Friday, March 11, 2011

Legacy infrastructure and the Cloud

In the March 7, 2011, edition of Network World magazine, John Dix (editor) has a foreword titled “The new cloud tool kit.” I’m always interested in anything having to do with “the cloud” because I see it as the future of computing. One thing that bugged me was his reference to “legacy infrastructure.” Legacy (in IT terms) implies something that is not used much anymore but must be kept around.

Even the smallest organizations have a local area network – a collection of computers (laptops, desktops, servers or any combination of them) along with networking gear (switches, wireless access points, firewalls, routers or any combination of them) that enables users to connect to resources locally and on the Internet. This will never go away as long as employees go to a central location (aka, the office) to work. Remember that proximity helps people work faster. The firm I work for falls into this category – actually, we have four locations, each with a LAN. I've woven these four (4) locations together into a WAN (wide area network). My focus, as a Technology Manager, has been to build out a network architecture that is both stable and flexible.

The single point of failure in most organizations (whether they are doing everything in “the cloud,” using on-premises servers, or a hybrid of both) is connectivity to the Internet. Most firms have but a single connection to the Internet. What happens when that connection goes down? Sure, you have an SLA with the ISP, but what happens during the time they figure out what is wrong? Buying connectivity from two different ISPs is possible, but that can get expensive and add tremendous complexity to your network as you try and “bond” the two Internet connections to your routing gear – trust me, it isn’t easy and doesn’t always work as advertised. Ever heard of Voice-over-IP? That runs on the Internet too. And guess what happens if your VoIP solution is hosted? No Internet access means no calls.

Let’s not forget about Identification, Authentication, and Authorization. A good principle to follow (whether we are talking about IT or anything else) is “trust but verify.” How do you identify who is trying to access important systems & data? How do you extend your current Identification infrastructure to “the cloud?” What happens when you have five (5) different SaaS solutions but none of them talk to each other or share customer data? What happens when a cloud vendor goes bye-bye (just like any other vendor, IT related or not)?

There is still a compelling need to control your computing resources. IT is part of the core competency of every organization these days because no one can do business without IT. Try telling a potential customer you don’t have a website, email address, or phone number and see how long they stay your customer.

It is my belief that there will always be some kind of centralized control around user Identification & Access to important systems & data. Maybe it’s Role Based Access Controls (RBAC) or at the very least it must be Mandatory Access Controls (MAC).

Rob Hiltbrand, MS, CISSP
