Esteban Kolsky on Why Fearing Cloud Is Nonsense

It’s hard to say whether Esteban Kolsky is a contrarian or everybody else is just plain wrong. Over the course of this three-part interview, Kolsky, a well-known technology consultant and former Gartner analyst, has debunked pretty much every commonly held notion related to cloud computing and its underlying infrastructure.

When we asked, for instance, whether “private cloud” is more secure than “public cloud,” he retorted, “Private ‘cloud’ is not cloud at all!”

In previous installments, Kolsky defined true cloud architecture and compared its properties to other architectures mistakenly assumed to be cloud. He then spelled out the economic incentives of cloud adoption for providers and consumers.

Here we pick up the conversation with Kolsky explaining why cloud vendors are moving to provide industry-specific solutions under the nom de guerre “industry cloud.”

Logikcull: What’s driving Salesforce or Oracle or whoever to deliver industry-specific solutions is that there are newcomers coming into the market that are developing cloud solutions tailor-fit to specific industries, and they have to compete.

Esteban Kolsky: Exactly. Usually when you go to verticalize solutions, financial services, healthcare and government tend to be the first three (because they are highly regulated), and then you see evolution into other areas. Now we have some movement in retail. We have some movement in manufacturing. And the likes of Salesforce are going to be left behind, so they need to be able to compete more effectively and that’s why they’re refocusing their efforts in those areas with branded solutions.

Logikcull: It’s interesting because industries like healthcare and financial services are traditionally resistant to cloud. Is there some kind of correlation between that resistance and those sectors being the focus of this first wave of industry cloud solutions?

Kolsky: I see what you’re getting at, but there’s a bit of a twist. Those industries aren’t resistant to cloud. They just can’t embrace public cloud due to compliance issues. That’s the easiest way to say it. If a provider comes along with a hybrid public-private whatever model that makes sense and leverages the value proposition of the cloud, and delivers the value that they need, and fits within their compliance framework — which is part of the focus of an industry-based application — then it makes sense for those industries [to adopt cloud]. And that’s what these [cloud providers] are doing — they’re going after the industries that make sense.

You mentioned healthcare and financial services as being highly complex in compliance, which is true. But at the same time, they’re also the industries investing the most money in this. So if you have an industry that invests money, you might as well deliver something to them that makes sense.

Logikcull: Let’s talk more about compliance and regulatory issues. Doesn’t the cloud have the potential to be more secure?

Kolsky: Yes it does. It has the potential, but it’s a very different security model. And if you are an organization that’s invested over the last 20 years in building a secure — a supposedly secure — model, you don’t want to have to start again.

[On-premise] vendors use security as one of the boogiemen of cloud architecture. “Oh, if you go cloud, you lose control of your data! You lose control of security! You don’t have access to this; you don’t have access to that.” That’s what they say to scare people.

But if you look at computer models and security models for cloud architecture, cloud is far more powerful, far better, far easier to use. We’re just not at the point where people understand that yet. They’re just starting to get there.

Logikcull: So what exactly don’t people understand? What are the incumbent vendors pushing in terms of fear that is really just nonsense?

Kolsky: Data residency is the biggest fear for people. People think that if they don’t have the data in their own databases or on their own servers in their own locations, then somebody else can go and steal it. People think, “If I don’t know where my database is, if I don’t know where my data is on my server, it’s going to be stolen.” But that can happen either way. If you have it on your location but you don’t have the proper security levels, your data can still be stolen.

None of these data breaches that we’re seeing are cloud-based. Which one do you want to talk about? Target? Walmart? Even the government. They’re the ones that are so adamant against public cloud, and they’re also the ones who lost the most sensitive data! So it is not a question of where the data resides, or who owns it or who stores it. It’s a question of building and maintaining the right security levels. And the inherent capabilities of the cloud-computing architecture provide a far more secure model than if you have a database that anybody can access.

Logging ID and password against the database does not make it secure. A tokenized model, which is used in cloud computing, is very secure.

Logikcull: Esteban, you mentioned that the private cloud is a stepping stone for organizations moving, or evolving, as you put it, to the cloud. Is that due to a perception that it is more secure?

Kolsky: It’s not [more secure], but yeah — that’s the reason. I used to say — and I was taught never to say this again — that private cloud is internet for lazy CIOs. Because that’s what they do. They deploy the internet and call it a private cloud. Private cloud doesn’t have any of the capabilities of a true cloud computing architecture, but you pretend that it does because it runs through a browser. So it doesn’t have the security models of cloud, but because you’ve been using it for 20 years and you’ve had some level of success, you think that because you use your own database, and your own server on your own location, that it’s much more secure than if it was somewhere else.

You think that if the data is transmitted over the internet, it’s subject to being picked up by anybody and anything can be done to it. But in reality, look at the Target data breach. The [hackers] picked up the wireless network Target was using that was registered to the server in the back and they took all the information that way.

So in that case, everything was on-premises, but it was much more exposed than it would have been on a public cloud, where the levels of encryption would have been higher.

Logikcull: Could we say that the private cloud is actually less secure than a true public cloud?

Kolsky: Yes, of course! It’s not that the private cloud is less secure than the public cloud. It’s that private cloud is not cloud. You’re comparing an on-premises model with a cloud architecture model. All the weaknesses of the on-premises model — they translate to the private cloud, versus the public cloud that has encryption and security models that are far more advanced.

Logikcull: Well, with a private cloud that is essentially an on-premise solution, you have all kinds of access points. When you move to the public cloud, you reduce the number of entry points, don’t you?

Kolsky: You do. Once you reduce the complexity of the application because you don’t have to worry about all the things that are inherent to a client server or intranet-based model, the less complexity makes it easier to secure.

Logikcull: Can you think of verticals that would benefit more than others from the cloud?

Kolsky: Not really. You know, I’ve been doing this type of research for a couple months. I can say that some verticals will benefit differently, but not more or less. It’s just a question of leveraging the computer models better or worse.

Logikcull: It seems, though, that more data-intensive professions or industries could benefit more from cloud.

Kolsky: My research has led me to believe that the cases where you have to move more data and have more [data-intensive] functions benefit much more from a public cloud architecture. And the reason for that is because you pay less for access. You pay less for transactions. And you secure more data.

Logikcull: Where is this trend leading? First we had cloud for general services. Now we have industry cloud. What’s the next wave?

Kolsky: Well, we haven’t gotten anywhere near [mass adoption] of public clouds. “Cloud 2.0” would be getting over this stupid hybrid and private cloud stuff and start embracing public cloud architecture for what it is — a computing architecture that delivers value. You start realizing the benefits of public cloud and go from there. That would be Cloud 2.0. Cloud 1.0 is what we call legacy SaaS and hosted applications. Cloud 2.0 is embracing true cloud computing. Cloud 3.0 is taking it to the next level, where you’re doing all work on a cloud computing architecture. But timeframe-wise, we’re talking seven to 10 years to get to Cloud 2.0 and 10+ years to get to Cloud 3.0.

As told to Robert Hilson and David Austin of Logikcull. Robert can be reached at
