“IT vs Private Cloud” Paradox

We have been talking about cloud computing for many years, and I have been selling private cloud for a long time. But we are still in the very early stages of private cloud adoption. Why?

The answer was a surprise even to me: private cloud is not something the IT department needs.

Every commercial company is a manufacturer. Yes, I am not mistaken: even a small nail salon is a manufacturer. They produce profit. For the sake of argument, let's define profit as income minus costs (capital expenses and operational expenses, including salaries). As we know, a dollar saved is a dollar earned, and therefore we are driving costs down.
But where does the cloud part come in, you ask? Just wait for it.

Let's take a look at the employees allegedly most interested in cloud: the IT department. The department includes IT management and administrators/specialists, IT assets (both hardware and software), and a budget. As a rule, the IT budget looks like a financial black hole actively consuming sums with many zeroes. It is almost impossible to understand the financial flows and how they map to actual IT services. Here comes private cloud with financial visibility, service catalogs and measured service, so we can actually say how much one mailbox costs. We are in the CFO's dream now.

But IT department says: NO!
RLY? WTF?

OK, let's take another look at the IT department from a side completely unrelated to technology: motivation.

What does the average IT admin want? A pretty simple answer: high-tech toys, arcane techno-mage status and significance. Who should choose the new servers and storage system? Of course ME, it's MINE! No, it's not. It's a tool, not a toy, and cloud brings us standards for systems. More than that, cloud makes admins interchangeable; the role no longer carries any arcane knowledge. A cloud admin is highly qualified in several areas, yes, but I don't really see many admins over 30 who want to study something new and adapt. People want stability and an "expert" title. What they do not want is to remain students until they have grandchildren.

What does IT management want, if we skip the part about kickbacks and gray schemes in procurement? Pretty much the same: influence and significance, which translate directly into headcount and total systems cost. Plus a budget they control themselves, with no one looking over their shoulder. Each new employee reporting to them brings costs, and each new admin adds another NO to the cloud question.

What does cloud do to the IT budget? The black hole splits into separate services with measured costs, and the CFO can now compare internal services with those available on the open market, which may not be in the internal services' favor. Cloud brings financial visibility to financial management and line-of-business managers, along with a way to spend the budget in accordance with company targets.

– What, the board will be able to see how I spend my budget?! – a direct quote from one CIO I met.

It's not a paradox: we now understand why IT doesn't like cloud. But what should we do? I don't have that answer.

Insider threat for Cloud. Some thoughts.

As we move towards 100% virtualization, the role of the vAdministrator becomes more and more important. A vAdmin can rule the whole infrastructure from one single console, unlike years before. One of the top 3 US banks could be brought down completely by a single script. Imagine that!
We see more and more cases where a fired admin logs in to the ex-employer's infrastructure via McDonald's WiFi and deletes some critical data.
Take the Code Spaces example: the hackers wanted a lot of money but didn't get it, so they just deleted everything, including backups.

The only thing growing faster than IT security spending is the cost of security breaches. That's the reality we see today.

Without any question, the level of control will increase, as will the pressure on privileged users and admins. But what really surprised me is that 4 security pros on the stage (SEC2296, VMworld 2014) said nothing about the organizational problems in this security nightmare with insiders.

Let's think about it a little. An insider is a person inside the company, an employee most of the time. We can divide them into 3 basic categories:

  1. People who will do something bad and sell the company's secrets no matter what.
  2. People who could do something bad, or could do nothing.
  3. Angels. They will do nothing bad even if management does something bad to them.

Type 1 insiders should be discovered ASAP, ideally already at the interview; that's why HR professionals are involved and background checks are performed.
Type 3 insiders are not a threat.

That leaves the type 2 people, and that's the type we ignore: the majority of employees in any company. These people will do something bad only as retaliation; they will not strike first. And guess what we're doing to them?
– put them under suspicion and constant control
– treat all their activity as if they were type 1 people
– completely ignore their personality, treating them like a replaceable and expendable working unit.

I can assure you: nothing is more stimulating than this kind of treatment from an employer when you have access to the most critical services.

There are NO statistics on the percentage of incidents caused by bad management treating employees like trash. And we try to solve an organizational problem technically, without any human interaction. Is this because we're techno geeks lacking social skills, or just because it's more difficult and complex than putting web cams everywhere, including restrooms?
At some point there can ONLY be trust. Imagine you're on the operating table: how can you enforce security and be sure the surgeon will perform only permitted actions? There is no way, period. We give the surgeon very high rights, and we (society) also give them very high responsibility.
A virtualization administrator with the highest level of access is the very same surgeon, operating on the organization's IT heart, sometimes while the heart still beats. So why do we look at what the admin is doing and not at how the manager treats him or her?

So, after years of experience and thought, I see 2 basic rules of information security when we talk about these type 2 guys and gals with full access.

  1. The insider threat becomes VERY real when you treat your employees and colleagues as insiders and threats instead of as people who help, when you see them as easily replaceable and expendable working units.
  2. An employee's loyalty to the company starts with the company's loyalty to the employee.

We should solve the organizational and administrative problems first; otherwise technical solutions will be useless, or they will even lower overall security.