IT Experts With Their Heads In The Clouds - Updated 13/08/2009

"To have one's head in the clouds" is a saying that means one is prone to having fantastic or ridiculous dreams, to be thinking impractically, to be prone to daydreaming and to be disconnected from reality. Whilst this is an old saying that has been used in many forms, and in many circumstances, it has rarely been more apt than when referring to the delusion of Cloud Computing.

Cloud Computing, as confirmed by the authors and editors of Wikipedia (for all the credibility one may or may not attest to that source), is intended to provide its users with a highly scalable computing solution that sees applications, processing and storage of information conducted outside of an organisation's own computer infrastructure and within large data facilities provided by service providers. The term "Cloud" refers to the Internet as a place where such service providers exist and by which those service providers provide computational and storage resources to their customers.

In short, Cloud Computing is very much like the old-school mainframe, except that the mainframe computer itself is housed outside of the customer organisation's own network and is accessed via an Internet link. In the parlance of 2009 one might refer to Cloud Computing as being iMainframe 2.0.

The value proposition provided by service providers wishing to cash in on the Cloud Computing concept is that organisations who cannot afford their own computing infrastructure, do not wish to run it, or do not have the required knowledge to run it can contract with a Cloud Computing service provider to access a centralised computing facility with all of the applications the customer needs, via the Internet, using thin-client technologies such as Citrix at their local desktop. However, there are some key issues, which these service providers will either not address or will flippantly refer to as the customer's problem, that potential users of Cloud Computing should take into serious consideration.

The first key issue is the customer's ability to access their operational information, such as accounting data, whenever and however they want. The second key issue is how they ensure that their corporate confidential data, including the data of their clients, remains private when someone else has 100% control of that data. The third key issue is that the customer is beholden to the account management practices of the Cloud Computing service provider.

As a company director I know that I need to be able to access the information systems of my organisation 24 hours a day, 7 days a week. I need to know that in a worst case scenario I can go to my office and access systems, not using a network if necessary, to get the information I need to service my customers, and to conduct the day-to-day activities of my business. The inability to access my company's information for a few minutes is annoying and inconvenient, for a few hours is gravely disturbing, and for a day is damaging beyond calculation. Consequently my organisation has put in robust systems of information storage and access that ensure that when I need data, the data I need is available to me.

However, if I were to be a customer of the Cloud Computing model it would dictate that all of my information and the systems that process and make that information available to me are housed outside of the information environment that I control. The only thing I would have as an assurance of access is a service level agreement (SLA) with my Cloud Computing service provider. Whilst this SLA may be quite robust and well specified, no Cloud Computing service provider will provide an SLA contract that covers communication paths between the edge of my network and the edge of their centralised computing infrastructure.

Current-day Internet communication systems rely heavily on ADSL communications via the legacy telecommunications infrastructure laid some decades ago; however, there is no ISP in Australia that will provide you with an SLA for your ADSL link. With the majority of SME businesses utilising ADSL technologies for their Internet link, it means that most SMEs who may utilise a Cloud Computing service would be doing so without a guaranteed communication path between themselves and the location housing all of their information processing systems. Given the unreliable nature of the Internet and the non-guaranteed nature of ADSL links, this poses a significant risk to businesses using Cloud Computing.

When quizzed about such risks, Cloud Computing service providers will most often say connectivity is the responsibility of the customer and that if they are worried about guaranteed access they should put in additional Internet links, citing that Internet links are cheap these days - and they'd be right - up to a point. Internet links are cheap. However, the SME businesses likely to use Cloud Computing are those that don't have the money for their own infrastructure or don't have the knowledge to run it well. How many of those that have the extra money for an extra link would not have the extra money for the infrastructure to manage that link, or would not have the knowledge to diagnose that their communication issues are due to the principal link failing and to switch to the backup Internet link? This leaves the customer with the conundrum of having additional Internet links, per the service provider’s recommendation, but no ability to use the links redundantly. Additionally, I'd suggest that if a company can afford the extra $100 per month it might cost for an extra Internet link, they can probably afford an extra server in their own network to provide the computational resources they need, as a basic server can be purchased for less than $3,000 (and $100 p.m. over 3 years, the standard depreciation time, is more than $3,000).

The net result of this is that organisations using Cloud Computing are beholden to the whims of their Internet connectivity for their ability to operate their business. Whilst this used to only be a problem for eCommerce organisations, Cloud Computing will make connectivity a principal business risk for all users, including manufacturers, accountants, even fish-and-chip shop owners who might be using a Cloud Computing hosted account package.

