Andy Mulholland, CTO, Capgemini
The past week has not been a great one for the 'technology society' in which everyone is connected and able to develop and use various technologies. First Amazon Web Services went down for a USA region, and then Sony PlayStation customers had their full identities stolen. Not good, as the saying goes, and it has probably resulted in a large number of CIOs saying something like 'I told you that you shouldn't be using AWS', whilst anxiously re-examining their security systems. So is this a reason to return to internal IT with strong firewalls and give up on online business, social CRM, etc.?
Well, it is certainly a reason to re-establish some sensible controls, and practices, over activities that might have got just a bit too casual as business users and their managers experimented with new 'simple' solutions that 'didn't need the IT department'. But it's also time to question what really happened and what it should be telling us about the new world and its use of technology. Let's start with the Sony security incident, which made the headlines because of the household name and the scale involved, but which is in fact merely the latest 'break-in' of this type. Centralised systems holding details such as these are not new; every enterprise holds client records. What is new is the accessibility of such systems, and the use made of them by an enterprise's customers.
Sony needs to secure the premises and the business process (think of it as one of their high street shops), but customers equally need to secure their cash and credit cards when in the shop, as their side of good practice. In the deluge of comments on the hacking, the one that stood out stressed that we all need to understand our side of the new business model. The advice given was to use a different password for each online business, such as Sony, to which you provide details. Okay, difficult to manage perhaps, but simple, sane advice, so how to do it? Try the solution developed by Bikerdr (you will need to scan down the page) for an interestingly new approach; maybe someone will do some quick development work and produce this as an enterprise-level solution.
There is a similar argument to be made about shifting, or sharing, the responsibility in the case of the Amazon Web Services issues. ZDNet covered the news at the time but has since published a follow-on 'post mortem'. This post, by Phil Wainwright, who has been following all aspects of SaaS into cloud for several years and is well informed, has some interesting further links, including one to a further ZDNet piece he wrote that offers a very practical 'seven lessons' from the Amazon outage. In the list Phil points out that if you didn't plan for Amazon's failure then you share the blame. The same point applies to Sony etc. above.
So clearly we should be designing our apps to fail? That's easy to say but not so easy to square with the basic idea that we can have cheap and flexible apps for short periods. A much more radical approach to exactly what technology we are using, and exactly what that means in terms of expectations and options, is, I believe, called for. At the root of this is the difference between TCP-based cloud services and UDP-based cloud services, a little-understood topic, which in this case can be summarised as: AWS uses UDP as a basis for its clouds, and most IT departments have an expectation that the service level they will receive is that of a TCP cloud. Some people think that this is a controversial argument, but at its root is a very simple set of differences, starting with TCP being connection-oriented and UDP being connectionless. This yin-yang occurs at every level of the two approaches, and hopefully I have now interested you enough to go to the lively and interesting blog of Massimo on IT 2.0 and next-generation IT infrastructures, in which he discusses this topic.
The big point of this post is: 'are you a victim of circumstances, or have you figured out the need to understand the circumstances, and take back some elements of control?'