The latest trends for enterprise technology managers on improving IT security, network infrastructure and IT risk management. Presented by Priscilla Tate of Technology Managers Forum.


Cloud Computing—the Love Story


It was the moment the dime dropped. I was reading about an RSA/IDG report on security for cloud computing. As I studied their results, I had a growing conviction that we have passed a point of no return when it comes to enterprise computing and the cloud. Unfortunately, I tend to agree with one of their findings—security policy is not making it into the suitcase. We somehow expect the cloud to do it.

RSA/IDG research indicates that over half of the companies that use or plan to implement cloud computing services in the next 12 months do not have a security strategy for data integrity or compliance. Although the study’s sample was small (100 users and I have not seen the selection criteria), the RSA/IDG study passes the smell test—they interviewed technology savvy management professionals who worked for companies with $1 billion or more in gross annual revenue. This happens to fit the demographic for TechForum members so I read the next part carefully. A more telling statistic from the survey is that among those who have gone to cloud computing solutions, almost 30% did not involve corporate security departments.

I could have guessed as much. Up until now, I had only anecdotal evidence from our membership that supported this conclusion. I first began to hear about real implementations of public cloud computing solutions at our storage and virtualization meeting in March—not at a Security Forum. A handful of IT professionals told us at this event that they were using Amazon’s E3 and other storage providers in certain circumstances to cover ad hoc demands for capacity. Time sharing is not a new concept, but it usually pertains to certain kinds of large database applications. A big clue that the cloud computing train has left the station is the array of vendors who suddenly want to be the cloud provider to enterprise organizations. When diverse companies such as Google, Cisco, Sprint, Amazon and IBM jump in with cloud solutions, that indicates the marketplace will support them.

What is so compelling about cloud computing that companies are moving to these kinds of solutions faster than processes can be put in place to secure data? Is it part of the efficiency movement that the recession has spawned? Do people have a sense that too much money is being spent on security without a return on the investment? Let’s face it—business would love to outsource IT infrastructure and offload some of the security responsibility to suppliers to better manage costs.

The cloud computing thrust is partly about the money, but goes deeper than just saving a buck. Our businesses have become synonymous with our information systems and our network infrastructures have attained a level of complexity that is almost incomprehensible. We need a term like cloud computing in order to honor the importance, complexity and criticality of technology management to the business process. Cloud computing is a phrase that connotes just enough vagueness to work for the technical and non-technical alike. We would have invented it, if it had not come along.

Cloud computing is not only a convenient phrase, it is accompanied by a certain degree of optimism. At our most recent Security Forum in May, there was much discussion about the cloud having great potential for defending against fast breaking threats. The cloud could be the place where we white list the trusted sources and monitor behavior before our data is compromised. This sunny cloud view is corroborated by the RSA/IDG Study. Seventy percent of those surveyed said they feel at least somewhat confident that their businesses are prepared for adopting cloud computing widely and securely.

From where I sit, I would like to feel happy about something and why not believe in cloud computing, even though the security part is murky? Keeping the bad guys out is a tough job and proving regulations have been complied with takes an enormous effort. Those of us in security and network infrastructure have been rolling our own for a long time and where has it gotten us? As we move our strategies to the cloud, we will not be alone. There are a lot of businesses doing the same and we will have many allies, from telephone companies to search engines, to choose from. Without question, achieving security in the cloud is going to be a big production; but I am equally certain there is no turning back.

I am reminded of the lines from the film “Shakespeare in Love”:

Henslowe: Mr. Fennyman, allow me to explain about the theatre business. The natural condition is one of insurmountable obstacles on the road to imminent disaster.
Fennyman: So what do we do?
Henslowe: Nothing. Strangely enough, it all turns out well.
Fennyman: How?
Henslowe: I don't know. It's a mystery.


When I read about Vivek Kundra being appointed Federal CTO, I raised an eyebrow, my right one to be exact. I liked all the fresh things he had done to shake up the information systems and business as usual in Washington, DC. I consoled myself with the thought that maybe his appointment was all part of the new agenda of change. Out with the old and all that.

My reservations were not that he was a little young at age 34, but only that he had no enterprise management experience. Vivek Kundra is bright, well educated and politically ambitious. He has run technology startups and given blood to help a non-profit organization like Washington DC be more responsive to the needs of the district by getting more info online. These qualities make his resume sparkle, but where’s the beef when it comes to large enterprise systems? Management is what the CTO job is all about. In this day and age, business and IT risk go hand in hand.