The second issue I have concern about is security. When an organisation holds its own data and does all of its information processing within the four walls of its own building, it only needs to worry about illegal access or manipulation of its information by someone who manages to cross into its building, either by physically entering the building or via an external network link (such as the Internet). The organisation is in full, 100% control of its information and information systems and can make its own decisions about how much or how little security it requires. Organisations that utilise Cloud Computing services only have their SLA contract to tell them how secure they will or won't be; they have no tangible controls over how those security needs are being met, nor do they have the ability to ensure that what is in the SLA is in fact being delivered. Unfortunately the first time the organisation will find out the service provider didn't do their job is when the customer's data is stolen, manipulated or otherwise illegally accessed, by which time it’s all too late.

Cloud Computing service providers have a number of significant threats that they need to deal with. Not only do they need to deal with the normal background noise threats posed by script-kiddies, and not only do they need to deal with the threats posed by attackers who have a specific gripe against one of their customers, but they also need to deal with attackers who see them as a high-value target, since to break into the Cloud Computing service provider's network is to gain access to many organisations' confidential data. Finally, Cloud Computing service providers also need to deal with unethical customers who choose to try and use their legally provided access to gain knowledge of their competitor customers on the same infrastructure by trying to subvert the internal security systems, or who may deliberately try and degrade the performance of centralised systems to damage their competitor’s operations. Keeping all of this in mind, potential customers of Cloud Computing service providers need to realise that Cloud Computing service providers almost never design their systems with security being core to their architecture and that they at most have 1 or 2 people on staff with a very limited understanding of information security threats and their mitigations, and no experience in assessing an environment for security threats.

The outcome of this is that customers of Cloud Computing service providers are putting their highly valuable, company confidential, operationally vital information into an environment that is of high value to illegal users, that has many people of various ethical positions within it, that has likely not been designed from first principles to be secure and is maintained by people who have little to no understanding of the intricacies of information security threats and mitigations. One might suggest that this is like putting one's child into a used car manufactured in the former Soviet Union without getting it independently checked for safety and trusting the used car salesman when he says, "sure, it'll get your family where you need to go safely." The only time you will find out he was not 100% accurate is when that family car crashes into a lamp post and your family (business) is the proverbial road-kill on an accident commission TV advertisement.

The final significant threat posed to customers of Cloud Computing service providers comes down to the account management behaviour and robustness of the service provider. If an organisation's information and processing systems are wholly contained and operated by a Cloud Computing service provider, that service provider can essentially hold the customer hostage to their own information. If there is an account management dispute, the service provider can simply cut off access to the customer's own information, putting the customer's business at grave risk of failure. In this circumstance the customer will have little option but to do what the service provider instructs them (pay more, pay in advance, etc…) as trying to pursue the provider through other means will take too long and will kill the customer’s business. Additionally, if the Cloud Computing service provider ever had business difficulties of its own, it is not clear how the customer would regain access to their own information in the event of a receivership or the service provider business simply closing its doors. In fact it may not even be clear what right the customer would have to gain access to their information once the service provider's management loses control of their own systems in such a circumstance.

In summary, I consider Cloud Computing to be a farce that has little true value for potential customers, that is deliberately designed by service providers to entrap customers and that introduces significant new security threats to the customer's company confidential information that they would otherwise not have to deal with.

Update - 13th August 2009

Two days ago I attended an evening seminar discussing the management of intellectual property when an employee leaves the organisation. One of the presenters at the seminar was speaking on the issue of forensic analysis for the purposes of recovering lost data or determining what data had been taken.

During the forensic expert's presentation he mentioned that he had recently done some work for a client operating a virtualised environment and that this raised some interesting challenges; however, he identified that ultimately he was able to obtain a snapshot of the host environment and start reverse engineering things from there. At this point an interesting ramification for cloud computing environments struck me.

What if your organisation was using a cloud computing service provider and another of your service provider's customers ended up in a lawsuit that required their company data to be presented as evidence? A computer forensics expert could well take a snapshot of the cloud computing service provider's virtualised infrastructure, under subpoena, resulting in your company's data being presented as part of the evidence in a case you are not involved in. This information then could become part of the public record of the case, thereby disclosing your company's confidential data to the general public (including your competitors).

So here we have yet another reason companies should be very wary of Software as a Service (SaaS) / Hardware as a Service (HaaS) / Cloud Computing solution providers.