Dear privacy
Only a few years after pay-per-use, the business world is facing a new shock: privacy has its price in the Public Cloud PaaS.
Basic privacy in the pre-Cloud world
Legacy information systems have always taken basic privacy for granted, for the simple reason that premises are not shared with anybody: everything is privately owned and dedicated. For a business owner, consuming IT implies that privacy concerns are already built in; they are not subject to extra fees.
The legacy model does not prevent more elaborated forms of privacy breaches, such as unauthorized staff accessing the data, but at least the staff are briefed and trained, and they report to a management line.
The pre-Cloud world also includes outsourced IT activities: in this situation it is usually not possible to have fully dedicated hardware (the network layer is a typical example), but at least the workload-running hardware can be dedicated. Custom contracts with strong oversight guarantees on the outsourcing provider help keep basic privacy a closed-circuit matter. The perception CIOs and CFOs have had of outsourced activities is that they are a prime way to make savings (since the buildings and the outsourcer’s staff are shared across several tenants).
The new world
The advent of the Public Cloud and its pay-per-use model is shaking up on-premises and outsourced models. IT infrastructure, whether insourced or outsourced, has joined the ranks of liabilities next to data centers in the minds of IT executives, and pets have become cattle in the minds of developers.
This trend opened up avenues for refocusing the IT workforce towards more business-centric/resilient/frugal activities. How has basic privacy fared in this new world? Two interesting things happened in a short time frame...
Cloud privacy in the early days
In the first years of IaaS and PaaS, privacy concerns were addressed through co-resident segregation (compute isolation, data and flow encryption, security groups, private IP addressing) and per-resident connectivity (ExpressRoute, Direct Connect, site-to-site VPNs).
That sounded like a good start, but Cloud providers did not anticipate the need for customers to prevent data exfiltration and public endpoint exposure.
Consequently, pay-per-use was biased because it did not account for novel privacy needs tied to the very nature of Public Cloud computing.
Some corporations compared their IT capital and operational expenditures (let's call this cost c-infinite, for future reference and to express that one cannot imagine paying more) with pay-per-use (let's call it c-zero in contrast, to express the hope for huge savings): they came to the misleading conclusion that the Public Cloud was even cheaper than it really was and hastily shifted their workloads to the Cloud. Other corporations, however, shied away from the Public Cloud when it came to manipulating sensitive data because they spotted the privacy gap between on-premises and in-Cloud.
Regulators did not remain idle either: with privacy abuses being more and more publicized, new impact assessments on both ‘basic privacy’ and ‘elaborated privacy’ sprouted all over the world (FedRAMP, GDPR, ..., California's CCPA being the latest one).
This put huge pressure on businesses holding a high concentration of consumer data, like the Cloud providers themselves: they were quick to understand and work on the issue.
Cloud privacy as of today
As a result, Azure and AWS started to release train after train of basic privacy-preserving features (the following links refer to the LinkedIn articles I published when the features were released): Azure Firewall, Azure Policy, Azure Private Link Services, Azure PIM, Azure Lockbox, Azure Confidential Computing, AWS Resource policies, AWS VPC Endpoints and Gateways, AWS VPC ingress routing, AWS Nitro Enclaves.
All these candy bags do not come for free, though: in most of the examples cited above, processing power must be provisioned, maintained, and able to scale in or out at short notice.
In terms of pay-per-use, this means a fixed price plus a variable price. We will name the incurred cost c-one. (Recall that c-zero represents the exact same model but without privacy.) The variable part depends on many parameters, but one stands out for our discussion; let me call it the friction: the more workloads you have transformed, the more inter-dependencies you are likely to have knit on and off premises, and the more traffic you are now likely to carry. This increase is not linear: it depends on the square of n, where n is the number of intertwined applications. Friction is a weight on your bill that is not specific to privacy-friendly services, but they are quite sensitive to it.
The privacy shift
Had basic privacy-related expenses been known right from the beginning of the Cloud adventure, executives would not have gnashed their teeth so loudly (the unpleasant sound is precisely to be heard at the privacy shift point in the diagram below).
Now that Cloud providers have reached a good level of maturity as far as basic privacy is concerned (and also a good level of 'elaborated privacy', but this is another matter), this should accelerate the transformation, not slow it down.
Educate your executives if you can, but for your own good don't show them the diagrams...