Running a city or a state government is nothing like running the systems he would impact as CTO of the US. Think about the level of interoperability that would challenge anyone in charge of government IT--think IRS, postal service, Medicaid, Pentagon, Social Security payments, EPA, Army Corps of Engineers, and the list goes on. In contrast, Washington DC has shallow legacy information systems in comparison to the systems that might come under the national CTO’s purview.

Granted, the CTO job for Vivek Kundra was principally going to be the website to chart the impact of the recovery spending. For that job, he was a great choice. And a logical place for the current administration to start when creating a position at the federal level that had never been important before. He would architect interoperability around a specific project--how recovery funds are spent.

But what this country needs is something more than a politician who, by the way, is a tech whiz. What this country needs is a vision and a game plan and someone with the technology credibility and business acumen to pull it off. Creating new technology systems from scratch is one thing, but "google-izing" government computing with all its legacy systems means people have to work differently. And the one thing we know about managing technology so that it works, is that the job is as much technology as it is management.

Last week when the word came out that the new CTO had been oblivious to the fraud perpetrated by his direct reports, my doubts about his management skills were unfortunately confirmed. If Mr. Kundra was not looking at the money and the vendor relationships, he was not understanding the basics of running a technology business and managing a budget on a relatively minor scale. He was selling the sizzle, but the beef was rotten. I see Vivek Kundra as a kind of Hamlet in this morality play. Maybe he misplaced his trust—but if the FBI knew about the fraud and the sting, why didn’t he notice anything wrong? And the FBI did not trust him enough to bring him into the process? The word that comes to mind is “amateur.” This happened on his watch.

President Obama and his administration “get technology” more than any previous administration. Technology spending is a critical part of the recovery agenda. But we need more than a technology ombudsman to head up the technology strategy for the United States government. We need a technology ambassador with large systems management experience at bat--someone with an eye on the ball and a good batting average. And, sad but true, we need someone who has been out after dark and knows to anticipate what might be lurking in the shadows.


When businesses close, banks fail and people lose their jobs and their homes, we expect all the boats in the ocean will sink. It is logical to assume that everyone will be hurt by the fast spiraling vortex of deflation. However, when all is said and done, it appears that technology is emerging as one of the areas that will keep on going during this time of economic uncertainty. Behind almost every cut in programs or staffing, technology solutions are being sought to take up the slack. To lift a line from Charles Dickens, “It is the best of times; it is the worst of times.”

A recent study by Forrester claims that security spending across the board (including upgrades and staffing) by the companies who subscribe to their sampling will increase. Slightly.

Among our membership, the job turnover seemed to spike at the end of last year, but that too, has leveled off to a more normal rate of career shifts that we expect to see among our upwardly mobile population.

And in the new stimulus package which President Obama signed into law this afternoon, there is significant money earmarked for technology initiatives. Here are a few of the high points:

- The stimulus bill includes $7.2 billion for broadband grant and loan programs.
- Although cut from $1 billion, $650 million to education is going specifically to the Enhancing Education Through Technology Program (EETT).
- $19 billion of the $100 billion for the healthcare measures goes specifically for healthcare information technology

It is as though everyone, thanks in part to a tech savvy president, gets the message that technology can and will help us get by. Make no mistake; the stimulus bill documents a huge shift in public opinion. We are all familiar with the litany of complaints about the computerization of everything, the loss of the personal touch and all the other dehumanizing aspects of the computer age. All of a sudden, the endorsement of technology is clear as a bell. Those who can manage computer technology are playing an integral role in our response to economic and social disaster.

Technology’s star has been rising for a long time thanks to microprocessors and the Internet. But with the current stimulus package, those of us who manage technology have crossed the chasm. Our sector does not seem to be suffering the fate of many others—salaries are going up, spending on information technology and security is holding its own, and employment is staying the course. Technology adoption has gone mainstream—it is no longer in the hands of a few early adopters and pioneering innovators. Technology is really part of how we do things anymore.


