Home > Cloud Computing, Cloud Security, Disruptive Innovation > Dear Mr. Schneier, If Cloud Is Nothing New, Why Are You Talking So Much About It?

Dear Mr. Schneier, If Cloud Is Nothing New, Why Are You Talking So Much About It?

squidly

Update: Please see this post if you’re wondering why I edited this piece.

I read a recent story in the Guardian from Bruce Schneier titled “Be Careful When You Come To Put Your Trust In the Clouds” in which he suggests that Cloud Computing is “…nothing new.”

Fundamentally it’s hard to argue with that title as clearly we’ve got issues with security and trust models as it relates to Cloud Computing, but the byline seems to be at odds with Schneier’s ever-grumpy dismissal of Cloud Computing in the first place.  We need transparency and trust: got it.

Many of the things Schneier says make perfect sense whilst others just make me scratch my head in abstract.  Let’s look at a couple of them:

This year’s overhyped IT concept is cloud computing. Also called software as a service (Saas), cloud computing is when you run software over the internet and access it via a browser. The salesforce.com customer management software is an example of this. So is Google Docs. If you believe the hype, cloud computing is the future.

Clearly there is a lot of hype around Cloud Computing, but I believe it’s important — especially as someone who spends a lot of time educating and evangelizing — that people like myself and Schneier effectively separate the hype from the hope and try and paint a clearer picture of things.

To that point, Schneier does his audience a disservice by dumbing down Cloud Computing to nothing more than outsourcing via SaaS.  Throwing the baby out with the rainwater seems a little odd to me and while it’s important to relate to one’s audience, I keep sensing a strange cognitive dissonance whilst reading Schneier’s opining on Cloud.

Firstly, and as I’ve said many times, Cloud Computing is more than just Software as a Service (SaaS.)  SaaS is clearly the more mature and visible set of offerings in the evolving Cloud Computing taxonomy today, but one could argue that players like Amazon with their Infrastructure as a Service (IaaS) or even the aforementioned Google and Salesforce.com with the Platform as a Service (PaaS) offerings might take umbrage with Schneier’s suggestion that Cloud is simply some “…software over the internet” accessed “…via a browser.”

Overlooking IaaS and PaaS is clearly a huge miss here and it calls into question the point Schneier makes when he says:

But, hype aside, cloud computing is nothing new . It’s the modern version of the timesharing model from the 1960s, which was eventually killed by the rise of the personal computer. It’s what Hotmail and Gmail have been doing all these years, and it’s social networking sites, remote backup companies, and remote email filtering companies such as MessageLabs. Any IT outsourcing – network infrastructure, security monitoring, remote hosting – is a form of cloud computing.

The old timesharing model arose because computers were expensive and hard to maintain. Modern computers and networks are drastically cheaper, but they’re still hard to maintain. As networks have become faster, it is again easier to have someone else do the hard work. Computing has become more of a utility; users are more concerned with results than technical details, so the tech fades into the background.

<sigh> Welcome to the evolution of technology and disruptive innovation.  What’s the point?

Fundamentally, as we look beyond speeds and feeds, Cloud Computing — at all layers and offering types — is driving huge headway and innovation in the evolution of automation, autonomics and the applied theories of dealing with massive scale in compute, network and storage realms.  Sure, the underlying problems — and even some of the approaches — aren’t new in theory, but they are in practice.  The end result may very well be that a consumer of service may not see elements that are new technologically as they are abstracted, but the economic, cultural, business and operational differences are startling.

If we look at what makes up Cloud Computing, the five elements I always point to are:

cloud-keyingredients018

Certainly the first three are present today — and have been for some while — in many different offerings.  However, combining the last two: on-demand, self-service scale and dynamism with new economic models of consumption and allocation are quite different, especially when doing so at extreme levels of scale with multi-tenancy.

So let’s get to the meat of the matter: security and trust.

But what about security? Isn’t it more dangerous to have your email on Hotmail’s servers, your spreadsheets on Google’s, your personal conversations on Facebook’s, and your company’s sales prospects on salesforce.com’s? Well, yes and no.

IT security is about trust. You have to trust your CPU manufacturer, your hardware, operating system and software vendors – and your ISP. Any one of these can undermine your security: crash your systems, corrupt data, allow an attacker to get access to systems. We’ve spent decades dealing with worms and rootkits that target software vulnerabilities. We’ve worried about infected chips. But in the end, we have no choice but to blindly trust the security of the IT providers we use.

Saas moves the trust boundary out one step further – you now have to also trust your software service vendors – but it doesn’t fundamentally change anything. It’s just another vendor we need to trust.

