FUD Farming

FUD Farming: the practice of selling expertise based, primarily or solely, on negative (or FUD) based messaging.

I'd like to include a new term into the lexicon: FUD Farming.  Over the years I've seen the following attempt to sell used over and over again

X is a complete and utter disaster, X will lead to the destruction of modern society and ultimately Armageddon.  X doesn't work like it should, you really don't want to use it, none of your competitors are using it and if you do use it how do you know it won't cause everything else that you have to stop working?

FUD as a term is apparently over 90 years old (as is my Gran, happy 92nd Birthday for tomorrow Gran) and has a rich and ignoble history in IT.  However what I've noticed with the wave of social media 'experts' and specialist consultancies that FUD appears to be the only thing they are selling.  I receive emails with headings like

Do you know that your employees are sharing sensitive information on Facebook

How competitors are using Twitter to damage your brand

How Social Media is undermining your current marketing strategy

Almost all the messages and lead paragraphs are plain old FUD and the answer is of course to employ the expert/specialist consultancy who really understand this FUD and can therefore help you. Its this approach which I'd like to christen FUD Farming which  allows us to call such individuals "FUD Farmers", these are the individuals whose primary or indeed only approach to selling is based around creating FUD, throwing it around as fact and then utilising that as the way to solve the problem that didn't really exist in the first place.  This later is a critical point, most of the FUD comes down in the end to 'have a sensible engagement policy that is communicated to your staff' or 'your staff are doing this, you can't stop them so educate them' and guess what here is just the $$$ course to do that.  Of course as a company you knew that already but thanks to the FUD you've been sold a pup by the FUD Farmer.

You stole my flashing lights

"I don't understand the hardware, I don't understand the software, but I can see the flashing lights"

This sums up the basic problem with cloud adoption and over the last week or so its been even clearer while chatting with some clients and journalists around the issues of cloud.

Simply put the current regulatory, compliance and security world is basically based around that statement.

Security folks don't understand what your application does, but they understand networks, networks are physical things, they understand SSO and how to VLAN and physical LANS and they love the physical separation as its obvious how the security is maintained.

Accountancy folks don't understand any of this but they can look at the data centre, count the flashing lights and know all is good. They can also "audit" this physical environment and feel happily secure that the flashing lights are kept safe by a good bunch of process that makes sure that the flashing lights don't talk to the wrong flashing lights.

Lawyers are retarded by the legal lag that in many cases appears to struggle with the idea of the computer and digital information let alone the concept of the internet and cloud computing. Again its about the physical separation as this is what makes it easiest.

Hardware manufacturers play to the flashing light meme as well, I was in a DC recently and made a comment about the compliance challenges and how people seem to like flashing lights and the chap said "Good point, I mean we even put them on the BOARDS for some reason and in a rack you can't even see those lights".

This is the world that cloud computing really comes against. Worries that "one virtual machine could break into another one on the same processor", concerns that virtual separation is just like stabbing a condom with holes, concerns that because you can't physically audit the separation and that some of the cloud providers won't allow you to stomp around their data centres that in fact everything is insecure.

Before FUDmeisters jump up and scream about "being safe" let me ask you this... when was the last time you demanded a third party audit of your electricity supplier to prove that they wouldn't blast you with 300MV at 1MA? When was the last time your asked for a third party audit on your telco provider to prove they were not eavesdropping on your calls? What about the postal service or delivery company that ship your packages?

IT is of course completely and utterly different.... or is it just that because people have been beguiled by the flashing lights and the physicality and don't want to recognise the new challenges that they really should be addressing. Armadillo security (hard on the outside, soft on the inside) has long been a flaw in many company security approaches and virtualisation just makes that approach more obviously flawed. Approaches like Jericho aim to address the problems of business interaction.

The larger challenge however is in the audit and legal areas, being blunt many of the rules laid down today by legislators or auditors are based on a lack of understanding of the mid-90s and have no hope of applying to the new distributed IT environments. Take the need for an independent 3rd part audit of a cloud providers data-centres including how they provision, manage security and ensure availability. The problem is that IT is treated not as a utility, which is what cloud aims for, but as a physical asset that must be proven in the same way as oil reserves or cash.

The shift to treating IT as a utility needs to overcome these legal, accountancy and security objections and those of the intenral IT department. But to be clear these objections are already being worked around and in time will be overcome. The four FUDMeisters of the cloudpocalyse will lose this battle overtime but the quicker that the regulatory and accountancy rules are changed to recognise the shift of IT into a utility the better.

They can't have the flashing lights, and they need to deal with their loss.

Technorati Tags: SOA, Service Architecture