Bank of England CIO: ‘Beware of the cloud, beware of vendors’ The Bank of England is loosening up on IT delivery and recruitment, but not its resistance to public cloud. John Finch, CIO of the UK's central bank since September 2013, Wednesday ruled out the use of any public cloud by the bank for the foreseeable future. Cloud has however crept into the Bank’s IT margins, where it’s been …
The only way I allow any data on the cloud is via placing a Bestcrypt container file on the cloud, and then mounting the container. That way my data is locally encrypted/decrypted & transmitted/recieved. All the cloud sees is the encrypted container file and another encryption layer in the traffic.
“Particularly in technology we want to recruit people who we wouldn’t normally recruit – specky, geeky kids hacking in their bedroom,” he said. The philosophy is fresh thinking and ideas will flow from diversity and cause disruptive change for the Bank.
Why, because all your staff are handsome, strapping and athletic? Not the best way to attract the kind of people you obviously need, resorting to passive-aggressively offensive stereotyping of your target employees.
Twat.
Not the best way to attract the kind of people you obviously need, resorting to passive-aggressively offensive stereotyping of your target employees.
Yes, quite.
I had, perhaps mistakenly, though we'd put this sterotype to bed back in the dot com boom.
Pay attention MBAs: The guys [1] driving about in the flash motors, enjoying far flung vacations, while making out with sooo many girls; that's us, the IT geeks. Well, it was, before I got married and settled down anyway.
Why? Well, because while training for a marathon takes about three months of evenings (I've done a few) and literally anyone can do it, training to understand code architecture, networking, etc etc takes years and a good deal more intelligence. We're smarter than you, better educated, we earn more, and we enjoy better lives.
"..specky, geeky kids hacking in their bedroom" Sure, I have glasses, so you've got me there. But the rest of it? Suck. My. Balls.
I'll still come work for you at the BoE, but only if I can't find any real work to do, and now I'm going to charge you 20% more.
[1] Guys, girls, whatever.
Please take a quaalude, maybe even three.
He's making a joke and contrasting one stereotype against another. It's what people do when they want to punctuate a point. And if he's working to undo a monoculture of three piece suite types, it's exactly the counterpoint that gives the most contrast.
Yes, I am a geek and I'm weird. I wouldn't have it any other way. If you're ashamed of being weird, change. I don't care if you go full mundane or just lose the 'tude, but change.
"He's making a joke"
No he isn't. He's a humourless twat incapable of that. He has a very distorted view of the people who deliver and support the IT services of a business.
To Finch IT people are worthless, tradeable commodities - lines on a spreadsheet - to be got for the lowest price, and screw the quality, experience and value they deliver.
Run people. Run away fast.
"Why, because all your staff are handsome, strapping and athletic? Not the best way to attract the kind of people you obviously need, resorting to passive-aggressively offensive stereotyping of your target employees."
I'm not sure how it works in England, but most highly-compensated bank employees here in the US are drawn from the Ivy League old-money crowd. So, I would expect there is a little bit of a monoculture going on... The opposite stereotype could be the loud-mouthed ex-fratboy i-banker in the $2000 custom suit lighting his cigar with a $100 bill while driving his Bentley with 2 supermodels in the back. :-)
"I'm not sure how it works in England, but most highly-compensated bank employees here in the US are drawn from the Ivy League old-money crowd"
I think it's fair to say that the something similar applies here in the UK too, although I suspect very few of the "old-money" crowd would do something as boring as working for a bank, the "new-money" folks seem to be well represented though.
Finch is a twat.
He'll hire lots of cheap inexperienced labour, sack all the experienced IT staff, get paid a massive bonus then fuck off as it all unravels, leaving years of devastation in his wake.
Trust me - if you work for him, plan your exit strategy fast.
Everything you need to know about his contempt for people is in plain sight.
Management really don't get virtual, do they? Data doesn't need to have a specific server to link it to reality, just like I don't really need the same bank note back from the bank that I put into my savings account.
The answer is PaaS. Let someone else worry about the boring stuff, like the hardware, the backup, the power, the patch management, the security - all you want to worry about is your data - and it doesn't matter where it is, as long as nobody else has access to it in an unencrypted form. You do encrypt everything you do, don't you?
The hardest part of learning about containers is to know anything about IT from before 2000 and still firmly believe its relevant to today's infrastructure.
The answer is PaaS. Let someone else worry about the boring stuff, like the hardware, the backup, the power, the patch management, the security - all you want to worry about is your data - and it doesn't matter where it is, as long as nobody else has access to it in an unencrypted form. You do encrypt everything you do, don't you?
You would seriously be happy with a bank that, when their IT goes TITSUP, can only respond to you by saying, "Oh, it's not our problem, there's a third party provider dealing with it"?
Bearing in mind that the 3rd party company probably don't give a shit about the data, or the bank's users, but just the "boring stuff".
Accountability is the problem, SLA's have no real meaning, as any large cloud provider is not going to care if the Bank of England (or any other company) can't get at their data for 3 days, the penalties (if any) will never cover the real cost of an outage.
Indeed. Managing third parties is not the strong suit of IT teams I've met during my 30-plus years in IT. The core rules are simple, though: Ensure you're in control, do not outsource your brains. Ensure you know where your data is. Ensure you're secure. Ensure you understand your contract, in gory detail. Ensure that your third party needs you a lot more than you do. If you cannot lock down the latter, do not go there.
The hardest part of learning about containers is to know anything about IT from before 2000 and still firmly believe its relevant to today's infrastructure.
An attack surface is an attack surface no matter which year it's from. A local service has a smaller attack surface than a cloud setup.
