Enterprise IT Watch Blog

Apr 26 2011   8:47AM GMT

After Amazon, iPhone and Dropbox, is there a new normal?

Michael Morisy Michael Morisy Profile: Michael Morisy

We’ve written about the dangers of the consumerization of IT before (actually, again and again), but such progress has marched on, despite our earnest protestations, linked arm-in-arm with that golden child, cloud computing. At least, until last week, at which point both ate some serious crow in the form of an outage and raised awareness of privacy breaches.

Highest profile, of course, was Amazon’s EC2 outage that took out sites like Reddit, FourSquare and, according to one forum poster, cardiac monitoring tools. Lives, then, might literally have been at stake.

In another cloud/consumer blow, Dropbox updated its terms of service, making explicit its willingness to turn your data, hosted on their servers, over to the authorities. Not surprising, but another chip of control taken away from the data owner.

And finally, it was made public that the iPhone is tracking your every move, leading to spooky maps that, in some cases, go back years and which could potentially be used against their owners in legal matters.

I wish I felt gleefully vindicated, but the truth is that these are minor setbacks in a much larger trend, and it’s time to take a careful reassessment of what the new normal is in a world where data policies and even uptime are largely dictated by consumer companies such as Amazon, Apple and even small web startups that might be here one day, gone the next.

  • Downtime doesn’t always equal disaster. There’s a great scene in the Social Network where Jesse Eisenberg channeling Mark Zuckerberg yells that Facebook can never go down. In reality, Facebook does occasionally (but very rarely) go down, as does most every service. I’ve even used some web services that keep something sadly close to regular business hours, with planned downtime for most of the evening every single night. The reality is that for most web services, the golden 5 Nines of uptime is simply not worth the extra cost.
  • The benefits are real. Consumerized IT, whether it’s smarter smart phones, more productive communication, more collaborative work, or any other of a thousand changes, has brought real benefits that decades of top-down budget-driven initiatives have failed to deliver.
  • The risks are real. See above, but also see the very real compliance risks, data leakage risks, and more.
So instead of feeling vindicated or burned, it’s time to acknowledge the risks and rewards, calculate the acceptable and unacceptable losses, and craft policies that look past all the cloud-vs.-no-cloud dogma and focus on what’s right for the business: Non-critical information on commodity servers, whether they’re your own or someone else’s, with more critical infrastructure getting the redundancy and disaster recovery it warrants.
Have these latest bumps changed your roadmap? Any advice you’d give your peers on preparing to navigate the new normal, however you see it? Let me know at Michael@ITKnowledgeExchange.com, and we’ll throw some free swag and knowledge points towards our latest contest your way.
Michael Morisy is the editorial director for ITKnowledgeExchange. He can be followed on Twitter or you can reach him at Michael@ITKnowledgeExchange.com.

