As I cross deeper into the Dark Side that is management, I find myself working with more and more non-technical people. That's to be expected and I need to find ways to communicate the technical information security risks associated with various technologies. One of the best tools I've found to communicate these risks in a non-technical manner is to use analogy. Analogy has two big advantages. First, it makes the situation less intimidating to the non-technical and people are more apt to listen when they are not concerned with feeling like an idiot. Second, it forces me to make sure I fully understand the scenario and related risk. I must understand it fully to develop an appropriate analogy for non-technical folks. I find analogy becoming very handy as the Cloud continues to gather momentum and gain mindshare within the business decision makers intent on saving costs. Trying to explain the risks of shuffling company data together with other companies, giving up positive control of that data, explaining that deleting the data in the cloud isn't as simple as it sounds, explaining the fact that our data might end up in another country, which by the way has different regulatory requirements. And, just so we don't get too bored, let's consider what happens if we or our provider are served with an electronic discovery court order.
All of that detail makes my head spin and I deal with this stuff on a regular basis. What chance does a non-security professional have of understanding this in short order? That's where my analogy comes in. The Cloud is like a motorcycle.
You in the back, I hear your eyes rolling. Just hang with me and hear me out.
First and foremost, both the Cloud and a motorcycle are tools to make a task simpler. The cloud stores data and the motorcycle gets you from Point A to Point B. Compared to traditional technologies such as a car and a traditional data center, the Cloud and motorcycle are stripped down to the bare minimum required to get the job done. There is a certain beauty and elegance in these solutions.
Part of that beauty is the cost. Compared to a car, a motorcycle has about half the purchase price. When you compare a subscription service in the Cloud to the cost to maintain a server and data center, there is an even greater gap. Your mileage may vary on the specifics, but suffice it to say that the difference will be significant. That's the long way of saying that both the motorcycle and the Cloud are dramatically cheaper than the traditional solution.
The Cloud is faster too. I can set up a server in less than ten minutes and that's with me skimming through the Terms and Conditions over at Amazon's AWS. If you aren't bothered by such things, you can have your very own server up and running in five minutes. Tops. How long does it take to provision a server at your organization? On the motorcycle side, a Honda Shadow has a 0-60 time around 7.5 seconds. A Honda Civic takes about 9.7 seconds. Edge to the motorcycle.
Not only are the motorcycle and the Cloud cheaper and faster than the traditional options, they are sexier too. There is no arguing the romantic and rebellious mystique of the motorcycle and its rider. Popular culture continuously reinforces this image. On the other side of the coin, the Cloud is the new sexy for consumer technology and employees want to bring it to work. What's got more IT Hipster cred than casually mentioning at a networking function that your organization has embraced the Cloud. You are definitely one of the cool kids if you have the Cloud.
The upside to the Cloud is pretty compelling. Now for the down side. On a motorcycle, you can kill yourself in a hurry. You lack the protective shell a car provides. If everything doesn't go perfectly, you could have a Bad Day™ in a hurry. The same goes for the Cloud. You give up some of the protection you have in controlling the physical aspect of your data and servers. You now lack the protective shell that is your data center and all the control it gives you.
You also need to think differently when you use a motorcycle or a Cloud service. Running around at 65 MPH on two wheels relies on a different subset of the laws of physics than does a four wheeled car. The driver must adjust his or her technique to pilot the motorcycle safely and effectively. Similarly, the Cloud uses a different paradigm of IT service delivery and follows different rules than the traditional data center. Organizations must alter their management techniques to accommodate this different collection of constraints.
Because we make tradeoffs with both motorcycles and the Cloud, there are some mitigations we can implement to reduce our new risk exposure. With a motorcycle, we can use a helmet, special protective clothing to minimize road rash, and take special motorcycle driving classes to help us understand the new rules of physics we must master. On the Cloud side we can use encryption to protect the data at rest and in motion, we can use contracts to clearly describe the terms and conditions to minimize our risk exposure, and we can train our security personnel to consider the new challenges and risks of the Cloud. (BTW, the Cloud Security Alliance has the best collection of resources on Cloud Security that I can find.) These steps can go a long way to minimize our risk exposure.
Finally, we can do all the right things to protect ourselves and our data, but ultimately the people with whom we share the road have a greater impact on our safety and security than we do. If we are driving our motorcycle in full leathers and helmet with our motorcycle endorsement on our license, but that Mack truck still misses us in his blind spot we are screwed. We can do it all right, but if that car backs out in front of us as we are riding down the road, we will flip right over the handle bars and skitter across the roof of the car that hit us. The Cloud is the same way. We can do everything right from a security and legal perspective, but if there is a breach of our data in the Cloud we are just as screwed as if we stored it in our data center. We might be even more screwed if the prosecutor can convince the jury that only an idiot would give up positive control of their sensitive data.
In summary, both the motorcycle and the Cloud are tools. They are powerful tools that can make your life easier and more enjoyable or they can kill you dead in the blink of an eye. Whether the Risk:Reward ratio is acceptable for your organization, only the business leaders can decide ultimately. I think this analogy can help them put it in perspective though.
I bounced this analogy off a peer group last week and it seemed to go over well. Let me know what you think in the comments. I'd love to refine this analogy so others can use it too.