Fair enough.  So let’s chalk one up here to “Cloud is nothing new — we still have to put our faith and trust in someone else.”  Got it.  However, by again excluding the notion of PaaS and IaaS, Bruce fails to recognize the differences in both responsibility and accountability that these differing models brings; limiting Cloud to SaaS while simple for cute argument does not a complete case make:

cloud-lower030

To what level you are required to and/or feel comfortable transferring responsibility depends upon the provider and the deployment model; the risks associated with an IaaS-based service can be radically different than that of one from a SaaS vendor. With SaaS, security can be thought of from a monolithic perspective — that of the provider; they are responsible for it.  In the case of PaaS and IaaS, this trade-off’s become more apparent and you’ll find that this “outsourcing” of responsibility is diminished whilst the mantle of accountability is not.  This is pretty important if you want ot be generic in your definition of “Cloud.”

Here’s where I see Bruce going off the rails from his “Cloud is nothing new” rant, much in the same way I’d expect he would suggest that virtualization is nothing new, either:

There is one critical difference. When a computer is within your network, you can protect it with other security systems such as firewalls and IDSs. You can build a resilient system that works even if those vendors you have to trust may not be as trustworthy as you like. With any outsourcing model, whether it be cloud computing or something else, you can’t. You have to trust your outsourcer completely. You not only have to trust the outsourcer’s security, but its reliability, its availability, and its business continuity.

You don’t want your critical data to be on some cloud computer that abruptly disappears because its owner goes bankrupt . You don’t want the company you’re using to be sold to your direct competitor. You don’t want the company to cut corners, without warning, because times are tight. Or raise its prices and then refuse to let you have your data back. These things can happen with software vendors, but the results aren’t as drastic.


Trust is a concept as old as humanity, and the solutions are the same as they have always been. Be careful who you trust, be careful what you trust them with, and be careful how much you trust them. Outsourcing is the future of computing. Eventually we’ll get this right, but you don’t want to be a casualty along the way.

So therefore I see a huge contradiction.  How we secure — or allow others to — our data is very different in Cloud, it *is* something new in its practical application.   There are profound operational, business and technical (let alone regulatory, legal, governance, etc.) differences that do pose new challenges. Yes, we should take our best practices related to “outsourcing” that we’ve built over time and apply them to Cloud.  However, the collision course of virtualization, converged fabrics and Cloud Computing are pushing the boundaries of all we know.

Per the examples above, our challenges are significant.  The tech industry thrives on the ebb and flow of evolutionary punctuated equilibrium; what’s old is always new again, so it’s important to remember a couple of things:

  1. Harking back (a whopping 60 years) to the “dawn of time” in the IT/Computing industry making the case that things “aren’t new” is sort of silly and simply proves you’re the tallest and loudest guy in a room full of midgets.  Here’s your sign.
  2. I don’t see any suggestions for how to make this better in all these rants about mainframes, only FUD
  3. If “outsourcing is the future of computing” and we are to see both evolutionary and revolutionary disruptive innovation, shouldn’t we do more than simply hope that “…eventually we’ll get this right?”

The past certainly repeats itself, which explains why every 20 years bell-bottoms come back in style…but ignoring the differences in application, however incremental, is a bad idea.  In many regards we have not learned from our mistakes or fail to recognize patterns, but you can’t drive forward by only looking in the rear view mirror, either.

Regards,

/Hoff

  1. June 4th, 2009 at 08:37 | #1

    People are quite enamored by Schneier. I recently send a link to the DBIR to someone and they sent this back to me: "Meh. Lotta security hype out there. My hero is Bruce Schneier."

  2. Israel Bryski
    June 5th, 2009 at 07:07 | #2

    I must admit Jon, I used to be a "My hero is Bruce Schneier" guy, but he is pushing it with this Cloud garbage he has been spewing lately. This year at the RSA Keynotes, he said how Cloud is "nothing new" and only mentioned the SaaS model, just as in his recent blog post.

    Hoff, I would love to hear the lyrics of your "Cloud Guy" Real men of genius. If its anything like this one (http://www.youtube.com/watch?v=ErFu6WVMH0s&feature=related) you may have a new career brewing.

  3. Esurnir
    June 7th, 2009 at 02:26 | #3

    "So please, Mr. Schneier, spare me the diatribe and stick with the Friday Squid postings and leave Cloud to those of us who do care about it."

    Is kind of lame sorry about it, but Bruce Schneier is a security analyst so he -do care- about this problems, and while his critic may or may not be good. He still hit the nail on having to trust a third party company with your works and documents. What if the company go bankrupt, what if an insider in that company sell all the documents from the marketing department to the concurence ? Those are problems from cloud computing which are worth talking about.

    When someone make a critic about your baby, you take it and answer politely, you don't quip back with insult and tell someone "please don't mess with our affairs". That's what a ot of company did, only to go bankrupt because someone poked their nose harder than the others and revealed their weakness.

    Have a nice day

  4. June 7th, 2009 at 05:01 | #4

    @Esurnir

    Fair enough. I agree with you:

    "I was a bit of a dick to Bruce in this post. I've exchanged emails with him to this end & apologized. I think, despite what have been called "thinly veiled ad hominem attacks" that my points are valid."