5  Comments on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.
  • Richord
    The problem is that we are dealing with systemic risk” not individual risk. Facebook going offline or Amazon’s cloud disappearing maybe disastrous to those who spend their time on social networks but systemic risk occurs when a series of errors or dependencies create the “perfect storm”. Examples include the financial crises, flash crash and BP oil leak. What is the systemic risk of Apple or Dropbox providing our data to other organizations and governments? How will these organizations use this data and how will it harm people? What is inevitable is that at some point some of this data will cause harm. The question is the extent and consequences. Few are considering the systemic risk of these technologies and services. Perhaps the best advice would be; “be afraid, be very afraid” of the potential systemic risks. Make sure you have a "kill" switch for your data similar to the kill switch for the Internet. Make sure you can take yourself and your organization off the grid and continue to operate. Develop scenarios where you lose connectivity to everything. Can you or your organization survive? What would happen if your data was lost in the cloud or hijacked (Wikileaks)? We’ve seen examples of cybercrimes and we’ve experienced the results of “innocent” failures. What happens when these failures are not innocent but perpetrated? It may no longer be a risk of the weakest link but a systemic risk. Very complex to understand and perhaps equally complex to repair. What would have happened if BP was unable to cap the well? We dodged another bullet with this and the financial crises. Maybe the next time our luck will run out. Embrace technology but make sure that you can survive without it!
    10 pointsBadges:
  • Eric Hansen
    The Dropbox issue is pretty moot personally. How can it really surprise anyone that a service provider of any sort not comply with law enforcement? Is it an invasion of privacy, perhaps. But, you are using their service, so you have to abid by their rules, similar to living in someone else's home, or working for someone other than yourself. The only people that should be afraid of this is people who are using Dropbox's services illegally to begin with (i.e.: storing sensitive or illegal material). If it has sensitive data, use TrueCrypt. If it's illegal, that's what Usenet and personal drives are for. As for Apple, the shock of it is just pure over-reaction. Apple's devices have GPS capability...how does GPS work if it doesn't know your location? It can't. If people are going to be sweating bullets over this, then sweat bullets over actual GPS devices as well. Lastly, for Amazon, this isn't the first time its happened. The same thing happened a few years ago when EC2 was first being serviced. IT is meant to fail, why is it such a shock when it does? I understand what EC2 was supporting and everything, but in all seriousness, no one and nothing is perfect...it happened, they admitted to it, be glad they didn't just pretend they got hacked and blamed it on some foreign diplomat.
    2,065 pointsBadges:
  • Resistance is futile, except after downtime - Enterprise IT Watch Blog
    [...] meant to link this in my earlier piece, but the timing of this Industry Standard article was just priceless: IT’s cloud resistance [...]
    0 pointsBadges:
  • Amazon EC2 Outage Coverage: When will the darkened clouds clear? - Enterprise IT Watch Blog
    [...] Editor Michael Morisy wondered, in the wake of Amazon, iPhone and Dropbox, is there a new normal? [...]
    0 pointsBadges:
  • Rdefazio12
    The first thing that comes to mind when I hear the words “the cloud” is loss of control. Some might say that my predisposition to think in such terms is a reflection of the controlling personality types that dominate the IT industry, but I am not using the words “loss of control” to reflect a Freudian need to lord it over others. I am concerned about being unable to enforce certain standards of data protection and preservation without which the likelihood of data compromise rises significantly. If I were to abandon such protective measures in the shop in which I now work and a data loss would occur, I would be fired immediately, then sued, and then blackballed from ever working in the industry again. If a cloud service retained by my company were to engage in the same neglectful behavior, I would still be fired immediately for not having foreseen it, and then my company would sue the cloud service, not realizing that such litigation could easily cost it $3-5 million dollars just for the e-discovery portion of the case alone. Accountants and business managers often view IT managers as being uncompromising obstructionists who are quick to find reasons why something cannot change. There is a reason for this seemingly inexplicable proclivity. Unlike the situation in which a company loses a customer and the revenue that would be produced from business with it, a single data breach or glitch can not only bring a company to its knees in short order; it can also result in litigation that can bankrupt it and spawn litigation that can last for years, destroying careers and reputations in the process. IT managers know this, and they are eager not to facilitate the creation of opportunities for the worst to happen. The cloud is an ideal place for such to occur. There is no ability to verify that specific protective measures are being taken. Everything is presumed to be satisfied by trusting that a cloud services company will do the “right” thing. There is no ability to walk down the hall, down the street, or down the highway to the convenient cloud computing center to verify that appropriate steps are being taken on a regular basis. The data centers for most of these services are usually located very, very far away. In many cases they aren’t even in the same country. And that raises another issue all by itself. Let’s say that data is mishandled by a cloud services company’s data center in a foreign country. The first question one should ask is whether or not the laws of the country in which the data center is actually located provide unique obstacles to obtaining restitution for damages. This can be complicated by business arrangements that the cloud services company