Posts

CEO Perspectives 3: Reconsidering Security

When the subject of cloud computing comes up, one question seems to always be lurking in the backs of our minds: Is it secure?  This is particularly true for real-time systems.  Indeed, many engineers are reluctant to share their data even with their own company’s IT department, much less put it on the cloud.  Yet pressure from management, associates, and customers to access data from real-time systems is causing more and more companies to consider cloud-based solutions.  When they take a serious look, they may find themselves reconsidering security—and their assumptions about it.

The inescapable fact of computers is that there will always be security threats.  Andrew McAfee put it this way: “The only way to have 100% computer security is to have zero computers.”  All systems, cloud-based or not, need to implement security.  What’s different about a cloud-based system?

When you think of cloud computing, think aggregation.  Cloud companies bring together many customers to provide top-quality software and services at very competitive prices.  The successful ones also provide top-quality security, because the size of their customer base makes them good targets for hackers.  To fend off attacks and protect their business, cloud companies thus need to expend more effort on security than most other companies.  They need to hire the best security experts, and maintain a higher standard of vigilance than a typical factory or water treatment plant.

An "Access Denied" message.A recent blog on CloudTech by ZapThink  mentions these factors in a comparison of public and private clouds.  They point out several ways that a private cloud, which tends to be more do-it-yourself in terms of security, can actually be less secure than a public cloud.  Factors such as infrequent hardware updates, less stringent testing, variable staff capabilities, and a lack of awareness of security risks even within firewalls all contribute to the possibility of less-than-optimal levels of security on home-grown systems.

In addition to external threats of malicious hackers, there is also the question of internal security.  You may have analysts in the head office, technicians out at a remote site, and operators on a production line all accessing the system, but different parts of it.  Different groups need to be identified, and individual authentication capabilities built into the security model on that basis.  The article “What Every CEO Needs to Know About the Cloud” states that because cloud computing was originally developed for individuals or peer groups rather than corporate systems, this has been a weak point for some cloud providers.  Vendors are aware of this issue, and most are expecting to provide administrative security functionality in their systems fairly soon.

The lesson here for anyone considering putting real-time data on the cloud is that there is no need to throw out the baby with the bathwater, citing lack of security.  For external threats, cloud systems may actually offer more protection than an in-house system.  These threats can be mitigated further by ensuring that all firewalls stay closed, and that there is a one-way flow of data to the cloud.  For internal confidentiality, any envisioned cloud system should be able to provide authentication and authorization as well as a traditional platform.  If there is as yet limited choice for such a system, more will become available soon.  Demand for cloud computing continues to grow.

CEO Perspectives 2: Changing Misconceptions

Expanding into the cloud is like pioneering into new terrain.  Some have gone there and come back with amazing stories.  Others have moved out, lock, stock, and barrel, and keep writing letters, telling us how wonderful it is.  We may experience a longing for adventure and profit, but there are doubts and fears to overcome.  How much will it cost?  What will I have to give up?  What if something goes wrong?  How do I know I’ll be safe?

New terrain.Since cloud computing is new and unknown, it is natural that these questions arise.  For answers, we turn to seasoned travellers who have explored the new terrain and who also understand our concerns.  Last week we mentioned one such specialist, Andrew McAfee, a principal research scientist at MIT who studies how technology is changing the business world.  In his article  What Every CEO Needs to Know About the Cloud, McAfee addresses the concerns of the business community: cost, reliability, and security, in a somewhat unexpected way.  His insights suggest that we may be moving into a space where the old rules don’t always apply.

Take cost, for example.  It’s hard to predict.  There are some studies that show costs double when you move to the cloud, and yet other studies indicate that it is cheaper in the long run.  Which to believe?  McAfee says that it really doesn’t matter.  IT is such a small part of a company’s budget anyway–about 3.2% on average, according to Gartner–that cost is not a big issue.  Furthermore, with cloud providers taking advantage of the economies of scale, and with hardware prices going down all the time, the costs of cloud computing will be continually decreasing for the expected future.  So cost is not as big an obstacle as we might expect.

