Photo Credit: Aaron Burden

Dr. Oddlust

How I stopped worrying and learned to love the Cloud

The Cloud can be better appreciated through practical, real-world experience. That I can provide from three vantage points. First, as an enthusiast. The Cloud is a minor technological advance driving a potentially major commercial advance for society. Second, as a user. Like so many others, I consume Cloud services: Dropbox, iPhone apps, and so on. But Canada Post is also a commercial consumer of platforms, infrastructure, and tools. Third, my team creates and offers products to the market as services in the Cloud. These include storage, archive and retrieval for institutional and consumer markets, and secure file delivery/collaboration.

Canada Post is arguably Canada’s very first “Cloud” provider. The mail is a 160-year-old national, pay-as-you-go, common service communications capability. Moving that mentality, experience, and method to the Internet is a natural progression. epost itself is a genuine 13-year old Cloud service.

To know how the Cloud has evolved, we need to understand where its come from and why.

Cumulonimbus: Worry, worry, worry

Over time, we all become comfortable and so our personal and organizational worlds get entrenched in the way things work. IT is a great example: there is some magic and, given the pace of change, an abundance of unknown and risk. So any relative stability is held dear by executives seeking efficiency and continuity. Then along comes the Cloud to disrupt that tenuous comfort.

Is the change that the Cloud represents a radical change to compute, storage, or network technologies? Not in the least. The same systems and processing capabilities, advancing at the velocity of Moore’s Law, are behind the Cloud as are behind decidedly more earthbound alternatives.

What has changed is the business model. Where the storage, compute, and network vendors would have everyone as their major markets, they’ll sell more to Cloud service providers acting as a proxy for the traditional end purchaser. Now, that end purchaser buys IT services and service availability. The value of the underlying technology increases because it is professionally managed and up-to-date. Moreover, it leaves the end purchaser’s capital free rather than tied up in these assets. It’s a change. Not a big change, mind you. Not one that is unprecedented; but a change in the nature of the risks at hand.

We, humans, tend toward irrational. When changes are afoot or if there is uncertainty, we fall back into habit irrespective of all else. We take comfort in the known and will do crazy things for that safety. As it relates to worry about the Cloud, despite the solid benefits and hollow threats, the Cloud’s anxiety causing features have and continue to include variations on the following themes.

Safety and risk

Safety and its obverse, risk, is perhaps the most primal imperative we carry in our genes. It is inescapable and in this context relates to concerns about our information and other assets. It takes the form of questions such as: Are the data safe? Where are the data being held and is our (our customer’s) information suitably protected? If we put our intellectual property into the Cloud will it be jeopardy? Can we trust the Cloud provider not to steal our information? Will the service provider extort us when we are dependent on it either by raising prices when our data and mission critical systems are with it, or by locking us into its particular systems?

Trust is hard to synthesize or fake. Fortunately there are means to mitigate these risks to acceptable and workable levels.

Availability and control

Availability is an obvious representation of our need to control our stuff. For various reasons we often overweight certain risks—due to recency, availability, and so on—which causes anxiety. Because there are so many readily available (yet suitably probable) examples of trauma due to unavailability and leaving important things to others’ control, we tend to get anxious. For IT and the Cloud it manifests in questions such as: Will the service be available? Can we count on the SLA? If the systems aren’t under our control, can we control availability… What about the longevity? Will it be protected from disaster? Will we, our customers, whoever be able to access it when we want to do so, or will it be unavailable or gone?

Comfort with loss of control is a conditioned state, like being a passenger in any form of transport, and eventually dissipates as a function of experience.

Stratus: What, me worry?

With the exception of Cloud visionaries and acolytes, it’s those in the commercial and government IT world that have tended to worry about the Cloud. Sadly, for the most part, they still do.

Fortunately the Cloud has a few things going for it right now. From all quarters, the early majority of commercial users is reporting the kind of positive results that the visionaries and early adopters promised would come after the initial wrinkles were ironed out. Costs are down; responsiveness is better. Positive results are accelerating bandwagon adoption, pushing into the early majority, which always represents the technology and change tipping point.

Myths and fears about the Cloud are being put to the test and are disappearing under the light shone on them. What remains are readily understandable risks. After all, business (including IT) is all about risk management. That reduces to dollars and cents, probabilities, insurance, and so forth. Business people and government administrators can both understand the situation and have the tools to deal with it.

Speaking of dollars and cents, courage is not the absence of fear, it’s acting despite the fear. But sometimes acting requires motivation. Today’s motivator for many moving to the Cloud, like the federal government (as witnessed by the recent Treasury Board announcement), is money. Yes, politicians and bureaucrats are worried at organizational and personal levels; yes, it’s a change in risk type; yes, it demands adjusting security, privacy, career roles, and so on; yes, it’s unknown in so many ways. But they’re doing it anyway… because they’re being forced to do it. In the federal government, they’re being “told” to do it via directives on cost, efficiency, shared services reuse, and so on. Businesses are being “told” to do it by their employees’ and customers’ demands for their own (mobile) devices, access to social networks, open data mash ups, and transparency among other wishes.

