I sometimes have conversations with people who don’t know me well and think I’m nice (or even “too nice”). Depending on the nature of the conversation, I may correct them. I intend to be kind, which appears as niceness but is fundamentally different. People sometimes draw a false equivalence between the attributes of kindness and those of niceness. Someone can be kind but not particularly nice. As I’ve written elsewhere, it can be kind to give someone extremely blunt feedback, but it may not feel nice to the person receiving it. Similarly, something that is simple, or made up of simple components, is not necessarily easy. For example, the idea of climbing a mountain is simple to comprehend but potentially very challenging to execute.

What do I mean when I say Cloud Security is simple? The principles that drive Cloud Security are really straightforward. First, have a good governance structure. Ensure that your identity and access management practices are based on least privilege and maintain that stance. Ensure visibility everywhere in your environment. Put appropriate controls in place to segment your Cloud platform so that a compromise in one area is contained. Deploy technology using patterns and maintain your configurations through constant checking and automation. Detect unusual events quickly and provide actionable information to critical stakeholders promptly. Automate heavily. These are simple concepts, even for non-technologists.

However, the execution of Cloud Security at scale is anything but easy. Let’s take the area of entitlements, for example. Maintaining a consistent view of all of the entitlements held by every human and machine identity at scale is incredibly challenging. While the emerging product field of Cloud Identity and Entitlements Management (CIEM) intends to tackle this challenge, the solutions and market are immature. Microsoft’s recent acquisition of CloudKnox, now rebranded as part of the Entra product family, is a case in point. Entra is an interesting product providing information on Role-Based Access Control (RBAC) entitlements for Azure and other Cloud environments. Still, it does not yet give a view of Azure Active Directory entitlements. The combination of roles and entitlements between Azure AD and Azure RBAC is a critical view to have to identify potentially undesirable (toxic) combinations.

Without appropriately mature tooling, it is practically impossible for any Cloud Operations or Cloud Security Operations team to understand all entitlements held by any single identity or security principal. Given the number of breaches caused or facilitated by overprivileged credentials, this area desperately needs improved capability.

So Cloud Security is not easy, even if it is conceptually simple. An analogy struck me relating to DNA. The four bases that form DNA are relatively simple components. However, combined in an incredibly variable manner, they can create hugely complex organisms, ranging from a blue whale to a human to a fruit fly. Similarly, the variability of the underlying services in a Cloud environment and their combinations make securing Cloud solutions at scale incredibly challenging. Simple components build towards extremely complex “organic” ecosystems. As the line between IaaS and PaaS solutions becomes ever more blurred, the combinations increase in variability and complexity.

In a DNA-driven world, how the bases combine is governed by straightforward principles—Adenine pairs with Thymine, and Cytosine pairs with Guanine. During DNA replication, enzymes check to ensure that the correct bases have been added to the chain. If there are errors, they are removed at the source before the DNA is “written”.

In Cloud Security, we can keep our organisations focussed on the simple principles that will help us manage complexity at scale. From a practical perspective, we can ensure that we build environments using Infrastructure as Code (IaC) which is version controlled. We can wrap IaC templates with Policy as Code pre-deployment checks. We can validate from a post-deployment perspective that what we intended to build is actually running using posture management and workload protection tools. And we can continue to educate our broader organisations that what appears simple is not easy. The lure of the Cloud is powerful, and the concepts of it are simple. However, the reality of how to get there safely is highly complex and requires the appropriate preparation, training and tooling to avoid disaster.

The human brain loves patterns. We identify patterns everywhere, even where they don’t exist. In the past, this has been of evolutionary benefit. Being able to recognise poisonous tree frogs or tigers or gaps in a forest floor, or tribe members who look like us have all been helpful to our survival. The brain is an expensive engine to run, and any heuristic that helps us be more efficient saves us energy.

Until quite recently, we thought we were the rulers of the world of broad pattern-matching. Sure, animals could recognise patterns for the same evolutionary reasons we could, but from the point of view of image-based pattern matching (as in Recaptchas where one has to recognise all of the images with traffic lights, for example), or being able to create relationships between language, images and sounds (the word “cat”, a picture of a cat and sound of a cat), we pretty much had the mountain peaks to ourselves.