Things are changing...things are getting bigger, faster, louder and *shudder* more social; but many of the underlying principles remain exactly the same. Including, amusingly, the tendency in yoof to think you know everything.
because if that was true Google would be doing it. Look around and you will see that it is more important now than ever. What people need to do is simplify the infrastructure so it takes lees work to maintain.
He is correct if you head to the cloud to save money then it will cost you more in the long run as your procedures and process for design are wrong.
No, it's not a fantasy. What it is, is the latest marketing term that's been over-hyped. Truth is, it's been around since mainframes. They've just rebranded it.
While he may be a bit too knee-jerky in rejecting it, for a bank it's not a bad posture. The key to handling it is actually in his statement about needing to understand everything. That's going to apply to your cloud facilities as well, and that may get a bit more complicated than if you run it yourself. Chances are your cloud provider is doing some stuff he regards as proprietary/trade secret and he's not going to want to discuss that. And he's going to push that he's accepting all the risks associated with meeting the SLA so all you have to worry about is the SLA. While there is some truth there, there's also truth in needing to understand his processes so you can asses for yourself whether he can meet the promised SLA.
Properly handled the cloud may be a good thing. Badly handled, it's as bad as anything you can fuck up internally.
So you need electricity to run your servers. Do you produce your own or do you rely in some company to do it? Ah, you have generators to compensate for an eventual outage... For how long will it run? As long as you have petrol? You produce your own?... Get over it guys. Commodity cloud computing it's here to stay. Maybe you can't run all of your workloads on it, but you still have a choice. And it's not all our nothing, geeezzz!
No they don't although most are much more energy efficient than your local datacenter and some already generate part or even all of their energy needs. But that's not the point. The point is that if electricity is a commodity to you why can't you rely on computing providers to be a commodity as well? IMHO it's a no-brainer.
Just like everything. there is a middle ground, and cloud vendors have taken advantage of business folks' tendency to bounce between the extremes as of late. I think businesses love the idea on paper because it lets them get rid of IT assets the same way they like to get rid of permanent employees...and some MBA somewhere says it will save them money in the long run.
What's so crazy about taking the good parts of the "cloud", namely virtualization and flexible provisioning, but not handing your data over to a disinterested third party? Almost no one I know, even cloud haters, advocates installing an OS directly on a physical server anymore, and provisioning applications the same way we did in 2001.
I think right now, the public cloud vendors are stuck in a price war, so rates are going to be low for as long as those vendors want to keep losing money. Once they're hooked, however, I fully expect Amazon, Microsoft, Google, Oracle, etc. etc. to start slowly turning up the prices. Why? Vendor lock-in. Yes, a company can get their data out of the cloud, but switching vendors is a huge pain and inertia will take over.
"What's so crazy about taking the good parts of the "cloud", namely virtualization and flexible provisioning, but not handing your data over to a disinterested third party?"
The problem is there is no such thing as a "disinterested" third party when it comes to buying a platform (or anything else), the third party will want to take as much money off you as possible while spending as little as possible to deliver the product. For that reason it would be very naive to assume that their motives and goals are compatible with your own.
You only have to look at the continual battle to get vendors to fix product defects to see how that works in practice.
"If you are one of these posters, and are aged over 40, then I hope you have already paid off your mortgage."
Weirdly some cloud-skeptic posters over 40 are the only people in their organizations who can keep the show on the road when* the cloud stuff goes tits up. A few of them worked in firms that *rented* time on remote hosts back in the day, so they have some direct experience of the pros and cons of hosting compute & data on someone else's iron.
Note: that's when, not if. Stuff doesn't work forever.
Once all is said and done, you aren't going to be saving that much cash moving to cloud services. You have to bring in consultants to come in and size what you'd need in the cloud to replicate what you get on your current boxes, then you need more consultants to come in and fix your code to work with that new cloud, then you'll need even more consultants to come in to integrate the cloud bits back into your monitoring systems. And during this migration, you'll be paying for both your own stuff and the cloud, which can make for some pretty eye-watering purchase orders...
The cloud is great when you need another datacenter, you have some kid of public-facing service that can get hammered at a moment's notice, or you need some extra boxes while you wait on the delivery of more boxes / DC expansion / network upgrade / etc.
"One of the purported benefits of public cloud is you no longer need to buy and maintain your own servers – they become the responsibility of somebody else."
Oh no they don't - they get to be _managed_ by somebody else, but the responsibility remains firmly in your corporate lap. That actually increases your exposure, as you can't control the screw-ups of your providers.
Yes and no. You can control their screw ups through your contract. The catch is, the contract has to specify it. And how do you specify the controls when you don't know what/how they're handling the data?
Possible, but tricky. I expect most places aren't up to the challenge. And a bank is the last place I'd want experimenting with it.
“Make sure you understand where your data resides, make sure you understand the details of your contract, make sure you understand the security, and make sure you stay in control,” he said.
As I read that statement the first thought that I have is "are you sure he's management?" Because never were truer words spoken about building a good system from start to finish. It applies to The Cloud even more than it applies to stuff you're running internally. On stuff you're running, management might on occasion glide over some obscure details because their IT staff will have to learn it to make it work, or their IT security people will pick it up as part of a routine review. If it's in The Cloud, it's got to be spelled out in the contract, so no glossing over anything.
So John Finch has moved from the BoE after thoroughly f@cking the IT staff over. Shame his new employer didn't carefully check his background and see the trails of damage he's left behind. He was always Charlotte Hogg's glove puppet anyway and now she's gone too. Hogg was clueless too, and she demonstrated that in a very public way. Goodbye and good riddance to Finch and Hogg
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
