
Does Fake Cloud Matter?

By Anton Chuvakin | April 11, 2019 | 4 Comments


Following on the cloud theme from “Psychoanalyzing Security Cloud Fears”, here is another one: does fake cloud matter?

First, what is FAKE CLOUD? The classic and most crisp fake cloud example (that used to be called “cloudwashing”) is traditional software hosted … well… somewhere else. Like in your uncle Bob’s often-flooded basement, say. Or say at a neighborhood Bob’s Used Car Garage and Totally Secure MSSP franchise. Or even right at your tool vendor, Bob’s Incompetent Dev But Worse Ops shop.


Funny enough, the above visual is not true for real cloud (like say for a modern PaaS), but very much true for fake cloud.

So, does fake cloud matter? Chances are some security tools you use today are delivered via a “fake cloud” delivery model. But does it matter for you, operationally? How is “fake cloud” inferior to a native cloud application? But, more importantly, is it?

I think the answer is SOMETIMES. For example, when we did our SaaS SIEM research (paper), we learned that most people who wanted a SaaS SIEM simply hated the need to manage the SIEM boxes (appliances, software, storage, etc) above all other challenges. In this case, fake cloud or hosted, single-tenant legacy SIEM will suffice and will in fact deliver on THEIR VIEW of cloud benefits.

However, fake cloud has a tendency of being more – not less – expensive than buying software and running it on-premise. Now, my point is that it is NOT obviously cheaper; it can go either way. For example, if your “cloud” SEM vendor needs to store data inside a public cloud provider, guess who is paying all that cost, plus vendor margins on top? BTW, a fake cloud vendor is more likely to not use efficient cloud-native storage methods, and the methods it uses instead tend to be pricier (e.g. instance storage vs S3 vs Glacier, etc.).

On the other hand, you may want real cloud properties such as auto-scaling, elasticity, self-provisioning, usage pricing, etc. You may want to send 10 log entries today to your cloud SIEM and send 10,000,000,000,000 entries tomorrow and have it work just fine. You may also want to do this without paying for the 10 trillion events for both days. And without calling the vendor to “scale you up” a month in advance so they can buy new servers… And without getting the “sorry, we are upgrading your SIEM version today, hence you are down, cloud be damned.” You may also want a vendor that makes use of all the data they have, to train their AI (do they have it?) and to build better analytics for all their clients. In this case, avoid fake cloud tools based on your requirements.

To summarize, I’d venture a guess that some people will prefer cloud-native tools, while others will justifiably go for fake cloud, especially if it happens to have all of their required benefits (such as not having to patch Linux on their security appliances).



  • Who's asking? says:

    1. You seem to have a disdain for “vendors”; is this just your opinion or Gartner’s?
    2. The “real” cloud is also just someone else’s computer
    3. Even Bob can have a top notch expandable solution in his basement

    • #1 Hmm… neither. Gartner does brisk business with vendors, and among other analysts on the team I have comparatively many vendor clients. We do like each other 🙂 But, yes, in this job we see a lot of iffy vendors and some cynicism develops over time.

      #2 Ah, an excellent point that is worth a debate. Until recently, I was a rabid proponent of this view of “cloud = somebody else’s computer” but lately I’ve been in much doubt. Perhaps this piece is not great but I think some ideas for why not are relatively (and I mean it generously) well described there. All in all, at this time I am uncertain.

      #3 Solid win, you are exactly right! 🙂

  • @securityskeptic says:

    Anton, hello,

    Thanks for the dose of pragmatism. It’s disappointing to see the #fake tag being used frivolously, ruthlessly, and with disregard to fact or context in infosec.

    Nearly everything “security” begins with risk assessment and is tempered by CBA. So your “maybe” is spot on.

    • Thanks for the comment. I meant FAKE very narrowly here, i.e. “claims of CLOUD that don’t match accepted/standard/common definitions in IT”

      E.g. fake Rolex = not made by Rolex
      Fake caviar = caviar made from egg whites and color.