We learn about patterns by experience. Ray Dalio writes in Principles about the benefit of being able to identify “another one of those” based on the study of past events or past experiences. This recognition of patterns aids in decision-making and provides comfort that we’ve seen this kind of problem before.

We sometimes misidentify patterns. Humans mistake correlation for causation so frequently that it’s truly not funny (although the site Spurious Correlations has some really great examples on it, such as the relationship between the divorce rate in Maine and sales of margarine).

Visual patterns can be tremendously appealing. The arrangement of a honeycomb, the fronds of a fern, or the shapes of snowflakes can all be delightful to us. The rule of thirds is a pattern in photographic composition that is almost universally accepted. Similarly, patterns in mathematics or music can be hugely satisfying to our brains.

We’ve communicated these patterns and their ramifications through language, art, science, music, and culture throughout the generations. Being able to recognise patterns is of importance in all sorts of fields. Biologists can use pattern-based knowledge to identify pests. Medical experts can use them to identify human diseases through visual identification or the description of symptoms and their spread. Technologists can use patterns for short-cuts in code or for speedier troubleshooting. This use of patterns has been a huge advantage to us – and we are very good at it.

Max Tegmark, in Life 3.0, argues that we may be losing that evolutionary high ground. Computers are now faster and more effective than humans in identifying patterns in key areas. Self-driving cars have comprehensively demonstrated the capability of AI-driven visual pattern matching (along with many other complex decision-making algorithms).  In addition, despite some highly publicised incidents (and one in which Tesla’s Autopilot feature failed to differentiate between the side of a trailer and the brightly-lit sky), self-driving cars are arguably safer than human drivers.

In the medical arena, AI is proving to be as good as, if not better than, trained radiologists and other specialists at identifying injuries and disease.   Articles on selective inattention such as this one describe how trained experts missed the image of a gorilla inserted into medical images, despite looking right at the gorilla. This paper was based on Daniel Simons’ Monkey Business Illusion, which I was gobsmacked by when I saw it first.

The ability of AI to identify patterns in large amounts of information is considerably better than ours. We don’t have the processing capacity or “attentional” capability to review very large volumes of data.  We become tired, we lose focus, we become distracted. Computers can run 24 x 7 processing trillions of bits of information without fatigue or mistake.

So does this mean we’re irrelevant, and doomed to be jobless?

I would argue strongly that the answer is a resounding no. There are still areas where human expertise has not been outstripped by the use of computers. We are able to interpret patterns of human behaviour and the demonstration and expression of emotion and develop appropriate responses. Human-human interaction is still a huge part of how the world operates (without it we would clearly not exist). Our ability to excel in the workplace and elsewhere should not be threatened by the addition of AI – it should be enhanced by it.

In my opinion, the most interesting writing about AI at the moment is not focussed on how computers will displace us, such as the many sensationalist “AI is coming for your job!” headlines. It is about how we can leverage AI to improve our capabilities in partnership with technology.

We’ve lost the pattern-matching crown (in some areas many years ago), just as we lost the automotive construction battle, and the chess-playing trophy, and as we will cede many other areas to technology in the future. The great thing about humans is we always find new problems to solve (or failing that, create them for ourselves).

So why am I concerned now, and should you be?

The trigger for me writing this piece may seem strange.  DeepMind AI  agents recently won the majority of a series of StarCraft II Real Time Strategy (RTS) games against top professional players, beating the humans 10 out of 11 games.  RTS games can be pretty complex, and while we’ve seen human champions (for example Kasparov and Ke Jie for chess and Go respectively) fall before, this is the first time that the complexities of Starcraft II have been mastered by an AI agent. Why is this significant?

Unlike in a game like chess, the playing area in StarCraft II is large, and due to “fog of war” (a veil over unexplored areas) at the start of the game the contents of the map are invisible to the player. In other words, you can’t see what your opponent is doing until you’ve explored the map or their units show up in your part of the map.  There are a huge number of variables in choosing which strategy to adopt – there is no “best strategy” for victory – early rushes, where a low-tech, high volume army charges and wipes out the opponent’s base can be successful, but similarly, long, drawn-out matches are common.

Poor resource management decisions early in the game (e.g. planning to invest in one technology and neglecting others) can have long-term implications.  And the variability in capability and unit strengths for each of the three races also impacts how a strategy is built.

