Some very good points and stuff to think about. To me much of what you said is summed up in your two line:
“But to an Enterprise without a real plan as to what “Cloud” really means to their business,”
and
“If you simply expect to layer them on your legacy infrastructure, operational models and people and call it “Cloud,”

Whether a company takes the path of a 1, 1.25, 1.5, 2, etc. is more about their understanding of needs. Most of which, as you point out above, don’t have a clear “business objective” in mind, except to “use that cloud thing”. It will be interesting to see how the whole “network overlay” thing works it self out in the end. It seem that many (most? all?) providers are pushing that model as well to get the adoption. As yoda said “The dark side clouds everything. Impossible to see the future is.”

The one thing that does bother me a bit is that with the “this on that” reliance that is being built, the ability to secure it becomes much more of a task of peeling back the layers and making intelligent decisions on each of them. In reality, as complexity increases, the number of folks who can see clearly through the tangled web shrinks dramatically. The issues of trust and transparency becomes even more important IMHO.

Thanks for the post, got me thinking about soem things.

You’re clearly not arguing that these overlays won’t be part of Option #1 (‘they’re simply mom and apple pie and are, for the most part, invisible’). Yet you do argue that these same overlays are: ‘They’re a crutch and another band-aid to solve legacy problems’?

It can’t be both, can it?

Lets suppose you go down path #1. What’s the first thing you’re going to do with your new fandango S/P/Iaas Pub/Pri/Hybrid cloudamatron? Probably a simple, low risk, low impact application, right? Well, most of time (unless it’s *also* a new, stand-alone siloed app), it’s going to need to somehow interact with some kind of legacy system. How will it do that? Probably with a gateway of some kind, along with a VPN, of some kind, using a tunneling mechanism of some kind.

Doesn’t this sounds a little like path #2?

I think the technical distinction between the paths you present are minimal, at best. However, I’ll grant you that framing the solutions as either #1 or #2 might be useful, helpful and maybe even necessary when trying to get an organization to buy in to the plan.

For those who are not already aware of pastafaricness, http://en.wikipedia.org/wiki/Flying_Spaghetti_Monster

Where is this going? Tin Foil Hats, of course: the study http://berkeley.intel-research.net/arahimi/helmet/ that showed the foil hats often used for protection against remote mind control by aliens and Big Brother, often not only failed to protect the brains of the potential victims, but actually amplified the radio signals inside the foil at frequencies that are specifically reserved for government use. Is it possible that it was a plot all along, to peer into the brains of the most paranoid? Yikes !

Smoke it, Beaker!

Good question as I really didn’t spell that out. A “Security Purist” is someone who fails to take into consideration the design requirements, prevailing business environment, economic, organizational, cultural and architectural constraints, and instead simply blathers on about “the only way” without compromise.

…just like the BBQ discussion above.

Guess who was cut out…

Wikipedia describes it like this “The advent of computer technology, reliable software, and a desire by commercial airlines to cut costs by reducing flight deck crew have eliminated the requirement for Flight Engineers on modern airliners. The same general logic has led to the removal of the Flight Engineer position in many modern military aircraft.”

You get the point.

There will always be a need for engineers with deep knowledge of the underlying structures and the ability to design systems and take care of smooth operations. In fact it is likely there will be a growing need for such experts. At the same time there will be reduced ‘cabin crews’ flying the plane or sailing the ships. And this is applicable to commercial as well as government and military operations.

Right now, we see an emphasis on automating and speeding execution speed without commensurate updates to control and auditing systems–like cranking up the horsepower in a car without upgrading the steering and brakes–at some point you are going in a ditch.

Inserting people in-line into the process is not feasible–we are relatively slow, expensive, and often some of these systems are so complex they are beyond the scope of one person to understand (Airbus example, Flash Crash). I think that Hoff has the right idea that we need to leverage automation and analytics on the control and audit side.

Machines policing machines — how SkyNet-y.

Omar