Food, Poetry, Security

National Cloud BBQ on a Train Nightmare

Leave a comment

A TechTarget writer has written an emotional rant against regulation of cloud computing. It’s thick with prose and allegory, perhaps to hide the fact that it has little to offer the reader in terms of logic and reason. Here’s a fine example:

The cloud train is rolling, and locomotives (and their engineers) do not appreciate it when morons in suits barge in and start pulling levers for no earthly good reason. I’m all for consumer privacy and commercial accountability; pass laws that simply forbid bad actions, not make technologists and enterprises jump through crazy hoops.

Simply forbid bad actions? What makes it so simple? No explanation of these simple laws is offered and they seem to contradict with his earlier argument.

First, he is asking for a blacklist, or a list of things that are disallowed. A whitelist would be a list of things allowed. There are flaws in both lists (and blacklists are especially hard to write well) so it’s best to have a balance of each.

Driving a car, for example, you will see signs that say “No right turn” as well as signs that say “Speed 55”. A car that makes a right turn is violating the blacklist, a car that drives more than 55 is violating the whitelist. Actually, to be more accurate, anyone who is driving a speed that is “safe and prudent for current conditions” is on the whitelist. Imagine an intersection that has a sign posted for every conceivable “bad action” with a vehicle and you will see why blacklists are not so simple.

Second, let’s say we go along with the author’s suggestion and only write blacklists, we still need cloud environments to accept them. The common way to audit a company for adoption of a rule is to review their written/documented policies. So it’s probably safe to say that the author intends for his “forbid bad actions” laws to be turned into company policy, which then needs to be audited. That turns out to be what is being proposed and yet what he is trying to complain about — a contradiction.

The DATA legislation, for example, would call for IT shops to “require each person engaged in interstate commerce that owns or possesses data containing personal information, or contracts to have any third-party entity maintain such data for such person, to establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information.”

No matter where you or your data resides, it is subject to audits on demand. Your data management tools can handle that in a snap, right? On no wait, they can’t. Those tools don’t exist. Looks like you’ll be on your knees begging sales, HR, your payment processors, your vendors, your partners and your customers for all that crap — and legal will still find a way to blame IT.

His interpretation is clearly off the mark (another reason why blacklists are not simple). The legislation he quotes asks an auditor to confirm that polices and procedures for security practices are in place. This is not a request for “data management tools”. Note the contempt the author has for “legal”. Perhaps it’s the same contempt he has for the “morons in suits”?

The author is basically expressing frustration with regulation at a very visceral but unqualified level. We’ve all been there. Then we calm down and do the research. Some laws are just written poorly and need to be improved, while some laws are based on real harm. Thus, without quantifying a negative example, his argument boils away entirely. The one and only case he gives us is that some people” he knows use multiple systems.

“The move to the cloud is one of the defining information technology trends of the early 21st century,” says John Villasenor of the Brookings Institution. Therefore, he writes in part, the feds should probably clarify what it means to read regulated email or electronic documents on your phone while overseas.

Please, dear god, no. Do not do that. I’ve seen federal data standards in action. I know people with two phones and three computers they have to use for different federal requirements. They have to fill out paperwork if they send an email from the wrong device. It’s like Kafka meets Cthulhu and the end result torments your soul in non-Euclidean email shape for the rest of eternity.

I’m missing the jump from using three different devices to Kafka and HP Lovecraft. And then to prayer? Seriously. I use dozens of devices for different requirements every day and if I make a mistake that involves risk to others’ data, then I’ll be filling out paperwork. It makes sense to me when regulations reflect appropriate ways to deal with risk. I see the 50% risk reduction from seatbelts and I take the time to put mine on, even without the fine.

Incidentally, religion and god…very regulatory.

I could tell all my clients to just trust me and keep their audits and regulations to themselves, but that’s not going to compete very well when there are others who agree to the common practices of transparency and disclosure in their work. In other words, and to turn it around, those who want to compete on a level playing field will appreciate rules that embody common practices to reduce risk. Restaurants who keep their kitchens clean to protect the health of their customers also do not want to be disadvantaged against their competition for doing the right thing (whitelist).

As much as I would like to say that I find the author’s playfulness with language amusing, instead I find his style has too much emphasis on apathy and impatience. Compliance is “extremely boring”?

Two items in the extremely boring but very important arena of federal regulations came up this week that touch on cloud computing…

[…]

If you think that reporting on, reading about or examining federal regulation of the IT sector is hot stuff and not boring, I do not want to come to your cookout. However, it is incredibly important right now, in the same way a truck is incredibly important when you are standing on the highway.

Oh no, risk mitigation is coming. Hide the kids before the risk reduction measures are here. The truck simile makes no sense.

I’m sure he would turn down my invitation to a cookout, since I would have put it the other way. If you think everything and everyone should get out of the way of a truck just because it’s barreling down the highway…then you either don’t believe in the market for brakes and suspension products or you under appreciate how exciting it can be to help save lives and create prosperity. The nightmare is a world that has no way to stop giant trucks from running us over.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.