Nephophobia: Cloud Computing Fear, Uncertainty, Doubt, and Myth

nephophobiaI have a dog that is an early warning detector when it comes to things that are different. When we walk, if a rubbish bin is out of place or a tree branch has fallen across a track, then it is to be barked out with great vigour. Anything that is new gets this treatment (god forbid we ever move any furniture) and it can take some time before the change is accepted.

Likewise humans. When the British Rail service told the public it could build a train that went faster than forty miles per hour, the scientists of the time were shocked. The human body, they said, was simply not designed to travel that fast. If people got on a train that went faster than forty miles per hour their bones would likely turn to dust as they were crushed by the high speed.

Nephophobia is the fear of, well, clouds.

I remember when Cloud first appeared some years ago. An enterprise architect at at the customer I was working with said “We will NEVER move to Cloud. It is a fad. It is insecure. It is dangerous. We will ALWAYS buy our own infrastructure.”

The fear, uncertainty, and doubt (FUD) around Cloud is largely due to that most wonderful of human things; ignorance. It is also used by sectors within the ICT Industry, enterprise hardware sales for example, to keep their customers buying their “stuff.”

I wanted to take a broad look at some of the FUD and Myths that are out there and put a different light on them because my belief is that they are paper-thin walls holding us back from utilising Cloud services.

Before I start that, I want to talk about risk.

Unqualified and unquantified risk is where FUD starts. For example; “Cloud is insecure!” So let’s qualify that. How insecure it is really? What services does your Cloud Services Provider (CSP) have to ensure security? Ask them! Then, match that risk against how you do it today. Do you have all those services? Are your firewalls and systems all up to date and patched? Do you have active intrusion detection?

The point is this; risk has to be objectively qualified against what you do today.

Cloud is Unproven

The idea has been around since 1950. The first services were born in 1991. It’s been around for twenty two years. In it’s most modern form, its been around for six years in a mature form (Amazon). In New Zealand, IaaS has been around for several years. It’s not going anywhere as the number of devices that attach to Cloud, the Grid, and “The Internet of Things” continue to drive massive growth. Amazon early this month passed two trillion individual objects.

And yes, you need to choose a provider with a good track record.

Cloud is proven.

Privacy Concerns

Privacy is not an ICT problem.

Privacy is a set of legislative and legal business requirements. There is this belief in New Zealand that privacy should be managed by the CIO and that security and privacy are one and the same.

Privacy is a set of requirements that ICT might have a solution for in both the application and security areas. The problem is that the business tends to assume that security solves all their privacy requirements when it absolutely does not. This current fascination by the New Zealand Privacy Commissioner with ICT, is not helpful. Privacy must be driven from the board, down through CEO, through the leadership teams, and into the business of which ICT is a part.

Privacy is not a concern when it comes to Cloud.


Security is the oft touted (I get sick of hearing about this one) highest risk and reason for NOT deploying Cloud. However, it is likely, that your CSP has better security than you do. Let’s consider three aspects:

Firstly, your security. Ask yourself these questions; when did I last update all the software & firmware for my security layer, how do I detect intrusion, do I have a policy for security breaches, what international standards to I conform to, when did I last carry out penetration testing, do I encrypt my data onsite, how do I manage anti-malware & anti-software, who has administrative access to my date, when was all of this last audited from a business perspective, and how much does it cost me to maintain this security level?

As a second aspect, go and ask your CSP all the same questions. A mature provider will be able to answer them all. I will bet a decent bottle of wine that 99% of the time, it’s better, cheaper, faster, and more in-depth than your security. If you look at Amazon Cloud Services Security, as an example, it is extremely in depth. It is health certified and the CIA has just signed a $650m USD deal with Amazon to build hybrid / private Clouds.

Last, its too late, the horse has bolted. More than 76% of staff surveyed at the end of last year admitted to using Cloud services and storing their employer and customer data on them. Likewise, over 50% of business had started utilising Cloud services without talking to the ICT organisation. Standing around and adamantly stating the gate is still closed when it is clearly open, is something an ostrich would do.

Cloud is more secure, generally, than what you do today.

