Main content

A SaaD future knocking over honeypots? Onymos CEO Shiva Nathan on why the cloud has been set up wrong

Martin Banks Profile picture for user mbanks July 1, 2024
The CEO of Onymos is no stranger to poking the IT industry’s darlings in the eye and is doing it again – and may even have opened a whole new line of thought. Read on

honey pots

Software as a Service (SaaS) has become so well-embedded in the infrastructure of most businesses these days that is fair to speculate that most of those businesses would rapidly, and probably permanently, implode if, by some unkind miracle, all SaaS implementations were ripped away.

The impact would certainly be huge, not least because it is a way of delivering brute capability of just about any type of computing functionality, almost on demand from the get-go. Users can sign up for powerful, functionally-rich applications in the morning and be running first pilot tasks by the afternoon, rather than staying with the traditional legacy option of buying a license for the runtime and waiting weeks/maybe months for the vendor’s team to turn up and install it, test it, optimize it, tweak it and give it a final polish.

Yes, SaaS is now the de facto dominant way for many businesses to build and exploit their software portfolios, which in turn means that cloud services providers are now the focus of most IT resources, and most business data, meaning that user businesses now directly manage less and less of the workload their businesses generate. Therein, however, lies an increasing problem, at least in the view of Shiva Nathan, CEO of Onymos.

Cloud as a collection of honeypots

Nathan has a bit of a reputation for having interestingly different views on some of the accepted wisdoms of IT management and operations, as demonstrated by the approach taken by Onymos to the issue of cutting into the wasted developer resources lost on the still-standard 70% maintenance costs, while gently poking the Open Source approach in the process. This time the target is not SaaS per se, but what can be seen as a rapidly growing and potentially serious weak-point – honeypots.

That is the term Nathan uses to describe the way that many users now exploit SaaS applications and services. He sees much right with it, of course, in particular the way it has defined the notion of Infrastructure as Code, allowing users to construct new ways of exploiting virtual machines – creating a ‘virtual anything’ environment of great flexibility. As an example, he refers to the way healthcare hardware has combined with healthcare applications software to build new entities, noting:

So your Apple Watch picks up just few of your health parameters, then software can do lots of different things to make it a lot of different things. So it's software as a medical device.

This ‘Software as a Device’ (SaaD) model is likely to be the most beneficial legacy of cloud computing in the long term – but for now it comes with a weak point. To be successful, even in that small scale device application of using a watch as an observer of individual healthcare, it has to be able to use a variety of different applications code and the data those applications generate, and the easiest way to do that – increasingly the only way – is via SaaS.

In itself that is not a problem, but the way that most users have engineered their exploitation of such a capability has meant that much of their valuable data – especially the live data that is part of the current operational workload – is moved to the cloud to be adjacent to those same applications the business has subscribed to.

In other words, the cloud compute resources become the holders of many businesses vital and most current data – and in Nathan’s view, huge honeypots of live data that are likely to be irresistible to those of a malicious persuasion. The quickest of online searches will bring up a long list of cloud services that have been hit, especially by ransomware attacks. And last October, there was a distributed denial of service attack on Google Cloud, AWS and Cloudfare that was said to be the largest yet. Such claims will, of course, can only be a challenge to the malicious.

Nathan’s fundamental premise is that SaaS has been implemented incorrectly, in that as well as paying money to access the compute resources, users also have to part with their data as an integral part of the process. He argues:

If you think about it, all the SaaS vendors have not only taken the money, they've taken the data of all of the customers, becoming a honeypot for hackers. Why do you think that SaaS companies are getting hacked? If you had your data in your personal storage, and I had my data in my own personal storage, there is not so much incentive for a hacker from a different nation to come and attack your country. There's no incentive for a nation state to spend billions of dollars to you or I. But when everyone's data is collected into a SaaS offering it's a honeypot waiting to be hacked.

A touch of the edge

The Onymos response to this situation is to create an operating model is a version of the edge computing model, where SaaS applications come to the user – and the user’s data – rather than the user moving their data to the compute located with the cloud service provider.Nathan’s analogy is buying something reasonably expensive, such as a car, using a bank loan. He explains:

The bank says upload your last two paychecks, three months of bank statements, savings details and the rest and the bank collects all this data then runs an algorithm to find out how creditworthy you are. It then tells you your interest rate - 10% If you're a bad credit risk or three percent If you have great credit worthiness. But the point is that now the bank has become a honeypot of users’ financial data. But your data was sitting in your computer, and all the bank does is send a programme to crunch the data in that computer. What it gets back is your credit worthiness - A- plus or C-minus, and they just offer 10% or three percent. They don't get to really see your data at all. It's a completely different paradigm.

This is, obviously, then very dependent upon the systems the users are running, but it is Nathan’s contention that the majority will be running fundamentally the same standard systems as the major cloud service providers. On that basis it should not matter technically whether the data physically goes to the compute or the compute goes to the data. It may well matter to a user however, where the data is residing.

These days, of course, data can reside in a wide range of places ranging from on-premise to spread across a range of cloud services such as dedicated co-location facilities through to low-cost, slow back-end storage, which would seem to prejudice the way in which the Onymos solution operates. However, with the growing number of tools that provide options for pulling together data relevant to a particular task or workload from all those repositories, combining their capabilities with what Onymos is providing here could give users both choices on where an application is run coupled with greater data security.

My take

At first this may seem a little off the wall, or too focused on the security aspects of cloud service providers. However, its similarities to edge computing models and reasoning suggest it may well have a serious role to play in future architectures – especially where the Software as a Device model becomes the way of specifying and implementing future systems architectures. This will be an era when the word `device’ is used to encompass a single entity, function or requirement that stretches from the smallest monitor at the deepest, darkest edge of a corporate network to the heart of the real-time back office management system.

A grey colored placeholder image