Quick Follow-up to "Cloud Computing Insanity"
The post generated a crazy amount of debate - and that's a good thing! But I wanted to make another key point, particular with respect to the myriad of objections with respect to "what could happen" if your company moves to the cloud.
Many of the objections about using cloud computing contain elements of truth, but lead to a seriously flawed conclusion.
For example, a popular objection is that your cloud provider might turn your data over to the government without your awareness. This is seen as a unique and mortal danger of using the cloud - a "showstopper" to many. Somebody would get fired, for sure.
While this is possible, it's an extremely remote risk for several reasons. First, if the government knows where you are, they will first go to you to get your data (if you know anybody in the US AG office, ask their opinion). If they have a warrant to access the data, you're very likely to give it to them. The government goes to cloud providers when they are unable to locate the owner of the data - ie a shadowy individual, not a corporation with a known street address.
This is "how it works", but doesn't imply the risk is zero. Yes, there's some possibility it could happen with a national security letter, etc.
But remember: your cloud providers don't just have more engineers than you, they have more lawyers than you.
And good cloud providers are much better and more likely to fend off unwarranted data requests than you are (there's been much in the news about this recently). And by the way, government accessing your data is not guaranteed to be a bad thing - what if one of your employees has gone rogue and is planning to do something reeeaaallly bad?
Regardless, it's a really bad decision to forego the benefits of cloud computing because you fear this remote possibility. Even if it happened, in what scenarios would it cause material harm to your business? At the same time, I can virtually guarantee that technical obsolescence (via cloud avoidance) is a clear and present danger to your company.
The real problem is that lawyers in your company aren't paid to fend of technical obsolescence. That's why lawyers make recommendations, and business leaders make decisions.
26 plus ones
Shared publicly•View activity
View 7 previous comments
- Dave - Very thought provoking post. And thanks for setting up a more sane forum for responses than the milieu on the GigaOm comments :)
Your post rung true from my experience running a SaaS company and specifically an anecdote from one IT Director at a mid-sized enterprise:
Paraphrasing his words:
"I love the cloud because honestly we know all IT systems will go down at some point, but with the cloud, if they do, we can't do anything about it. I know that sounds silly but with the power company, if there's an outage, no employee calls us and says 'when will the power be back on' - they just trust that the power company will get the power on ASAP. Similarly, it's ridiculous that we don't just make sure the best people - i.e., the relevant cloud provider - provide a service, and then trust them to fix the service if there are issues - or change if we don't like it. To have to inspect every detail of every service is a waste of our time."Jan 28, 2013
- Here is the most recent Official Google Blog, "Google’s approach to government requests for user data" http://goo.gl/hRNyF
From NYT Technology Bits Blog on the subject, "...the company stands out in its efforts to protect users against government requests for data."
“Google’s been kind of a pioneer,” Mr. Trevor Timm, a privacy advocate studying surveillance at the Electronic Frontier Foundation, said.Jan 28, 2013
- Here here...as a recovering lawyer I hate taking business advice from lawyers...almost as much as I hate taking product advice from IT guys...I'd think IT is a bigger problem at these companies than legal...but both are going to need to get on board or be passed over.Jan 29, 2013
- This is true as far as it goes, but there are two factors: one, securing in-house IT is a mature skillset, focusing on the border of the network. Whatever's inside that border can be presumed to be fairly safe. The cloud changes that calculus, because the distinction between inside and outside the firewall becomes much more labile.
The second factor is the international one: for a US company, there might not be much difference, legally speaking, between hosting something themselves, in a traditional colo facility, or in AWS. For a non-US company, however, that difference might be significant. There are conflicting data-privacy regulatory frameworks, including, yes, the Patriot Act, but also many others, and there are also national requirements to host and process certain types of data within a country's borders.
I blogged this in a bit more depth here: https://communities.bmc.com/communities/community/bsm_initiatives/cloud/blog/2013/01/31/you-are-not-insaneJan 31, 2013
- Loving what Dave is doing at Upstart, but we have missed his strong voice in Enterprise Cloud Computing. Dave, great to have you back in the debate! Reminds me of your speech at Los Angeles City Council.Feb 1, 2013