Cloud Affords Us many capabilities, but I will focus on one of the most important for cybersecurity: owning less. Before Cloud (BC) a company that wanted to operate IT needed to build a data center, run networks and hardware, configure operating systems, manage identities and access and much more. After 20 years of assessing companies of all sizes, I can attest that it's really challenging to secure an IT environment (well) and, more so, keep it secure over time. Many factors come into play such as how the environment has grown and business requirements, but the main two factors are complexity and lack of process. Owning less in the Cloud means the opportunity to do what the business needs without needing to be a DBA or a SIEM expert or an Active Directory guru. For companies whose main business is not IT, but rather IT supports their main business, Cloud provides a lot of opportunities to get all the juice and half the squeeze.
One of the major attractants, particularly for companies whose business is IT, is the automation and codification of infrastructure. What once took months to purchase and weeks to configure is now done in seconds and paid for by the hour. Additionally, the Platform-as-a-Service offerings allow companies to have databases without DBAs and advanced networking without network engineers. This was a game changer for running lean, however, at a cost that some are realizing is too high. In the past 5-10 years, much of the automation and codification capabilities once exclusive to the Cloud have become more available and accessible to companies who want to roll their own. Certainly, all the things I run on my servers at home would be impossible to manage (well) without containerization and automation. So, with such tooling now available, there is an argument that some companies could be as successful and secure with running modernized IT on their own. As long as they have the people and process to back it up or are willing to ruin their weekends. 🙂
I read an interesting article over the long weekend from David Heinemeier Hansson on the repatriation of his apps from the Cloud at 37signals. I have long been beating the drum to run, not walk to the Cloud, especially for small and medium enterprises who run lean IT teams and can substantially benefit from "owning less" of IT both from an operational as well as a cybersecurity perspective.
However, David brings up a good argument on why (certain) companies can and should consider migrating back to "owning" more of their IT stack for cost savings.
I asked the community last week what holds more weight: cost savings or risks of trying to do cybersecurity (well) on your own. The survey results were interesting: 31% stated the cost savings are intriguing, leading me to believe Cloud costs are becoming more of a concern. However, the higher vote of 46% was the concern that the people costs would outweigh the benefit. I tend to agree that the people (and process) costs are going to be high, especially if IT is not a core function of the business.
What are your thoughts? Novel? Crazy? Somewhere in between? Throw your comments at me.