this can make sense to anyone.
Over the past couple of years we’ve been upgrading the IT infrastructure here at OSR. This has included replacing all our servers and network components and implementing an entirely new backup and disaster recovery scheme. In talking with IT consultants about backups, their first recommendation was always some incredibly clever cloud-based backup scheme. The rationale? It’s stored off-site in case of a disaster, you can access the backup data directly from other locations, and the amount of storage is never limited. Sounds good, right?
Maybe. At least, it sounded sort of good until I asked if the backup data was encrypted. “Oh, yes… the data is 100% safe and encrypted! In fact, everything is encrypted via 2048-bit SSL,” they told me with pride. When I pointed out that this meant the data was encrypted while it was being transported on the wire, but not while it sat on the backup company’s servers, they nodded eagerly: “Yup, it’s fully encrypted during transit.”
“What about the data at rest, on the backup company’s servers? Is that data encrypted, and if not, can it be encrypted?” I asked. Every time the answer was the equivalent of “I’ll need to get back to you” – and almost universally the answer was that the data was not encrypted when stored on the backup company’s servers. Or, when it was encrypted, the backup company’s staff had access to the encryption keys. Which, for the record, is effectively the same as storing the data unencrypted… at least in my book.
How can any company larger than a roadside lemonade stand be willing to store their private business data on servers owned, operated, and entirely controlled by a group of people they know nothing about? To me, it just defies common sense. So, I asked the IT consultants we hired.
“They’re SAS 70 Certified,” they replied. “That means they’re entirely secure and trustworthy!” So I spent some time investigating this mystic SAS 70. And guess what? It ensures nothing, absolutely and totally nothing, about the security of the data you store in a SAS 70 Certified data center.
We’ve got tons of source code. This includes source code for our own products, projects we’ve done for clients, and even code given to us as examples. Some of this code we own. Some of this code is owned by others. We’ve got accounting records, detailing who our customers and suppliers are and what we’ve charged and paid them respectively. If I backup this data onto servers in our office, I can lock the server room. I can take copies of backups home and put those copies in my safe (and yes, I *do* have a safe at home. Actually, I have more than one). I can send copies of those backups to OSR’s office in Vancouver, where they can be similarly safely stored under lock and key and protected by staff members who we, as a company, trust because they have been properly and thoroughly vetted.
But how could I trust this data to some data center, about which I know absolutely nothing? Who says they know what they’re doing? Who says my data will be secure? Heck, who’ll even assure me that the next Snowden with a grudge against one of our clients doesn’t happen to work at the data center holding my “cloud-based” backups? Of course, there are no such assurances. The best assurance you can get is “trust us, because we care about your data.” OK, but as they say, Доверяй, но проверяй.
Yet thousands, maybe zillions, of companies do just this. Trust. And they don’t verify. Because they really can’t. Or they do worse. They do much, much worse, in fact. Not only do they blindly trust a group of unknown ass clowns with their backups of their vital business data, they outsource their email.
If your company is like ours, we use email to discuss everything from the trivial to the critical. Would any of you want the contents of you corporate email posted on the Internet? No? Couldn’t you be doing exactly that by using an email system hosted “in the cloud” by a third party? I would say so. Yet more and more companies are moving their email services “to the cloud.”
Let me give you an example. There’s a company with whom we have a long-standing technology partnership. This multi-billion dollar high tech company, which shall remain nameless, works in a highly competitive field. In their field “the next big thing” is often a bet involving, very literally, billions of US dollars. The people working there are smart, technically sophisticated, and insightful. They have shown the ability to innovate and predict evolving industry trends. Heck, they even sometimes create evolving industry trends.
They also outsource all their email.
Seriously. A few years back, they moved the entire company’s email system to an external, cloud-based, hosted solution. So, as we’re exchanging product plans, schedules, marketing documents, presentations, and source code with them, that data is all being stored in “the cloud.” By a third-party. Where it’s probably guarded by a cadre of over-worked and underpaid, part-time, hung-over, college students listening to Avicii and wondering if they’ll be able to score some Jägermeister and extra football tickets for the coming weekend.
I asked one of their senior folks about this once. His answer? “Yeah, I don’t know. IT says it’s OK, and that’s what they’ve decided to do. It saves money or something, I guess. So…”
Did I say I just don’t get it yet? Doesn’t this seem like an awfully big risk to anyone besides me? The willingness of sane folks to commit their confidential and proprietary data to a random data center in a random location with random safeguards seems to me to be one of the craziest ideas I’ve heard of since train surfing.
So, no. OSR won’t be moving to a hosted email solution anytime soon. And we won’t be backing up our confidential stuff “to the cloud” either, thank you very much. And that’s regardless of the blather that IT consultants propound, the number of official-looking yet useless SAS 70 Certificates presented, or even the sometimes sincere yet predictably unreliable promises made by sales people. What amazes me most is how it’s not obvious to everyone that moving these things to the cloud is a Really Bad Idea. I’ve thought about it, and the only explanation I can come up with is mass delusion.
Aren’t you glad you have me to show you the light?
Peter Pontificates is a regular column by OSR Consulting Partner, Peter Viscarola. Peter doesn’t care if you agree or disagree with him, but there’s always the chance that your comments or rebuttal could find its way into a future issue. Send your own comments, rants or distortions of fact to: PeterPont@osr.com.