A Cloudy Christmas Carol

During this festive season, I thought it would be fun to interweave the stylings of a Charles Dickens classic, A Christmas Carol, with a visit by three ghost—the ghosts of cloud past, present, and future … And in true Ebenezer Scrooge fashion I will tie up some loose ends from my past failings (i.e., blog entries that I failed to complete earlier in the year) in this one final blog for 2016.

The Ghost of Cloud Past

The ghost of cloud past paid me a visit last night as I reviewed the year and some of my writings. Last year the rhetoric was a lot of trepidation about moving to the cloud from many organizations. However, in 2016 we saw that attitude shift quickly as the benefits and competitive needs outweighed the concerns. One of the reasons this confidence has improved from the past is that there is better visibility into cloud providers than ever before. So, time to scrutinize your past contracts and SLAs.

SLAs are primarily there to protect the provider of the service or to show competitive marketing. However, there are some interesting things you can glean from reviewing any SLA document. SLAs are typically broken up into three areas: Availability, Performance, and Functionality.

• The Availability SLA can show you how much is invested in the infrastructure and redundancy of a service provider. If the provider states three 9s (99.9% uptime) there is a relatively modest investment; if the provider states five 9s (99.999% uptime) there is a massive investment; whereas four 9s (99.99% uptime) is the average investment. I don’t say this to cast a poor light on anyone offering 99.9% uptime; that in itself requires a level of discipline and investment that many independent organizations cannot achieve. However, these numbers will offer some insight as to what type of data centers the provider may be using, or if they are deployed to different geographic regions. It can give you a better understanding of areas to delve deeper into when reviewing the service.
• The Performance SLA can show you how competitive the service is against its rivals. For argument’s sake, let’s look at a fictitious cloud provider that analyzes song lyrics. Its performance measures are:
  • Song upload
  • Song download
  • Song editing ~10 minutes*

 *assuming the file is less than 1MB

As you can see, I included a qualification to the performance measure. Most SLAs have this, so I point this out to make sure you are looking through the fine print of your SLAs to ensure you are getting the performance that you expect, based on your requirements. These SLAs are usually defined by the providers with their worst performance in mind. They often contain clauses such as “average over time” or exclusions of other problems that may impact performance. You can get a sense if your provider is pushing the performance boundaries if its SLAs are greatly superior to any competition, or if the provider is playing it safe and matching the competition.

• The Functionality SLAs can be availability or performance based, or based on a marketing promise, such as “We guarantee to deliver a report by 6 a.m. every day.” These can often be competitive differentiators, so look closely if there are SLAs about specific features that you care about. If there are many functionality-based SLAs it can give you some insight into what the provider believes is the most important items for its customers and what level of service you might be able to expect. Ultimately, I will hold by my statement that both provider and customer want to offer and receive 100% SLA achievement, and having too much focus on “good enough” SLAs can be a detriment to achieving that goal.

The Ghost of Cloud Present

The ghost of cloud present is here. Everyone is rushing to the cloud—they are containerizing and implementing DevOps with IaaS, and IT is trying to find out just what cloud services its line-of-business employees are using.

Containers have become the biggest trend in cloud computing along with moving services to IaaS providers. The reason they have become so popular is the ability they provide to rapidly deploy the service with a micro-service architecture to stay competitive. This trend does expose some security concerns, primarily around vulnerabilities within the containers themselves.  Therefore, organizations embracing containers should enforce a secure foundation for their containers (i.e., don’t create your containers with Shellshock not remediated).

Achieving faster velocity is great. However, make sure to protect your assets in the IaaS provider’s infrastructure by using multifactor authentication and good account procedures as I highlighted in my blog on “How to Protect Your Cloud Accounts from Being Hacked,” while also embracing SecDevOps to integrate security throughout the continuous deployment lifecycle. These present trends require an inclusive security posture that allows your organization to Protect, Detect, and Correct from today’s targeted attacks.

The Ghost of Cloud Future

The ghost of cloud yet-to-come has arrived and brings interesting new topics to review and discuss. How will the automated-everything world of the future impact our security postures and, ultimately, our daily lives? The heart of the IoT, AI, and connected world will be fueled from the cloud with 5G connections, with more and more reliance on machine learning algorithms to automate our environment. How will distributed ledger technology, such as blockchain, change how we trust any transaction? Will we allow more of our personal and transactional data to be utilized to improve our individual lives? Can we envision a world where our interface to computing devices is mostly vocal or visual? And how do we protect against those vulnerabilities? Will we trust automated vehicles, grocery stores, or delivery services with mission-critical activities?

Like A Christmas Carol, the future can be altered by our behavior starting now, so the world can become what we want it to be. Here are the things I am passionate about to improve the future:

• Helping the world groom more cybersecurity professionals. We need more people focused on the good rather than the bad.
• Having transparent data policies by every organization that clearly declare data collection, usage, and retention for the service and what the benefit is for the individual and the greater community.
• Simplifying security through the use of next-generation user experiences like natural language and augmented reality. The simpler we make it the more participation we get.

I know, the premise was corny, but I wanted to have some fun with my final blog of the year, and “The Twelve Days of Christmas” seemed overdone and too long. As always, I welcome feedback. You can reach me on twitter @Tischart. Happy Holidays, and here’s to a secure New Year!