The nature of the IT game right now ought to have everyone still just a little bit worried. When there’s no reason to worry; there is no uncertainty and hence no opportunity. And today, the Cloud is about opportunity on so many levels.

Cirrus: Don’t worry, be happy.

It’s arguable that although we are still a little worried, we’re dealing with our Cloud anxiety. So, how do we get to love the Cloud? Time... Over time, evidence will mount and further technological change will happen. Comfort with the adjustments to the nature and magnitude of risk and role brought on by the Cloud will evolve when eventually nobody remembers what once prevented the shift. The Cloud will be the way. With Cloud, time is on our side.

  • The economy is on our side. As we all know, it has been a bit unforgiving for the past five years. Around the world, businesses and governments are dependent on information technologies, which constitute enormous proportions of operating costs and capital budgets. So, they see and are seizing the opportunity to restructure those IT costs from the capital intensity and magnitude of yesterday to gain productivity and tools that enhance innovation and core business value.
  • Demographics are on our side. Post-GenX grew up “native” to mobile and Cloud. It doesn’t trouble them and they are gaining influence. That said, stupid kids are not on our side; including every social networker who does ill-considered things online. For instance, posting to Facebook a photograph of the operative pages of your new Passport is dumb. But because it’s hard to outlaw naïvity or stupidity, the technology/ the Cloud will take the blame. The Cloud is not a security or privacy risk; people are.
  • Precedent is on our side. The longer the Cloud is in the wild and getting bigger, the more people will see it as nothing fearsome. Anybody used a credit card in the past decade or two or a phone system or benefitted from power or water utilities? In their own way, these are what the Cloud is ultimately: a utility that has greater value for all than for a few. It’s heading beyond PaaS, IaaS, and SaaS to ITaaS.
  • Geography is both on our side and not. It is because as the Internet grows up we realize that geography’s revenge is national borders and jurisdictions less porous and malleable than the promises made long ago. That puts us back into traditional realms we know and understand. Geography is not on our side because what the Cloud creates is a relatively few data centres with more data in them. Easier to guard—maybe—but definitely more at risk in the event of breach or catastrophic problem.
  • National security establishments (and Assange/ Snowden) do us no favours. Just as the spectre of the Patriot Act starts to recede, along come the NSA and CSE revelations that they (a) can decrypt the primary (SHA2) algorithms used in all SSL and PKI, and (b) are snooping everywhere. Of course, this extends well past any single “Cloud,” but public Cloud will bear the brunt of the fear.
  • Human behavior is not on our side. Many behavioral and cognitive biases work against the Cloud. Among others is the monstrously delusional belief that if we have control and possession over something it will be safer. Silly, and would end the banking practice entirely. But, that’s not how we compartmentalize things; and possession is 9/10ths the law they say. So, many will continue to favour traditional approaches to IT over the Cloud for a while.

Erasing ignorance is always beneficial and would contribute to loving the Cloud. Even more misunderstandings and mythologies about the Cloud need to be exposed.

  • Upon hearing about the Cloud, everyone defaults to “public cloud,” the apparent global wild West of exposed networks. But most Cloud deployments are of the private or hybrid variety. There are good reasons to use every type, but the (perceived) risk profile of these two is better than for public Cloud.
  • Being aware of the difference between Platform, Infrastructure, and Software as a Service is important because it affects risks. Similarly, the difference between an application in the Cloud and data in the Cloud significantly changes the risk profile of the Cloud.
  • Security in general and among the top-tier Cloud infrastructure, platform, and service providers is very high grade. Security is, however, imperfect. It will be challenged and then enhanced in the ongoing dance of progress. That doesn’t mean one should hide under the blankets waiting for morning.
  • It’s logical that those whose mission is to invest and gain cutting edge expertise in managing information must have greater resources and capability to cost-effectively protect information than organizations for which IT is not the primary business.
  • Greater understanding of the machinations of laws, (conflicts of) jurisdiction, and the intra-governmental relationships and treaties among Canada and other nations would go a long way to expose the absurdity of red herrings like Patriot.

Forecast: partially cloudy with change on the horizon

The forecast for Cloud deployments is positive and rapidly changing. Storm fronts are ceding to a comforting shade which will only be more pleasant as the economy and the demand for focused attention to core business productivity and innovation brightens and heats up.

Ultimately, the new world of the Cloud is not about the technology and technological control over information and so forth. It’s about trust, relationships, and what you do when you don’t trust but still need the relationship.

Other writings that might be of interest.