I've been spending time researching the Cloud Computing pattern in the last week or so, and I must say I am learning a lot. I've been a big fan of Nick Carr since I saw him speak about 3 years ago, and have long appreciated the possible financial benefits for large organizations of a utility model for computing. However, I have the same feeling about some of the distributed technologies that are starting to spring up as I had when I first encountered the Internet back in '93. In other words, I think we are in for a really big paradigm shift with a lot of innovation (and I'm not talking about social networking!). Of course, I could just be getting carried away with the hype, but I think not, and this is why:
- Lots of bandwidth and always-on connections mean it's finally realistic to distribute computing tasks.
- There are a whole bunch of smart newcomers who treat the Internet as their platform (rather than an OS plus bits like MS).
- The technology stack has matured to the point where the basic foundations are already in place and mainly available as Free and Open Source Software (OS, browser, programming languages, dev environments, content management, DBMS, web protocols), making it cheap and easy to start building neat things on top, i.e. you don't need a massive budget and 100s of man-years of effort to put your ideas into practice.
- On the client side, the technologies are at a point where you can deliver a pretty rich user experience within a browser environment.
While there is the potential for some real security benefits, they are uncertain right now, and the compliance implications could be massive, especially for larger organizations, who have to worry about these kinds of things more. For this reason I think there will be a much faster adoption curve amongst SMEs and consumers. A lot of the security pieces of the jigsaw are just not in place yet. I found that when I went through the controls catalog for the pattern I am building, there were many cases where I could not assign controls, or places where it was obvious there would be a need for another service provider to step in and address a basic need.
Because of these unfulfilled needs, I suspect we will see a number of start-ups in this space who essentially provide Security as a Service for complex webs of providers, and give organizations a way of managing the risks. It will not be enough to simply get a SAS-70 or equivalent certification and consider the job done in anything other than the simplest situations. Relatively simple tasks like Identity Management become very interesting when you have a large number of cloud services interacting to fulfill a business process. How do you broker identity amongst providers and ensure that access rights are managed effectively? This and many other areas have yet to be resolved.
More thoughts as the pattern develops.