The cloud virtualization black hole
Silence is deafening
Reader Workshop

Last week was an interesting one for the virtualization workshop, as we turned our attention to cloud computing and the reaction has been, well, nothing. Well, that's not quite fair – the comment on Virtualization and the cloud was, "Good article. Please, I implore you to add case studies," and on Unravelling the cloud confusion was "Where's the silver lining?"
There's not much we can read into either of these points, other than saying "good idea" to the case studies thing (indeed, we often get these through your own comments, so don't hold back!) – but the overall silence was deafening. It was similar when we asked what came beyond virtualization in a previous week. Now, we don't want to spend too much time hypothesising over what does, in fact, present a gap in our knowledge – though there does seem to be a level of "just don't know" when it comes to thinking where virtualization might lead. It is interesting instead to turn our attention to another article last week about applications/data and the cloud, which did raise a hefty number of comments.
The crux of the responses (which will indicate why this is relevant) was about trust: that is, whether information is any safer in the cloud than in-house. Here's a selection of responses:
Utilising a cloud service as a core business process is idiotic in the highest degree. It is just plain stupid on so many levels.
I don't trust the cloud solution - I much prefer to have it all where I can keep my finger on it.
Storing normal information on the cloud is in itself a dangerous prospect, but when you realise the majority of companies process personal data of one sort or another it becomes clear just what a compliance nightmare this really is.
It's interesting to keep this perspective in mind when we look at virtualization and the cloud. Yes, sure, the virtual machine does offer a portable bucket in which applications could run, and indeed, this bucket could notionally exist anywhere that there is accessible processor capacity. But just because it can, doesn't mean it should. Why not? There are some pretty fundamental data protection issues for a start – which are only just starting to be talked about, never mind tested in the courts. Indeed, some of the comments were questioning whether cloud-based services were in fact legal under data privacy law in some jurisdictions.
There are also questions over the longevity and stability of some of the newer kids on the block. And finally of course, the cloud model remains largely unproven – though hosting has been around for years, the wholesale handover of IT to what remains a series of unknown quantities would be as foolish as... oh wait a minute, that's happened before hasn't it?
Cloud computing may offer a whole bunch of benefits over existing kit, but it doesn't appear that anybody is rushing to get to the front of the stage. Perhaps this one comment says it all:
I wouldn't want to be a test case, I'd take the wait-and-watch approach for others to set precedent whilst waiting for my current tin architecture to die by attrition, just for a few more years...
In all honesty, is it any wonder that many are just getting on with things, and waiting to see what happens? After all, it's not that IT staffers are idly looking for extra things to do with their time.
Perhaps the silence shouldn't be so unexpected after all.
Yep, you are correct that SOME timeshare systems offered dialup, but surely Hunt the Wumpus didn't need to be as secure as Stanford's financials - which in theory should have been on another system. LHS also offered dial up, but again, nothing secure was supposed to be on the system.
Microsoft hugs servers, why shouldn't we?
The external Cloud demands the outsourcing of trust. And thus amanfromMars is right - if you have no control you have no server (or server integrity, if the owner is kind enough to let you remain on the server while he makes a conquest of your data, clones it running, etc).
The Microsoft Security Response Center understands this. Their "10 Immutable Laws of Security" becomes a common sense guide to Cloud Security when you replace "bad guy" (the person who has exploited your trust) with "Cloud Provider" (the person you trust);
Cloud canneh change the laws of phusics ..
Justifiable paranoia? (aka: FAIL Scales)
>> For years and years and years and ... people have been able to entrust, say, their business accounts to an online accountant.
I remember the time well - back when you knew, each and every day, which continent your accountant had his server on. For that matter, the continent the guy who jimmied the door to his office was on.
But that was then. Your online accountant has since migrated to the Cloud in order to reap the benefit of negating the maintenance and management costs of that physical server. His shiny new IaaS server image now exists virtually between two or three continents, as the follow-the-sun package he selected achieves optimal cost for his minimal compute needs.
Now, have a guess at which continent you're slowly being flamed from .. I'll give you a clue - it's just gone past midnight .. ah, here comes your data now. You're right, of course, it doesn't really matter. But did you know that my access to your accounts, without your or your accountant's consent or knowledge, is legal on this continent? Here's an example from a continent that may also occasionally contain your accounts;
It's only unjustified because you don't understand the problem.