If there’s one topic that’s apt to get security professionals uptight – and provoke stand-up rows in the office – then it’s cloud computing. Tony Lock from Freeform Dynamics recently conducted a poll on the subject in a workshop for The Register.

The big issue is, of course, loss of control. If you trust your information to someone else’s servers, then you have to trust their security procedures and technical measures to look after it. That makes a lot of IT professionals uneasy, for very understandable reasons. But just like outsourcing anything, there is good and bad. All businesses outsource some things – things like cleaning, deliveries and physical security (burglar alarms, etc.) – for three reasons:

  • It’s not their speciality. They make widgets. And they have the staff they need to make, deliver, develop and support those widgets. Other people can do non-widget related activities better than they can;
  • They don’t need the overhead, time commitment and complexity that employing all these extra people demands. Yes, they could hire their own cleaner, but it’s a lot simpler to get on the phone and let a cleaning agency take care of that;
  • It’s a lot more cost-effective that way. Our widget company could invest in a worldwide fleet of planes, vans and delivery-people but that would be ludicrously expensive when they can phone a courier company and have them delivered for a few pounds a day.

So three very good reasons for outsourcing: better service, simplicity and cost. These lines of reasoning can easily be applied to IT. Outsourced IT can be better, simpler and cheaper. Yay, let’s go for it, say those hotheads in accounting.

Where this sort of analogy starts to fall down, however, is in the risk assessment. If the cleaner doesn’t turn up, then it’s no big deal. If they don’t turn up on a regular basis, you fire the agency and get a new one. There might be a few more biscuit crumbs and sandwich remnants for the new cleaner to deal with, but no harm done, by and large.

If your outsourced IT services turn out to be useless, on the other hand, then the consequences could be pretty brutal. Your information could be exposed, you could lose access at a crucial moment, or they could manage to lose the lot. You don’t want that to happen, because it could make you bankrupt or put you in prison.

But people don’t like risk-assessment, of course. It’s boring. It puts paid to a lot of exciting new things. It reminds you of your mum when you were five.

I hate to say it, though, but your mum was probably right.