Now I really believe those who claim there is more money in online fraud than there is in drug dealing. When I read about the WorldPay ATM exploit and got to the part where the caper was described as involving only 100 false cards that were used in 49 cities worldwide during a 30 minute window and the net was $9 million—my ensuing gasp startled everyone in an otherwise normal office. The details are worth reading because you realize at once that this was a master mastermind. The mules—the "cashers" who carried out the crime—were captured on surveillance videos and they made no attempt to go incognito in front of the cameras. So either they were doing someone a favor, or they were assured that the cameras were disabled, or they were told so little that they are going to be useless to prosecutors.

But I come back to the physicality of getting the counterfeit cards to 49 different geographic locations and into the hands of people who could nonchalantly saunter into a mom and pop grocery store, stand in front of a cash machine and make withdrawal, after withdrawal, after withdrawal. During the same 30 minute time frame! How did they do that? This crime may in the end prove to be low tech, compared to the highly organized effort that was necessary to distribute the points of attack and coordinate them to occur briefly, but simultaneously around the world.

According to the FBI, the ones behind this heist weren’t born overnight—they probably were proficient in ATM fraud of which there have been a few publicized cases. A sinister new wrinkle in ATM fraud, the credit limits of these WorldPay cards were disabled. You can bet if there is a trail that leads us to the gang responsible, they are probably hiding in a place where laws can’t leverage much. And I won't be surprised if we find that someone with inside knowledge of WorldPay's system helped pull this off.


I read with great interest the commentary by Dan Briody in CIO Insight today. He asks a worthy question, “Could IT have saved Citigroup?” But in my opinion, that query has nothing to do with reality. True, the Citigroup we knew is no longer; it is morphing (and taking its disparate IT groups with it). But no matter how great the IT leaders are at a company, they are always the handmaiden of the business units, not the gatekeepers.

Having worked for an earlier incarnation of Citi in the 1980’s, I came away with a sense of the fiercely competitive business units within the organization. That was just after Tom Peters and Robert Waterman published their wildly popular business book In Search of Excellence, and Citi was held forth as a successful company for its innovative business leadership.

And Citi, more than any other corporation I have experienced, rigorously tied any technology project to a business return on the investment. And they did so very smartly. For example, with outsourcing (that dirty word), they immediately realized savings in the custom programming department and were able to migrate many legacy systems to newer platforms that would otherwise never have been changed. However at the same time, they prudently kept control of the outsourcing fad, limiting offshore engagements to no more than 25 or 30% of their applications.

So where did Citi go wrong? What I experienced in the early 80’s was a corporate culture that celebrated the individual business leader within the bank. In some instances, it devolved into fratricide among departments. In fact, my unit within Citi was spun off as a different company and the products we had developed at Citi became products we sold to Citi. It quickly became apparent that the VP’s who signed off on equipment purchases from us were friendly toward the business leaders who had previously worked at Citi. However, there was a dark side to their fealty-- if a VP wanted to come in ‘under budget’ with their IT expenses, they would delay paying us until another business cycle. Frequently a VP kept us on the hook for payment until they were promoted internally, or they left the company. That was my first encounter with corporate politics and it was unsettling to see how an individual’s survival instinct could run counter to the welfare of the organization as a whole.

Tom Peters and Robert Waterman celebrated Citi (it was Citicorp at that time) for their cultivation of the business leader (people) who had vision (action) and they saw in Citi a trend toward innovation and risk taking in their willingness to create new solutions for their customers (customer). Peters even said this kind of leadership was a triumph over the ‘bean counters,’ who had run the great American corporation during the 1970’s.

So how does this relate to the question “Could IT have saved Citi?” The answer is still "No." IT could not have saved Citi any more than the bean counters could have. My perception of IT, since the beginning of my career has been that IT always comes in second to the business goals of the organization. In the case of Citi, under its former leadership, the aggrandizement of the individual business units led to a balkanization among the lines of business. Each unit was jockeying for a better position in the next race for themselves, not out of a shared sense of corporate governance. In fact, corporate governance, which includes how and where IT dollars get spent, became an expression of the political ambitions of the individuals in the business units.

While IT leaders are rock stars in many organizations, and their salaries are commensurate or greater than the salaries of their business counterparts, they must operate within the corporate culture. Those of us in technology management positions know that the technology we adopt is changing the way business is conducted—so we are change agents, in that we are supporting new and disruptive technologies. But the philosophies of the business leaders at the top of the food chain are the blueprint of the corporate culture. IT may be building the house with newer materials and technologies, but Business is still the general contractor.