    /Hoff

  5. casey
    June 8th, 2009 at 06:22 | #5

    Hoff is answering an assertion by Schneier with one of his own. If Google/Amazon/Salesforce were to take umbrage it wil not affect my infrastructure one bit. Claiming that innovation/headway is/are being driven is marketing language. You will not convince anyone this way. Centralization/Distibution of any type of resource comes with advantages or disadvantages and after the Cloud fails once or twice we will get "Modular" computing where independent 'cloudlettes' provide scalable IT solutions. Not trying to be snarky, but I remember how Client-Server was marketed and I think that Bruce's point was not that nothing is new, but the philisophical debate started in the 60s continues in one form or another today.

    cheers

  6. July 17th, 2009 at 04:25 | #6

    I believe cloud computing is in its execution "new" regardless of however "old" the concept may be (there are academic papers from the University of Illinois & University of Texas which date back to 1997 / 1998 on the topic), is a new and compelling phenemona. In fact, I'd argue that CDNs (content distribution networks) are the most stable and earliest large scale examples of cloud based technology though I realize they are typically unidirectional. Having said that I feel that your points are valid with respect to the new and potentially innovative uses for the technology regardless of how it manifests itself (I personally feel people are bastardizing these terms and using them far too liberally and as such incorrectly). What I am most concerned about from with respect to the cloud concept isn't the use case per se but rather the manner in which many of the solutions are being pitched regarding security and assumed levels of risk. Are they any more or less secure than solutions provided by hosted entities or MSSPs? I feel that remains to be seen. Having worked with one of the best MSSPs in the biz in another life, I can say that attention to detail and due diligence with respect to accredidation of the environment itself does play a key role in decision making.

  7. October 2nd, 2009 at 00:23 | #7

    “The tech industry thrives on the ebb and flow of evolutionary punctuated equilibrium”.

    Christ, something in my cerebral cortex just popped.

  8. Luke
    October 16th, 2009 at 17:56 | #8

    Mr. Hoff has spent entire page to piss off Schneier, but only a line in comment space to mention "I was a bit of a dick to Bruce in this post. I’ve exchanged emails with him to this end & apologized."

    C'mon Hoff, be a man … create another blog post with title "I was a bit of a dick to Bruce and apologized to him.". Push it to twitter space and whatever promo tools you are using as well to be fair.

  9. October 16th, 2009 at 18:10 | #9

    @Luke

    Did you happen to MISS THE FIRST LINE OF THE POST!? Click on the link?

    Here you go:

    http://www.rationalsurvivability.com/blog/?p=1013

    In case you missed it, the post that link clicks through to is titled: "Dear Mr. Schneier, I Was A Jackass & I’m Sorry…"

    Written JUNE 10, 2009.

    I *did* "push it to Twitter" and Bruce quoted it in his blog.

    We done? 🙁

    P.S. Do me a favor, if you want to challenge me to be a "man," at least give me a real name/email address so we can correspond like men. Thanks.

  10. Luke
    October 17th, 2009 at 04:47 | #10

    Mr. Hoff,

    I'm following your way – I apologize for missing and reading the link on first line(it's counter-intuitive to jump to another page without reading the article first). You could be added in header, body and footer and made upper case red links.

    Sorry if I sound rude in my post, now I'll be nice and think before posting.

  11. October 22nd, 2009 at 10:24 | #11

    Bruce has opinions….like all of us….doesn't mean they are Gospel 😉

  12. Anders Berg
    April 15th, 2011 at 18:41 | #12

    Sorry Hoff, but I do agree with Bruce for the most part.

    In the 70ies when I started in the "biz", we had utility computing (pay for what you use) and "elastic infrastructure" from the point of view of our mainframe customers (business units and subsidiaries).

    In the late 90ies we (the company I worked for at the time) had "I/PaaS" where customers could order unix environments prepped with certain middleware and apps on the MF and have them provisioned in minutes.

    Later we got standalone unix machines and windows everywhere and the elasticity in capacity as well as pricing was gone. Expanding capacity or acquiring it in the first place took a quarter (3 months). That was a significant regression. What I see now is simply a return to the 90ies model, which was a refinement of the 60ies model (since unix wasn't on the mainframe in the 60ies, or at all for that matter, nor were VM).

  13. me
    June 19th, 2013 at 10:58 | #13

    i’m not going to waste my time explaining why, but cloud computing is nothing but an opportunity created by marketing people to sell the same old lousy software and services into the market. it is pure, 110% hype, of no significant value. 2 years from now, you won’t even hear about it, when marketing introduces the new model. ETL, SOAP, ASP, were all historical failures, just like this hype. The Internet and Web are true innovations. Never listen to marketing people, they live in the gartner magic quadrent smoking magic weed.

  1. June 6th, 2009 at 15:26 | #1
  2. June 10th, 2009 at 14:20 | #2