The metal spike experiment…
Why security matters to cloud providers…
If we placed a metal spike in the middle of the steering wheel of all cars, people would drive more carefully and there would be less casualties.
Every now and then the thought-experiment outlined above crosses my path. And on face value it seems logical. Driving our cars is by far the most risky activity of any day, yet, we get into our cards every day and don’t give it a second thought. Part of this is because we, human, are biased in our interpretation of risk. In his book Beyond Fear, Bruce Scheiner describes five common pathologies that bias our risk perception:
- People exaggerate spectacular but rare risks and downplay common risks.
- People have trouble estimating risks for anything not exactly like their normal situation.
- Personified risks are perceived to be greater than anonymous risks.
- People underestimate risks they willingly take and overestimate risks in situations they can’t control.
- People overestimate risks that are being talked about and remain an object of public scrutiny.
Putting a metal spike on the steering wheel alters our risk perception of driving, because:
- Being impaled by a metal spike is a spectacular way to die that is currently quite rare.
- It makes the risk quite up-close and personal.
- Nobody is willing to take the risk of impalement, just to get to work, especially since this risk depends on other drivers.
Will it make driving safer? Well, I like to think that there will be short term effect at least. Some people will not get in the car, leading to less traffic on the road, and thus less accidents. And, those that get on the road will drive slowly and carefully and cause less accidents. But, the most important contribution to overall road safety will be the fact that traffic will come to a grinding halt, because quite a few people will not be willing to drive a fast as they are currently going. After all, the breaks on your car allow you to go faster.
So, how does this apply to cloud security?
One of the main benefits of cloud, is velocity, the ability to go where you need to go really fast. However, just going fast is not good enough, (cyber)security is a topic of discussion in the board room these days. Since, (almost) nobody will be willing to step into the gunshot seat of a a ultra-fast sports car if a shiny metal spike is clearly mounted in front of them, nobody is willing to adopt a cloud technology that’s is clearly unsafe, and for a long cloud has been perceived as such.
This is where there is another analogy between cars and clouds. Safety sells.
Right now both Google and Amazon AWS are investing quite heavily into their clouds and security features are getting a big share of this investment. Encryption at rest and in transit are standard and many features are deny by default until you enable them.
However, the best engineering cannot protect a person that is deliberately trying to harm himself or just really, really stupid. Just deploying a workload in the cloud without any consideration for security is really stupid.
If used correctly, the cloud and all its safety features help you get to reach a dream velocity.