In addition, as the name of the game category suggests, all action takes place in real time.  Constantly changing variables mean that there are multiple decisions that need to be made at any point in time, and there is a requirement to constantly adjust based on new information.

Again, “So What?”, I hear the non-gamers out there ask.  Why should you care?  Tim Urban, on his hugely interesting site “Wait but Why” in a two-part post on AI, positions the situation like this – AI will either mean our eventual ascendancy to immortality (something I think is pretty horrifying) or our falling off the evolutionary balance beam into extinction.

The key point in his argument for me is that should AI ever reach the level of AGI (Artificial General Intelligence) it will so rapidly outstrip us and achieve ASI (Artificial Super Intelligence) that we won’t even  be able to comprehend how vastly superior the new intellect (and our new overlord) is.  For a visual representation of what that might look like, take a look at his Intelligence Staircase.

In the context of StarCraft II, the ability of the AI to conduct 200 years of training in a single week (at current silicon speeds) is something that shows the evolutionary advantage a computer-based intelligence has over a human.  To do the same level of training would take a human .. 200 years 🙂  We can’t operate faster than our biology allows.  We’re not able to test, analyse and adjust strategies as quickly or accurately as an AI agent would.  We’re also hampered by cognitive biases, a lack of perfect recall and an inability to execute more than a single task at a time.

We’re seeing real progress in the implementation of autonomous vehicles.  AI-driven assistants are becoming more and more part of our lives.  Deep-learning algorithms are mining the world’s data, driving everything from investment decisions to medical diagnoses. The technologies to develop, for example, lethal autonomous weapons (or killer robots, for our sci-fi aficionados) are all available today.  We have a huge proliferation of ANIs (Artificial Narrow Intelligences) which are good at one specific task or set of tasks.

If we are not intentional about the path we’re following, it is not a huge leap to posit a situation where we inadvertently create an overarching AGI, then ASI, which is neither malevolent nor benevolent.  It will just be Other, and, as with the AI that beat the StarCraft II champions, its decision-making will be largely incomprehensible to human observers.   If you really want to be worried about this, Nick Bostrom’s book, SuperIntelligence, paints a bleak picture indeed.

While there are clearly many advantages to leveraging AI, we need to be much more aware of the implications.  And while the recent developments may seem trivial, they are one step more along a path to humanity no longer being the “smartest” entity on the planet, will all that may entail.

Clearly, in this scenario, retail Public Cloud Providers (PCPs) are the younger member of the relationship – looking to move fast and break things, as it were.  Large, regulated Enterprises are the older partner, looking to put their feet up at the end of a complicated and trying day.  They can’t move as fast as the PCPs, because they have accumulated responsibilities in the form of regulatory and board oversight, and have less agility in their old bones than the more nimble PCPs.

When PCPs are dating/courting startups, or Small-Medium Enterprises (SMEs) in less regulated spaces, the pace of adoption and engagement in the relationship is often faster and less complicated.  This is because the younger organisations in the partnership may have similar interests, with fewer individual areas of specific concern.   The equation is one of best price and warranty for the service provided, and it often ends there.

Newer organisations tend to be more cloud-ready as well – they’ve grown up with modern application methods and technology and are carrying less technical debt.  Many large enterprises have applications that pre-date the foundation of today’s PCPs – and the management of these legacy applications can be critical to the day-to-day functioning of the enterprise.

Larger Enterprises also have a significant overhead in the form of regulations that they are accountable to meet, security and compliance controls to adhere to and boards that may be highly risk averse.

Does this “age-gap” means that the relationship is doomed?

Not necessarily; it just means that the younger partner needs to be more aware of the specific needs of their older paramour.   Some PCPs are clearly very aware of this.  For example, Microsoft Azure is focussing heavily on providing hybrid cloud services, including Active Directory integration and Azure stack for on-premises use to enable the lines between the enterprise and the PCP to be less of a challenge to adoption.

In their turn, the elder partner needs to be aware that contracts and master services agreements may need to be reassessed while still maintaining the appropriate risk management posture.  Workload selection also has to be carefully managed – the “wrong” workloads migrating to a cloud environment will clearly result in unhappy outcomes.

What else can PCPs do to help?  They can make information readily available to simplify the transition to a cloud environment by making compliance resources available, as AWS did recently with their Cloud Compliance center.

