Locking Down the Cloud: Dealing with Complexity

I love this illustration from a recent Netskope Cloud Report.


The IT guy, standing in his dinghy, is estimating that he has 40-50 cloud apps running in his enterprise.

But check out that submerged iceberg: it’s more like 397! That’s nearly 10x the IT estimate.

You’ll notice that Netskope also points out that 77 percent of those apps are not enterprise ready. We’re talking consumer cloud apps like Dropbox, Evernote, Twitter, and so on. We’re talking all those “stealth IT” and “shadow IT” sites that employees set up on their own -- to prototype an idea, or get a specific task done, fast.

And I haven’t even mentioned mobile phones, and a new crop of devices every year.

What this points out to me is just how cloud-complicated the IT professional’s life is today. If you are managing an enterprise, you are already in the cloud, like it or not.

Allen Falcon, the CEO of Cumulus Global, which resells, integrates, and manages cloud services for hundreds of clients, including many school districts, is not surprised by the difference between the view from IT and the reality.

“The amount of information moving around today is staggering,” he said. “When I suggest certain automated management services to business owners I will frequently get a skeptical response.”

The boss will say, “We just don’t have that many files that have to be managed.”

Then Allen tells him that his employees accessed 7,000 files last week.

“They are always shocked,” Allen said.

The biggest challenge for today’s IT staffs, according to Allen?

“Too much,” he responded simply. “Too many threats, too many files, too many viruses, too many devices, too many cloud services…”

That Future of Cloud Computing survey I cited in a previous post also addressed this issue: 46 percent of the respondents were worried that IT management will grow more complex as workloads move to cloud.

“People are accepting and adopting cloud, but they also realize it’s not as easy as it should be,” said Michael Skok, a general partner with North Bridge Venture Partners, which sponsored the survey. “We’re still very early in the market here, and this worry over complexity tells me we have industry issues to resolve.”

Hence: automation.

Recently I heard VMware’s Nicholas Weaver refer to automation as “effort evolution.” That’s a good way of putting it.

Automation gives IT staffs a way to evolve with their expanding enterprises in the cloud, because manual configuration is just too time-consuming. Automation reduces costs, increases business agility, and helps prevent variations that could create vulnerabilities.

“One of the challenges with security, and with cloud in general, is the difficulty in finding resources to accomplish all of the required tasks,” Oliver Wai told me. “The cloud solves that problem by moving some of the ‘nuts & bolts,’ like provisioning and basic configuration, to the cloud. That enables teams to focus on their main tasks and that is the delivery of applications or services that their customers care about.”

And it’s not just security. Automation can also help IT staffs better manage governance and compliance. Processes can be baked into virtual machines and cloud resources so that developers and others are forced to comply with best practices.

Jason Sabin, of DigiCert, told me that he uses automation to create an audit trail of all activity, which allows his team to look for irregularities and problem areas to address.

“Auditing is a must for cloud-based security,” Jason said. “When using any type of automation, auditing the compliance of the activities is mandatory. Because an administrator needs to be able to come back and check upon what has occurred at any point in time.”

Mike Kavis also recommends using automation to stay on top of ballooning issues of certification and governance.

“Most software built in the cloud today is expected to be held to stringent security standards as defined by regulations such as HIPAA, PCI, SSAE16-SOC, and many others,” he said. “In order to pass the certifications for these regulations, auditors must see proof of enforcement of various security best practices.”

That submerged iceberg of work pictured above? Automation will make it easier to secure, and prove that it’s secure.

“Proving that a system is secure is a difficult task if you try to address it manually,” Mike said. “It’s much easier if it’s automated.”