Reliability is another example.  People look at the Amazon outage of last year and ask, “How can we trust the cloud?”  McAfee points out that at least one company glided right through the crisis: Netflix.  They had anticipated such a scenario, and built redundancy into their system to withstand a service interruption.  So the show went on for Netflix, without missing a beat or dropping a customer.  What’s more, argues McAfee, many cloud services have a higher reliability record than on-premise implementations.  According to the Radicati Group, Gmail’s available up-time is over 99.9%, making it more than 30 times more reliable than most corporate email systems.

Whoa, hold on a minute there, partner.  We’re talking real-time here, not email.  Let’s bring the discussion up to speed and consider how all this applies to a mission-critical real-time system.  OK, the lesson from Netflix is useful.  A real-time cloud implementation should be able to provide some kind of redundancy, preferably through multiple vendors, or if not, at least through functionally isolated, physically separated systems.  At the same time, doing better than a corporate email provider sets a pretty low bar.   It begs the question:

Is it possible for a cloud system to be reliable enough for real-time data?

Which brings us to a final misconception, not specifically mentioned by McAfee, but important to us.  We need to clear up the either/or mindset.  We have to stop asking: cloud or no cloud?  Should I drop everything and move on to the bold, new frontier, or stay here with the wimps and Caspar Milquetoasts?  This is a false dichotomy.  Nowadays the cloud is more than an open public space “out there” that somehow receives and delivers data in vague and mysterious ways.  We have options, such as private clouds for tight control, and hybrid clouds to isolate the machinery, PLCs, and SCADA controls of an industrial plant system from managers and analysts who are authorized to access the plant data via the cloud.  In either scenario, the vital heart of the control system is not exposed to the cloud.

The important thing to remember is that the new frontier out there beckoning us onward is not so scary or inaccessible as it may seem.  It is possible to build an outpost, and still hold the main fort on your real-time data.  However, there is at least one more area of misconceptions to look at: security.  We’ll talk about that next week.

CEO Perspectives 1: Surprise Benefits

Recently the Harvard Business Review reprinted an article by Andrew McAfee titled: What Every CEO Needs to Know About the Cloud.   McAfee is a principal research scientist at MIT who studies how technology is changing the business world.  In addition to providing a clear, concise introduction to cloud computing for a CEO, McAfee suggests that we don’t really know all the implications of cloud computing, and he points to a number of benefits that might come as a surprise.

To shake us out of our old habits of thinking, McAfee compares the shift from traditional IT into the cloud to a shift that took place in factories a century ago when steam power was replaced with electric power.  There were real costs involved in such a fundamental change: completely rebuilding production lines, buying and installing new equipment, and retraining or rehiring staff.  At a time when power was distributed mechanically from a central steam engine, few people could envision a factory where each tool has its own built-in electric motor.  Now it’s impossible to imagine ever going back.

In the same way, argues McAfee, the benefits from cloud computing often come in ways that exceed expectations.  He gives an example of a global contracting firm that implemented a cloud solution to provide remote access to reference data like estimates, blueprints, and images.  The time savings on data retrieval were substantial, and yet the company soon found out that a major bottleneck had been unexpectedly eliminated as well.  Before, to collaborate on such projects, an engineer would have to wait for the IT department to add the new user, give clearance for the FTP server, and provide space.  With the cloud system, the engineer can quickly enter the necessary access information and bring in a new collaborator right away, eliminating costly delays.

The article discusses other benefits of using a  cloud-based system, including providing an enterprise-wide platform for collaboration, opening new opportunities for data mining previously considered impossible, and readily enabling a space for development and hosting of new applications.  In summary, McAfee says that the cloud “allows companies to increase the scale and power of their IT and the speed at which it can be accessed and deployed.  It eliminates administrative headaches and works across locations, devices, and organizational boundaries.”

So how do these CEO perspectives apply to real-time data?  We’ve already discussed some of the benefits to expect from putting real-time data on the cloud.  What additional advantages does this new article suggest?

From our perspective, it implies the value of providing instant access to live data in real time to users in a collaborative environment.  It hints that data mining opportunities may open up when the coming “Internet of things” is connected in real time.  It leaves us wondering what would happen if an IT department could take even a part of the 89% of IT resources currently spent (on average) for infrastructure and maintenance and divert it to projects like creating seamless interoperability among all of a plant’s legacy equipment.

It is a little too soon to know exactly what to expect.  Those who implement early will be the first to find out.  And as the technology of cloud systems for real-time data matures, they will be well postioned to reap the benefits.