What do the government chief information officer, privacy commissioner and national cyber security centre have in common?
Nothing. That’s what. All three have issued contrary advice on the use of cloud computing by government agencies, and that contradiction is confusing decision makers in government and slowing adoption. In a classic case of the left hand not knowing what the right hand is doing, a recently published document from the National Cyber Security Centre titled Cloud, Risk and Security muddies the water significantly and should be challenged.
Let’s start with the good. As I commented a few weeks back, the GCIO has released an excellent paper on managing the risks of cloud computing (as well as other things, like large projects and security). While this is a mandatory process, it sends a clear message that the GCIO recognises the cloud horse has bolted and that cloud can be carefully managed through good risk planning; as a document for evaluating cloud providers, it is excellent. It seems to be a steer away from simply demanding that agencies use specific government-approved services towards guidance, expertise, and careful management of your own destiny.
So they get a 10 out of 10.
Then we have the Privacy Commission, which released its view on cloud computing some months back. It is confusing, to say the least, particularly for small to medium business, and the information hasn’t been updated in nearly 18 months. Asking a small business to consider NIST standards is like asking a mechanic to understand the chemical makeup of a particular alloy (that is, utterly irrelevant), and spuriously quoting standards doesn’t much help either. Martha, on Xero, running a Dog Day Care business does not care a jot about ISO20001. While it makes the point that privacy is everyone’s responsibility, it associates privacy with technology, which is a particular bugbear of mine. Privacy is a business problem, not a technology problem.
So it gets five out of 10 for at least attempting something but it is missing the audience in much the same way a foreign movie without subtitles does.
Now we have a paper published on the National Cyber Security Centre website that, on the face of it, would scare Martha from the Dog Day Care business into buying her own datacentre, let alone any slightly paranoid government chief executive or chief information officer, who is likely to start buying servers again.
“This paper seeks to encapsulate aspects of cloud risk and related work in order to present a comprehensive view of the benefits, issues and risks in cloud computing.”
It doesn’t say it is a balanced view, which is good, given the first paragraph:
“There is much concern and a great deal of caution in the use of cloud services and the hosting of critical data in the cloud. Gartner describes organisations using cloud services as early adopters and fast followers, the terminology indicating the immaturity of cloud services. Many early adopters are driven by the need for performance, scalability, resource sharing and cost saving.”
I guess the document shows its age here, given that cloud computing can no longer be called immature on a global level. But the real issue I have with the document, and another pet hate, is that it does not quantify the risk of cloud computing against the real world.
As a former risk manager I know that all risk must be quantified against a given state. For example, you can’t say “it is risky to move to Baltimore because that is the murder capital of the US” without pointing out that you currently live in Syria. Risk must be quantified on where you are now and where you are going.
The first 18 pages of the document set the scene, though it is not entirely clear who the audience is.
Then we get into risks:
“While the cost savings have been the most visible and best promoted perceived benefit of cloud services, the risks of cloud have not been comprehensively identified and are less well understood.”
This is a true statement, and as we will see, this document isn’t helping that problem.
The author identifies the first risk as a changed business model. To me, this is not a risk. It is a) the natural progression of ICT, which most overseas countries have figured out already, and b) the entire point of cloud, which is to unlock new business models. Sure, there is a risk that if you aren’t ready you’ll screw it up, but that has nothing to do with cloud at all. We should have moved to a service management model in government ICT a decade ago. If cloud drives that change, all the better.
The list of risks then expands into a table that, taken at face value, looks massive. Here’s a handful, with my view on each:
- Bandwidth Cost: Likely to be less, in my experience.
- Poor technology performance: Likely to be better than what most agencies do today and, if issues occur, easily scalable.
- System Resilience: Massively resilient compared to in-house operations that can’t afford that level of SLA.
- Incident Response: Probably a lot better than what an agency does currently and certainly able to match Service Management if you have it.
- Vendor Lock-In: As opposed to the completely proprietary lock-in you have today with your own hardware?
- Multi-Tenancy security implications: Better than what you do today I would suggest.
- Data location: Does it matter as long as the data is safe? Nope, it doesn’t. Your data will be safer in the cloud, regardless of where it is.
- Increased attack surface: Nonsense. That’s like saying that living in an apartment building with three million tenants is less safe than living in your own house.
- Malicious insiders: Not a risk. You are more likely to have an admin with good access to your current environment than you ever will have in a cloud environment.
- Reliance on external support: Not a risk. You are more likely to get 24x7 support from a cloud provider than you ever are from your own internal 8x5 team.
Now, if you pick a rubbish cloud provider, then you’ll get exactly this kind of risk, which is why the GCIO released its guidelines: so you don’t.
Then the author gets into what is clearly their area of expertise, security risk. There is no doubt the author is an expert in this area. However, in my opinion, the risks are unbalanced.
Here are a few examples:
Location. The author seems to think that anything that is not in New Zealand is a high risk, but then points out that locations should be away from physical hazards (like earthquakes and volcanoes; hello Auckland and Wellington) and that we are reliant on communications links to get there. I’d bet my bottom dollar that any cloud service provider able to offer multiple layers of redundancy across multiple continents with multiple connection points is far superior to the current practice of having a data centre in your basement on The Terrace.
Jurisdiction and sovereignty is raised as well:
“One reason for the international focus on the Patriot Act is the aggressive and enthusiastic use of that legislation, by the US. This has manifested itself in a degree of distrust by EU nations in the ability of US cloud service providers to adequately protect and secure their data. It is fair to say, however, that many other nations are equally enthusiastic but perhaps less public in exercising access rights.”
Well, if we were going to avoid that risk then we’d move our workloads out of New Zealand to Sweden and Germany. Given New Zealand’s relationship with the Five Eyes network, it surely is at more risk here?
Poorly virtualised environments are raised as a risk; again, in my opinion, cloud-provided virtual environments are infinitely better than in-house ones.
The list of risks goes on and on but never quantifies those risks against the current state.
Where am I today, how risky is it, where will I be if I move to cloud, how risky will that be against my original position? THAT is where the GCIO guidance comes in, kicks ass, and cleans up. Can I say that? Too bad if I can’t.
The problem with documents like this is not the content. It’s written by a professional and the material is valid. The problem is that it’s not balanced, and the fear, uncertainty, and doubt it creates costs the country untold millions while agencies take advice on how to navigate a minefield that simply does not exist.
Worse, it kind of makes the government look a bit silly when the GCIO has the helm on this and some other minor agency appears to be undermining their good work.
But as always, it’s just my opinion.
Ian Apperley is the director at Isis Group and blogs at Whatisitwellington