may have with the actual data center owners. For example, Google has data centers in the United States, Ireland, Britain, Germany, France, Austria, Italy, Russia, China, Japan, and Brazil. Not all these facilities are owned and operated by Google. Some data centers are set up in leased space contained on another company’s property. The arrangements that Google has with the property owner can complicate things quickly when litigation is involved and the search for the deep pocket begins in earnest. In the meantime, the company that has trusted the cloud service provider to do what is right can be left to twist in the wind. If truth be told, and goodness knows that it needs to be told, IT’s infrastructure is incredibly fragile. The interconnected nature of IT and the dependencies that it has on services and equipment not directly under its control makes for an enterprise that can experience data blackouts even if the root cause has nothing to do with the way it runs its business. The concentration of IT services, just like the concentration of business decisions or government power, is usually a bad thing. If there is anything that IT’s experiences should teach us, it is that having many points of decision making ensures greater safety of data, not the reverse. Some might argue that cloud computing is distributed. A data center in India or Bangladesh can process information in parallel with another data center in Israel such that there is no single point of failure. As long as regular maintenance of the equipment and systems is performed and as long as there is sufficient backup power, verified copies of the data, and redundancy of communication equipment, then everything will be fine. In a static world where political alliances never change, where regional military actions never occur, and where human nature is as pure as the driven snow that might be correct; but considering that we have tensions with various countries, that the laws that affect the ownership and security of data are changing in many countries around the world, and that there are sociopaths in the employ of data firms, I would contend that all the safeguards listed do not provide the level of protection with which most business managers would be comfortable if they knew the whole truth about data security and the real status of data protection. I’ll give one little example that has nothing to do with anything catastrophic on the IT side of things before I end just to show how a lack of synchronicity between actual IT practices and business operations can create a serious problem. Let’s say that a business named Big Company, Inc. (“BCI”) closes a deal that took two years to negotiate with another company named Little Company, Inc. (“LCI”). Representatives from both companies sign the papers, and a honeymoon period of cozy relationships ensues for about six months. Then, BCI starts to experience business problems, and it looks around to see how it can conserve its cash. A smart legal staff person happens to read the deal’s documents, and he notices a clause in the agreement that in his opinion allows it to withhold payment for a period of 180 days pending some remedial action on the part of LCI. The management at LCI sees an immediate threat to its financial viability if money is withheld, so it checks with its lawyers. LCI’s lawyers see no justification for the cessation of payments, and it sues BCI on LCI’s behalf. During the litigation, LCI’s attorneys present a request to the court for the production of electronic documents related to the discussions before, during, and after the deal was signed. BCI’s attorneys begin the search for documents, and it discovers that many of its documents were stored in its document database, now housed at the cloud services company. The attorneys send an e-mail to the cloud company asking it to produce the documents that were written two years ago. The cloud company says that it will take some time before it can respond. Six weeks later, the cloud services company replies that the data center in Bangladesh where BCI’s data is stored does not have a backup tape going back that far. The oldest tapes that it keeps go back two months. LCI’s attorneys contend that the missing documents would provide a clear picture of the intent of the negotiations, but BCI’s attorneys contend that nothing can be done about the data loss and that it relied on the cloud computing company to provide reliable backups. How would the court rule? It might agree with BCI thus forcing LCI into a financial crisis and possible bankruptcy, or it might rule in LCI’s favor, leaving BCI with no other option than to sue the cloud service company. If the cloud service company is domiciled in another country or if it has separate contractual agreements with the various data centers that operate as independent businesses, BCI may not be able to recover anything at all. Bad things happen to good people, and when they do, they seek restitution. Cloud services look great when people look at the polished, shiny image that they wish to present when wooing new business. What needs to be considered as well, something that probably cannot yet be assessed with any real accuracy, is how such services look when things go wrong. How do cloud services companies behave when placed under real pressure to perform or else. There is a value to having onsite control of equipment. It costs more to do so, but it also offers the ability to tailor services to a business that cloud services cannot do. IT managers can control the people who do the actual work more effectively, and they can sign off of deliverables with more certainty that what they are asserting is actually true. When business people, who really don’t know the ins and outs of IT work, make decisions about how data is processed by virtue of voting their dollars toward cheaper solutions, they need to have their feet held to the fire when things go wrong. It is called ownership of decision making. Presenting well reasoned objections to capricious decisions in this regard is not just advisable, it is mandatory behavior for IT managers if they are to do the jobs to which they were appointed and if they are to protect the digital welfare of the companies that employ them.
    0 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: