
Cloud Costs & Security

A recent survey from RightScale showed a lot of confusion around cloud computing costs. The common takeaway? Organizations are surprised at how high their cloud bills are. Similarly, the community was surprised at the size of Lyft's commitment to AWS (around $8 million per month).


Watch this episode on YouTube.

Reasonably Accurate 🤖🤖 Transcript

Morning everybody. How are you doing today? On this episode of the show, we're going to talk about cloud computing costs, your perception of those costs, and how they actually relate to security. Now, a few things trickled across my feed that generated this topic. The first was coverage of a survey done by RightScale that looked at organizations' perceptions around their cloud computing spend.

And the second was the IPO paperwork, or pre-IPO paperwork, from Lyft. Now, when Lyft filed their paperwork, everyone kind of went, "What is going on?" They have a contractual commitment with AWS to spend at least $300 million between 2019 and 2021. That works out to be around $8-plus million per month.

Now, a lot of people freaked out and said that's a lot of money, and rightfully so; that is a significant amount of money, but it needs to be properly contextualized. So you can just cherry-pick that number and say, "It costs so much in the cloud. Why is anybody moving to the cloud?

There are so many problems, costs are through the roof." And if you read through the RightScale survey, you may actually agree with that. So the RightScale survey pulled out a whole bunch of things around, basically, sticker shock for organizations when they started to really get rolling on their cloud adoption.

They were quite surprised at the size of their bill. It didn't match their expectations. Now, there's a little bit of a caveat here, or actually it's a really big, complicated caveat. Cloud billing is really difficult to understand. There are a number of tools from AWS, from Google, from Microsoft to help you understand your bill.

There are entire third-party partners who work to try to help you understand your bill. There are consultants around understanding your bills in the cloud. Of note, Twitter phenom and anti-hero Corey Quinn has made his primary business helping people understand this bill, because this is really, really complicated stuff. And I get it: if you've ever actually looked at your AWS or your Google bill, not just the nice PDF they send but the microtransaction sheet, it's nuts, because you're being billed a penny per hour for this.

You're being billed a fraction of a penny per microsecond or millisecond of execution time here. You have a year-long commitment here that reduces the bill by 30% for this particular instance type in this particular region. There are a lot of factors for all of this consumption pricing.

But at the end of the day, you do get a number, and that number, according to this survey, was a big shock to a lot of people. So there are a few ways to take this. You know, (a) we fully understand and accept that cloud billing has a long way to go as far as being easy to understand,

being easy to forecast, being really easy to kind of grasp. But more importantly, and this is where it starts to tie back to security, it needs to be contextualized in the business. So that big number from Lyft, the $8-plus million a month, the $300 million overall up to 2021, works down to 14 cents per ride, 14 cents of overhead per ride

that people are taking through the Lyft network. That's actually a really low cost, because rides are not a dollar; rides are significantly more than a dollar. If the IT overhead to generate that ride is only 14 cents, that's a pretty good spend, right?

They've kept that cost really, really low. They've been able to keep it low because they're in the cloud using on-demand resources. Now, where I see, in my experience talking to organizations around the world, where the sticker shock comes in, and they're genuinely surprised at the size of their cloud bill,

the way to counteract this is to ask them, "OK, well, what about your previous data center bills, your previous IT budget?" What happened is that we never had this level of detailed tracking. We held a whole bunch of assumptions about how we were spending money on IT within our organizations, and they were probably completely off base, but they were associated with one budget line item at the CIO level saying, you know, we spent $38 million per year, but you don't know what you're getting for that.

Whereas in the cloud, you know down to the penny, or the fraction of a penny, what you're spending, what you're spending it on, and what you're getting back. So how does this tie back to security? You know, we're four minutes into the episode. How does this tie back to security?

Well, it's pretty straightforward: you need to know the value of the data and how much you're willing to spend to protect it. Now, determining the value of the data can be really, really tricky. But one partial proxy is, if you know how much the company is willing to spend to generate that data or to process that data, you can start to get a ballpark understanding of the importance of that data.

Right, same thing with calculating in potential fines, calculating in potential revenue from that. You start to get an idea of how much you should be spending from a security perspective, because you can't just wildly spend on security. The whole idea of security, of defense as a principle, is essentially: I'm going to spend enough to stop most attackers from getting this data, but still less than the data is worth, or at the level of what the data is worth.

So if I have something that's worth, you know, $10 to my business, I'm not going to spend $1,000 to protect it. It doesn't make any sense. If somebody steals it, you just spend 10 bucks to replace it, right? If it's replaceable. Now, if that's personally identifiable information and the fines are significant, maybe I'm in the EU and I'm under GDPR, or there's the reputation damage, or I just take on that moral responsibility, because customers have trusted me with the data,

I want to, and I'm willing to, spend a lot more to protect that. Right. And this part of these cloud computing costs, I really thought it was interesting, because for me, that's step one on a security journey we should have taken a very long time ago.

You need accurate modeling of the application, of the spend around the application, and of the overhead, so you know how much your security controls are costing you to apply, as well as the data that they're protecting. There are a lot of challenges here. But step one is to get that data, and we've got that when you move into the cloud: you understand how much that application costs, how much overhead there is to run it, and you can calculate the people cost on top of it.

Now you can understand your security control: if you're spending a million dollars on a security control for an application that's being run for $1,000 a year, you need to find a new way to apply security there, or a new level of security to apply, because that's just completely disproportionate.

Even if the value of the data is huge and worth that type of investment, you need to do better in your security implementation. You need to modernize that and push that into the cloud as well in some way so that you keep pace. But more information around costing, and the more accurate it is, is better for everybody.

It's better for everybody in IT. It's better for the business, it's better for security. And the sticker shock is not that the cloud costs so much, because it's the exact opposite. The cloud is far more efficient. The cloud is going to cost you far less. The sticker shock is that you had zero awareness, or near-zero awareness, of what you were spending, what you have been spending for years. And that applies doubly

for security teams that spend a ton of money and aren't really sure of the value that they're generating for the business, or the return on those investments. So more information is better, as always. What do you think? Hit me up online @marknca, in the comments down below,

and, as always, by email at markn.ca. I look forward to talking to you about this issue and many, many others. I hope you're set up for a fantastic day, and I'll see you on the next show.
