Gartner Blog Network

Toxic Clouds: A virtual pig in a digital poke?

by Jay Heiser  |  February 1, 2010  |  5 Comments

When the global financial services firms melted down in late 2007, much of the blame was attributed to an over-reliance on a highly leveraged financial abstraction called a Collateralized Debt Obligation (CDO). As described in a recent blog entry by Gartner analyst Andrew White: “Cheap money, sloshing around the place, feeding an insatiable growth in demand for property, by people that had little or no ability to support the creative mortgages on offer, managed by creative new financial instruments that spread risk around the globe.” Those ‘creative new’ things melted, leaving behind puddles of toxic loans.

I don’t actually expect cloud computing to experience the spectacular meltdown that the financial service markets did, but I can’t help noticing multiple similarities between that situation and the reliance of today’s enterprise on ambiguous ‘black boxes’. Parallels between the near-fatally high level of trust that banks placed in the integrity of CDOs and the growing use of public cloud computing include:

  • Hype: Market urgency encouraging everyone to jump on a new bandwagon or risk losing their competitive edge.
  • Complexity: Abstracted and virtualized products that are impossible to fully understand, making it impractical to carry out customary and proven forms of risk assessment. Even the maker can’t anticipate emergent risks.
  • Free Lunch: Products offered as providing better returns at lower risk in comparison to traditional products.
  • Non-transparency: Minimal information as to the constituent elements, which change in significant ways on a real-time basis.
  • Formal Risk Ratings: Large, expensive and prestigious audit/assessment firms provide standardized ratings pronouncing risk to be acceptably low. Assessments are performed by inexperienced staff, addressing only a subset of the risk factors.
  • Significant Providers: Size and visibility of providers is taken as evidence of product reliability.
  • Your People Aren’t as Capable as Our People: Business critical decisions and activities outsourced to abstract chains of providers, instead of relying on trusted and experienced employees to do planning, acquisition and service maintenance.

Would you buy a new car without actually driving it, or would you just trust that it will be exactly like the ‘brochure’ on the web site? Would you buy a house without a positive report from a home inspector? Some people do buy pigs in pokes, and sometimes the pig turns out OK, but if my business depended on having a meaty and healthy pig, I’d want to inspect him thoroughly before accepting delivery. Commercial cloud computing offerings remain undocumented black boxes. Most of them are actually nested black boxes, and some are a pyramid of black boxes from multiple providers.

Of course, just because these virtual pigs are in cloudy pokes doesn’t mean that the provider actually is hiding something from you.

For background on the role of financial derivatives in the economic crisis, a Harvard Business Review article summarizes the results of a Harvard Business School study, “The Economics of Structured Finance,” explaining that it “offers a close examination and clear explanation of how the process of securitization transformed trillions of dollars of risky assets into securities that many considered to be a safe bet…the paper analyzes the difficulties of rating structured finance assets and the perils of relying on ratings to determine prices.” (Note the irony of the use of the word ‘security’ in the context of finance.)


Jay Heiser
Research VP
6 years at Gartner
24 years IT industry

Jay Heiser is a research vice president specializing in the areas of IT risk management and compliance, security policy and organization, forensics, and investigation. Current research areas include cloud and SaaS computing risk and control, technologies and processes for the secure sharing of data…

Thoughts on Toxic Clouds: A virtual pig in a digital poke?

  1. Ron Knode says:

    There is a strong similarity between what you describe and what is referred to as “presumptive security” in the August 2009 research report available at Many of the same dangers (and especially those related to the absence of transparency) that are suggested in your note are hinted at, though your comparison to the financial industry is particularly intriguing. Such dangers are occasionally compounded by the zeal (on the part of cloud consumers and cloud providers) to “affirm” the safety and security of “our cloud” without ever giving any evidence that can back up an affirmation. Simply declaring that processes, certifications, or broad attestations exist does not deliver transparency. In fact, such declarations often just confuse everyone about what security and assurance might really be in place. For example, merely “having” a SAS70 audit performed is not the same as giving evidence of client policy compliance as a result of the SAS70. Claims alone are not sufficient to generate transparency. Evidence-based confidence is needed.


  3. Gene Spafford says:

    What a great analogy! I agree that Cloud Computing is severely overhyped.

  4. Better you than I…

    When I made that exact analogy at a security conference, all I heard were moans.

    What was not apparent was whether the sounds of exasperation were due to the proximity of said event or the fact that it’s accurate.

    Great post, Jay.

    One of the reasons I’m so passionate about is because we need consistent, visible and well-defined language for making these assertions about “security,” “trust,” and “risk” in the Cloud.

  5. Jay Heiser says:

    Well-defined language for making assertions? We can’t even agree on what a cloud is. 😉