They can simplify and make more transparent their usage and pricing structures.  For the past few years, articles have been published (e.g. here, here and here) about businesses pulling workloads back from public cloud environments, in part because of “sticker shock”.   (There are other reasons, including availability issues that have been identified as driving the pullback).

In addition, PCPs can put together chains of services that legacy application managers can consume more readily.   For example, AWS Lightsail, Farscape, Beanstalk and Migration Services are a step in the right direction.  These still don’t remove the overwhelming variety and complexity of sub-services that PCPs offer, but compared to e.g. Google Cloud Platform, they provide a friendlier face to newcomers to public cloud environments.

Is this May-December relationship still worth pursuing?  Absolutely – because there can be significant value for both parties if approached correctly.  Large Enterprises can use public cloud environments as a catalyst for application modernisation, risk reduction and capital budget weight-loss (although OpEx clearly needs to be very carefully managed).  PSPs can benefit from the steady, predictable income that a well-funded, firmly established partner can provide (and can learn how to further develop offerings that are suitable to these organisations, growing the business).  As with any relationship, the key is to ensure that expectations are set appropriately at the outset, and then met or exceeded.

Wearable technology is increasingly becoming part of the world we live in.  From ingestible medical devices to AR headsets, from clothing with connectivity to gadgets to make your running smarter, we are buying more and more tech to generate more and more data about our lives.  Allegedly at least, making us more productive, fitter and healthier.

These devices promise so much, and sometimes deliver nothing but broken promises and disappointments.  Even the veterans of the bunch, the fitness trackers, are inconsistent, sometimes temperamental, and occasionally as forgetful as a regular person (“what device was I supposed to be connected to?”).

I’ve had two main fitness trackers/”smart” watches over the past four years, and the experience with both had some of the above shortcomings, but I ended up really loving one of the trackers.

My current tracker is a Fitbit Blaze HR, and, well, it’s ok.  I specifically bought the HR model because, you guessed it, I wanted to track my heart rate while exercising.  Turns out there’s a catch with that.  There are a good number of posts in the Fitbit forums on how you need to move the strap several finger widths up your wrist and tighten the strap when exercising in order for the Blaze to get a good heart rate read.  In practical terms it’s fine for resting heart rate, but not so good for exercise, particularly anything like HIIT or hypertrophic lifts that cause your pulse to spike significantly.

I’ve gone through the stock silicone band since I first started using it just over a year ago – I’ve since replaced it with a metal one, which seems likely to last longer (and gives the watch a smarter look, in my opinion).

Prior to the Blaze, I had a Microsoft Band 2 for two years, and despite its idiosyncrasies it did everything I wanted it to.  It, too, struggled with heart rate accuracy. (Most LED-based trackers won’t hold a candle to a dedicated Polar-style ECG band around the chest, but I don’t like the faff associated with those.  Given how frequently I forget my water bottle, it’s also just one more thing to add to the list of gear needed to have a workout).

The critical difference for me between the two trackers was that the MS Band 2 very rarely lost sync with my phone, controlled music properly (which in the gym is a lot handier than taking your phone out and scrolling through playlists), and displayed just enough notifications to be useful.  The Blaze doesn’t do these things well.  It often loses sync, sometimes to the point where I have to reboot both phone and watch to get sync re-established, and then it only works after several tries. Its battery life is relatively short, and very unpredictable.  And for some reason it just doesn’t make me like it the way the MS Band 2 did.

So why am I using a fitness tracker I don’t like as much as the previous one?  I went through 4 Band 2 replacements under warranty in two years.  Three of the four failed because the wrist band, which was integrated into the face, split during use in the gym.  With some key electrical elements embedded in the strap, that was a fatal flaw.  Microsoft displayed the best customer support I’ve seen in some time – they replaced the failed trackers under warranty with no fuss (they clearly knew they had a problem), and then gave me a full refund after two years use when they acknowledged that they would no longer be able to provide replacements.  Given the responses we’re accustomed to getting as customers in a disposable age, I was really pleased and impressed by this level of service.

As a result, despite my frustrating experiences with fitness trackers to date (and talking to friends and trainers in the gym I know I’m not alone), I will be an eager buyer if Microsoft ever decided to release a Band 3.  Not because I expect the experience to be flawless, but because they have shown that they can provide a great customer experience for the product, and because to me the Band 2 had enough redeeming features to overcome its flaws.