Movie fans and free speech advocates flocked to The Interview over the holiday weekend thanks to the power of cloud infrastructure. Although a few hundred independent theaters showed the movie, as I detail in this column the vast majority of viewers were in front of their big screens streaming the movie via Google Play, YouTube and Xbox Video. Indeed, online sales were over five times those at the box office. Media watchers will debate the financial implications of this experiment in concurrent video-on-demand (VOD) availability for a first-run movie; however, I argue that there’s a more important lesson for business and IT executives. The Interview and L’Affaire Sony serve as an example of the benefits of cloud infrastructure for the deployment and distribution of enterprise applications and information. In an era of increasingly potent and malicious cyber crime, the wide availability of inexpensive, reliable and scalable cloud services means the cloud should be the distribution platform of choice.
This represents a big change from the marginalized status of cloud services in most large enterprises. Public clouds, long appreciated for their convenience and flexibility, are still typically used for the development, testing and pilot release of new and unproven applications. But as the Sony hack demonstrates, services like AWS, Azure, Google Cloud and others are ready and able to take on mission-critical, revenue-producing applications. Indeed, cloud services will come to be valued more for their reliability, data security and central manageability than for cost and convenience.
An examination of the Sony exploit reveals that the information loss was primarily due to poorly secured internal systems that were easily accessed once the attackers were inside the corporate firewall. Once inside Sony’s infrastructure, the hackers had free rein to roam around for months trolling for interesting tidbits including those infamous emails from Exchange servers, HR records, financial spreadsheets, contract documents and movie video files.
The case for using cloud services stems from flaws in typical enterprise infrastructure design epitomized by Sony: like a box of chocolates, they’re hard on the outside and soft on the inside. By moving sensitive information to cloud services and off vulnerable internal PCs and servers, which are connected by internal networks that allow hackers to surreptitiously hopscotch between systems, enterprises can prevent, or at least mitigate, similar corporate data dumps and the accompanying embarrassment and financial loss.
Cloud Service Providers as Information Custodians
In the column, I draw an analogy between banks as stewards and protectors of financial assets and cloud service providers (CSPs) as protectors of digital valuables. The common elements are the resources, expertise and sophistication required to protect said valuables from increasingly savvy, devious and malevolent threats. As in the financial realm, I contend that most enterprises are outmatched by today’s attackers and that CSPs are inherently better at cyber security and data protection. This realization should shift the debate between enterprise IT and C-level business managers about the speed and extent of cloud service adoption. The perception of public clouds will shift from ‘risky new technology’ to ‘the most secure, cost-effective means of delivering applications.’
Andreessen Horowitz partner and former head of Microsoft’s Windows division, Steven Sinofsky, also argues that the debate over on-premise versus cloud infrastructure is ending. In a column outlining Trends, Choices and Technologies for 2015, Sinofsky writes:
The most substantial development in 2015 will be enterprises defaulting to multi-tenant, public-cloud solutions recognizing that the perceived risks or performance and scale challenges are far less than any existing on-prem or hosted solution or upgrade of the same. The biggest drivers will prove to be the need for primarily mobile access, cross-enterprise collaboration and even security.
Among his other predictions, Sinofsky also contends that the days of using email as a discussion and collaboration platform, and bulky document attachments as a primary means of information distribution and collection, must end. The overuse and misuse of email was the primary source of harmful and compromising leaks in the Sony case, and I contend much of that information would never have left Sony’s control had it used centrally managed, cloud-based file sharing and collaboration platforms. As Sinofsky puts it:
Using cloud-based documents supports an organization knowing where the single, true copy resides, without concern that the asset will proliferate. Mobile devices can use more secure viewers to see, print and annotate documents, without making copies unnecessarily. The idea of having a local copy of attachments (or mail), or even just an inbox of attachments, is proving to be a security nightmare. [emphasis added]
Sony’s damages would have been greatly mitigated had it operated email on a cloud service like Google Apps or Office 365 where a compromised password only exposes information from a single account, not the entire company message database. The information loss would have been even smaller had the email repository not also been a treasure trove of document attachments. Enterprises should instead move collaboration and file sharing to more appropriate cloud services like Exo, Glip, Jive, Box, Dropbox and Syncplicity and adopt Sinofsky’s advice of saving “email for introduction, announcements and other one-to-many communications.”
Cloud services provide tightly managed, granular, role-based access controls that not only thwart massive document dumps by hackers who compromise an entire file server or email database, but also facilitate usage tracking, secure mobile access and a “single version of the truth”. Sinofsky cites several useful examples for business:
Services like DocSend can track usage of high-value documents. Textio can analyze cloud-based documents without having to extract them from a mail store, or try to locate them on file shares. Quip edits documents and basic spreadsheets, and integrates contextual messaging avoiding both mail and attachments while safely spanning org boundaries.
Perception Pivot: Clouds as the Secure Option
I agree with Sinofsky that security could be the most important factor behind a dramatic increase in cloud use by business this year. It’s ironic given the early FUD spread by incumbent IT vendors and entrenched IT pros about cloud services: that they are insecure, unreliable, beyond IT’s control and generally scary places to store your data and run applications. Despite the occasional (brief) outage and theoretical (if not actualized) security threat, the Sony incident underscores the chasm between the (lack of) security practices in many enterprises and those in place at the largest CSPs. Business execs must demand IT provide a complete and honest assessment of their cyber security, asking the question: do you seriously think you’re more secure and reliable than Amazon, Google and Microsoft? If so, prove it.
After some due diligence, it will dawn on business executives that building private information fortresses and staffing an independent cyber security army is a losing proposition. Instead, security will be one more area where cloud economies of scale prove irresistibly compelling. Sinofsky nails the case:
If you use public cloud services on next-generation platforms you aren’t guaranteed security, but it is highly likely that the team has assembled more talent and has an existential focus on security that is very difficult for most enterprises to duplicate. If you use cloud services rather than local or LAN storage for documents, not only do you gain many features, but you gain a level of security you otherwise lack. Not only is this counterintuitive, it is challenging to internalize on many dimensions. It is also the only line of sight to a solution.
IT as API
Once IT becomes an API, whether to a data center like AWS or a SaaS application like Salesforce, the barriers to using external infrastructure and applications become little more than configuration details. As I conclude in the original column, The Interview won’t just be a seminal moment in the ascendance of video-on-demand as the primary means of movie distribution, but also in demonstrating the superiority of cloud infrastructure (IaaS) and ‘packaged’ software (SaaS) as a means of buying and deploying enterprise applications.