Loss of Control

Though not stated outright often as fact, this is a key piece of FUD that rattles ICT organisations.

There is a perception that by moving to Cloud services, they will somehow lose control of their destiny, all of their ICT services, and their jobs.

This is nonsense. In fact, you are likely to have a finer degree of control and deliver a better service. Most CSP’s provide in-depth toolsets that the average company couldn’t afford to deploy, for free. Well, its built into the charge, but its cheap as chips.

Let’s get something else straight. Just because you transition your ICT to Cloud doesn’t mean that you are any less responsible for them. At an infrastructure and platform layer you still have to manage all the services, including security by the way, the same as you do today, whether that is internal or external.

Further, in terms of deployment or decommissioning, you have a vastly increased capability. Rather than a six month project to deploy more storage, buy more servers, or implement new software, you just turn it on. Then, when you’re done, you turn it off again.

Cloud gives you far more control over your ICT Services than you have today.

Vendor Lock-In 

There’s a perception that moving to Cloud somehow locks you into a vendor. Again, with a mature provider in a standard environment, the ability to switch on, switch off, and move services should be relatively easy though not without cost.

Vendor lock-in occurs when either the service is proprietary and / or the service contract stipulates long terms & termination penalties.

Oracle would be a good example of a proprietary service where you would be locked in. Let’s just get something else on the table as well though; if that is the service that you want and need, so what if its proprietary?

Any CSP that wants to contract you in for months and then serve penalties on you if you leave before, isn’t really a CSP.

True Cloud services reduce the amount of vendor lock in you have.

Cloud Fails

Yes it does. So does your datacentre, so do the locally New Zealand datacentres, and so does your home PC.

I’ll wager in terms of availability and reliability (which are publicly published by mature Cloud providers) that CSP’s have more uptime than local CSP providers has more uptime than your datacentre has more uptime than your home PC.

Cloud fails less than your service.

Data Sovereignty

A murky area that is somewhat dependant on what it is that you do. My advice would be seek advice from a lawyer, they can help you quantify this risk.

Often raised here is the fact that overseas governments may nefariously access your data and so something with it. 

Let’s examine that for a moment. Let’s assume that you actually have something that is worth stealing or copying. Is the nefarious government agency going to try and hack their way through an in-depth, up to date, Cloud security service then try and find your data in an environment of billions of objects when it has been encrypted? Nope.

What they will do is find your out of date, weak security, single firewall and hack you direct where they know your data is and find it all packaged up and un-encrypted.

The other one I hear is that IRD won’t allow us to offshore anything in relation to tax. While that is in slight debate at the moment, let’s look at a couple of examples.

Xero. Several hundred thousands of individuals and business who’s data is stored offshore.

Weeping and gnashing of teeth! What if Xero fails! You’ll never get your tax records back!

Nonsense. I use Xero. If it disappeared tomorrow then a) I’d be really pissed off with Rod Drury but b) I could rebuild my tax records. I have hard copies of stuff and I have all my bank records. It would be a complete pain to rebuild it, but the point is, I could.

And again, the horse has bolted. You’ll find that some agencies that would be considered relatively sensitive in terms of data are already using Cloud. Which is probably a good thing, given Cloud is more secure generally than home built stuff.

There is only one international internet cable from New Zealand

Yes there is.

It’s part of a fibre ring, which means there are actually two cables and you’d need an event that disabled both at once.

And, let’s look locally, we have two fibre lines in the North Island, they run down either side of the country (for simplicity’s sake) from Auckland to Wellington. And guess what, both have failed simultaneously in the past.

Then, we have a pinch point over Cook Strait, before running to Christchurch, and then (I think this is still the case) a single line runs to Dunedin.

The point is this. The international cable is lower risk and more resilient than the local fibre infrastructure by comparison.


Ignorance of what Cloud computing actually is means that we self-generate FUD to discredit something that we feel will take away our control. FUD is perpetuated by global, and local, ICT vendors that are still heavily reliant on selling hardware and boxed software.

The reverse is true. Cloud computing allows us a more secure, more resilient, better managed, more controllable ICT Service base than traditional ICT.

Risk needs to be verified, qualified, and quantified against what you do today.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: