I don’t consider myself a huge cloud promoter, but articles like “Experts: Cloud Brings Vulnerabilities” from Defense News drive me crazy.
If you read as many articles about IT as I do, you’ll recognize this character: the Reactionary Skeptic. It’s great work, if you can get it. I’ve been guilty of it myself. The formula is simple: identify a trend, and then argue that caution is necessary. You are the voice of reason, of pragmatism, and the position is unassailable because who would argue against caution? The Reactionary Skeptic is so common a trope that they even have a catchphrase: “Devil’s in the details.”
The trouble with the Reactionary Skeptic is that it’s a bloodless position. There’s no vision. The article is filled with warnings without a single suggestion for improving the situation. Altogether, the message being communicated to government is: Be Afraid. This kind of article encourages a fearful conservatism, which is the most toxic trait in government managers today.
To make matters worse, many of the objections in this article are specious, not specific to cloud, or conflate unrelated issues.
“There are specific vulnerabilities associated with cloud architecture that, as far as I can tell, have not been fully and adequately addressed,” said Moulton, who previously served in the U.S. Air Force doing special operations communications.
What kind of vulnerabilities is he talking about? No way to tell, because we move immediately to another concern:
“When there is no centralized control of all those systems, there is no central place to [get] access to everything else,” Bejtlich said. “Is it better to have everyone decide how to deploy their systems independently, or is it better to have one super-image that we believe contains the best security posture?”
Here, we’ve conflated cloud-based computing with monoculture. They are by no means the same thing. It’s perfectly possible to have a variety of security postures sharing the same cloud environment. In any case, this is a question of strategy that any IT security staff must answer, with or without a cloud.
“There’s the rush to this, and everyone thinks they’re going to save so much money and manpower,” he said. “I don’t agree with that broad assumption.”
Here’s a strawman. Few people would agree that clouds are about saving money and manpower. Yes, there may be gains from consolidation, but most folks want to use cloud to turn capital expenses into operating expenses and thereby introduce more agility into their infrastructure.
“You have to have a ton of trust because you’re basically turning over your crown jewels to a service provider that may not be in business next week,” Moulton said.
If you read any of the cloud strategies, nobody’s planning to deploy their “crown jewels” into a public service provider. Moulton assumes a black-and-white world of cloud deployments, when most shops are far more practical and explicitly advocate a mix of public, community, and private resources.
Instead of brandishing unmoored anxiety, bring something to the table. Offer alternatives. Suggest opportunities for research. Anything that might help the industry move forward. If you don’t have a productive suggestion for improvement, or can’t articulate an alternate vision of the world, you’re just heckling.
I don’t blame Moulton, Bejtlich, or even Fryer-Biggs for the quality of this piece. What’s at fault is an industry whose media is literally obsessed with failure and the potential for failure, which makes it way too easy to publish a piece like this. As long as fear drives page views, we’ll continue to see the Reactionary Skeptic.