The more important point is whether it matters in the first place. Hands up all those who know about employee group behavior that is wreaking havoc inside the enterprise as a result of bringing in unauthorised iPhones? I haven’t heard of such a case. I doubt we would except a long time after the event. At least not in a way that could be readily discussed in the public domain. It’s too embarrassing.
From the November 29th, 2011 ZDNet article “Does governance really matter?” by Dennis Howlett
FUD . . . cloud governance is a simple case of FUD. There, now I can stop writing.
For those of the younger set who may not be familiar with the acronym, FUD stands for Fear, Uncertainty and Doubt. It was a sales technique employed by IBM blue suits who, in days gone by, would outnumber prospects on sales calls, delivering horror stories of failed initiatives underscored by the catch phrase “you know, no one has ever been fired for buying IBM.”
Now in reading the above statement, one may consider it to be more of a tongue-in-cheek allegory than an actual practice, but sadly this was not the case. Especially when it comes to questions of increased risk in the cloud and issues of cloud governance.
Cloud governance is, of course, a myth created by traditional vendors who are playing on the fears of end users, and in particular senior management (see my July 27th, 2011 post Fear and loathing in Washington: Why a recent survey found that 92% of government IT leaders have reservations about making the move to the cloud). Similar to the SaaS creep illusion, it attempts to corral and retain clients under the vendors’ onerous and outdated business models. In short, there is a significant difference between cloud governance and data governance or security. Implying an increased or elevated level of risk through app devices operating in the cloud ignores the reality of the security risks that have always been and always will be with us. Just ask Richard Stiennon about the number of security breaches that occur every day within the confines of traditional IT infrastructures. There is absolutely no evidence that cloud-based apps pose an increased risk, and certainly not to the degree that would outweigh the countless benefits these convenient and emerging collaborative solutions provide.
Now this isn’t to say that data protection is not an important element of any sound IT strategy, whether behind the firewall or in the cloud.
In fact, in my June 9th, 2011 post (Protecting your data in the cloud: Top cyber security expert Richard Stiennon weighs in on what you need to do to protect your most valuable asset – information), Stiennon, who is one of the world’s top cyber experts, had this to say:
Protecting data is actually quite simple, Jon. ALL data should be encrypted ALL the time in the cloud. View your provider as the enemy. They cannot control their privileged users and they are subject to subpoena or lawful intercept. If encrypted and if the encryption keys are stored off the cloud, you have control over your data and do not have to worry about third party jurisdictional issues.
Even though Stiennon’s commentary was focused on unwanted government access to confidential information, the basic approach is the same as it relates to protecting critical data regardless of infrastructure.
Referencing the observations of an industry insider, here is the key takeaway from today’s post: “Data is at the heart of governance, not the cloud, or any other device required to access data. In the end, the cloud is simply a delivery model.”