Cloud computing is certainly getting a lot of attention lately. It’s definitely a big thing, but it’s not a new thing. I’ve said before (and YES, I’m going to say it again) it’s really just the old “Mainframe with a smart terminal” model. However, it is different in that the Cloud brings together many different assets, with many different owners. If there is anything new to the model, it is the question of trust and reliability. When PC’s began their rise in corporations 30 years ago, many IT departments were horrified. The Mainframes and other systems in corporations were far more secure; PC’s were just too open: too little security, too many hardware manufacturers and software developers. It was just too much to keep track of and ensure that everything works the way you expect. With the cloud, you need to depend on services, sites and systems that you do not physically control. Even if you do negotiate a deal with a Cloud service that gives you everything you need, how do you know that the service is working according to your agreement?
Moving into the Cloud means revisiting a lot of the security and compliance issues that you worked out years ago. At least this time, the PC is a mature technology and the Cloud is offering products that at least claim to address security issues. However, the problem is that the Cloud is going to be made up of a lot of other devices, such as iPads and other slates, a smattering of hybrid data devices (hyper smart watches and computer enabled devices) and smart phones…. especially smart phones. In 2011 more smart phones will be sold than computers. And every one of these 300 million or more smart phones are going to join the Cloud. That’s a big problem for IT, but it’s also going to be a big problem for other departments. Specifically, your Legal department.
In the Post-Cloud world, what will happen when you have to produce documentation in a lawsuit? You would identify the users, collect some hard drives, round-up the servers, copy the data… same as today. But what about those pesky smart phones? Certainly your executives are sending corporate emails over their phones, maybe instant messages and other texting as well. What about junior executives? Being brought up with Twitter and Facebook, they probably combine personal messages with corporate communications on their phones… even if they are provided by the firm. If these are corporate phones… making them that much more discoverable… everyone might have had enough training to know that they are not to blog about clients. What about secretaries? A secretaries’ phone probably isn’t company owned, so it should be excluded from the discovery process, right? Even if it’s taken to work every day, and the boss regularly sends work related texts to his secretary? Let’s recap.
- The Cloud: Time to deal with old problems all over again. Maybe even rethinking fundamental security issues, such as…
- Executives: Get some extra training ready! They need to understand the risks of mixing personal and corporate communications.
- Junior Executives: A generation younger than upper management, they are more technically savvy and more deeply embedded into social networks. They blog, they tweet, and they were brought up to share the most trivial details of their lives. Will they resist the urge to use social media to spread details about work? Maybe, but not on their own! Start developing a re-education boot camp for these users. Be sure to develop concrete rules that makes it absolutely clear that social networking CANNOT feed off of details of work at the office. For regulated industries like Investment Banking, think about adding a boot camp to the Analyst and Associate on boarding programs!
- Secretaries, admins and other support: This is going to be challenging! Did you know that a recent smart phone feature is “tethering”? A tethered phone becomes a wireless hub, inside of your corporation but completely outside of your control. You may already have dozens, and soon hundreds of these new networks inside your facilities. How responsible are you for the data traveling over these networks if they are working on your property, under your employees control? I can’t even imagine what new security busting features are under development! And if your admins are spending their time (during lunch?) to update their personal blog and they happen to mention some amusing details about what a client or executive did today… does this action add this phone to the discovery process? Lots to think about!
This is early thinking, and there isn’t enough precedent to guide us, but you can expect these questions will come up repeatedly. Think about the many millions of social network users out there, some of which must work for your firm. What are they spending all of their time talking about? What are they using for content to fill the millions of blogs and billions of tweets? Answers to this question will, over time, cause ever larger parts of your cloud to be included in the forensic process for every lawsuit your company is involved in. Pretty scary, but… that’s my Niccolls worth for today!