In more than a decade of talking about cloud computing, I have found the principle of ownership has been a recurring theme. People feel comfortable owning their computing. They know where they stand. Since cloud computing means giving up ownership, it makes people uncomfortable, uncertain of their ground.
But while there’s comfort in ownership, it’s not of itself a guarantee of security or certainty. People often talk of the risks of trusting computing that lies “outside the firewall,” as if cloud computing providers don’t use firewalls. Of course they do, and in many cases, their firewalls are more robust and better policed than the average enterprise firewall. What the phrase really means is, “outside my firewall.” There’s an implicit assumption that it must be better, simply because it’s mine.
Even if I concede that it might not be the world’s most secure device imaginable, at least I know I can trust it. It’s sitting on my own premises, configured and managed by my own staff, and up-to-date with my organization’s current security and access policies.
Or is it?
We use the term ‘on-premise’ to describe computing that’s within the domain of an organization. But it doesn’t always mean what it appears to mean. Many acres of so-called on-premise computing assets are actually deployed elsewhere, at co-location centers and facilities management sites. The organization trusts the operators of those third-party premises to control access and security.
In larger organizations, it’s not even safe to assume that staff working on your own site are direct employees. With many IT consultants and other administration staff either outsourced or brought in as contractors, the assumption that on-premise assets are configured and maintained by the organization’s own direct employees ignores the facts on the ground.
At least the organization still sets its own processes and policies. With proper procedures in place for ensuring everyone knows the rules and puts them into practice, you can be confident that the IT infrastructure is operating as it should and that any risks and threats are correctly managed.
And how do you do that?
The real reason we like ownership is that, whenever we need to, we know we can just walk in and make a hands-on assessment of the situation on the ground. If we’re honest with ourselves, that sense of direct, actionable accountability is probably covering a multitude of sins. We know there are times when our own people or our contractors, whether through lack of training, process flaws or sheer carelessness, get things wrong. We probably tolerate errors within our own organization that we would never accept from a third-party provider because we know we have the power to put things right to our own satisfaction if we ever need to.
Yet in a modern IT infrastructure, there are other ways of controlling proper policy and process. The technology allows us to instrument, verify and audit whether procedures are being followed correctly. Accountability, governance, compliance and problem resolution are no longer dependent on physical access. It can all be done electronically in real time.
Using a third-party cloud computing provider can therefore be just as trustworthy and certain as relying on in-house resources, provided the instrumentation and governance of policy and process is as good. In practice, this is one area where public cloud providers did not begin well. Some providers espoused an arrogant mirror-image of the “it’s my firewall” mindset: “We don’t publish an SLA, you can trust us because we’re a big, friendly online brand.”
Fortunately, those attitudes are now being challenged. For customers willing to pay the extra cost, the current generation of cloud providers offers better transparency into processes, a more granular choice of policy settings and enterprise-grade instrumentation and reporting. Because investments are pooled across the entire customer base, a cloud provider can operate the technology at a larger scale and sophistication than most of their customers would wish or need to do individually.
There’s still some work to do to establish the process and policy stipulations it’s reasonable to demand from third-party providers. Enterprises must focus on specifying the results they want, rather than attempting to constrain the provider’s underlying technology and operational choices in unnecessary detail. But in principle, a proper governance infrastructure is capable of delivering more control from a third-party provider than most enterprises realistically have over what happens today within their own on-premise IT.
Ownership is not the critical factor here. What matters is having the right mechanism in place for proper accountability and governance.