Outside the Bristol Zoo, in England, there is a parking lot for 150 cars and 8 coaches, or buses.
It was manned by a very pleasant attendant with a ticket machine charging cars £1 (about $1.40) and coaches £5 (about $7).
This parking attendant worked there solid for all of 25 years. Then, one day, he just didn't turn up for work.
"Oh well", said Bristol Zoo Management - "we'd better phone up the City Council and get them to send a new parking attendant..."
"Err ... no", said the Council, "that parking lot is your responsibility."
"Err ... no", said Bristol Zoo Management, "the attendant was employed by the City Council, wasn't he?"
"Err ... NO!" insisted the Council.Sitting in his villa somewhere on the coast of Spain, is a bloke who had been taking the parking lot fees, estimated at A£400 (about $560) per day at Bristol Zoo for the last 25 years. Assuming 7 days a week, this amounts to just over A£3.6 million ($7 million)!
So what's the point here? Without governance controls anyone can come in and rule the roost. There is no accountability, control or record. I know I've been harping on this a lot lately, but it just seems to me that if controls are not in place and a means for reviewing the implementation and usage of the controls, anyone can walk away with the keys to the kingdom as it were.
This is much like what happened with Abdirahman Ismail Abdi or even Terry Childs, both of whom I have commented on before. If either one of them had been subject to some sort of governance process it would have been much more difficult for them to execute their schemes.
After all, you know what they say, "a million here, a million there and soon we're talking about real money."
3 comments:
And now for the topic of the moment that I have been reflecting on - how does Governance fit in "The Cloud"?
You are essentially trusting a 3rd party selling commodity computing infrastructure to enforce security controls that you are responsible for.
"The Cloud" sounds a lot to me like "securitisation" of IT services. A vendor packages up services with risks that they may or may not be aware of and they are sold on to corporations as "Cloud computing".
I would suggest that even if a "due diligence" takes place, in many cases different standards will be applied to external vs. internal controls.
So is "the Cloud" really another set of sub-prime risks, packaged up in a AAA-rated wrapper?
Well that's kinda the million dollar question: Once you go out of infrastructure that you control what happens?
It will all come down to the relationship between the identity providers and consumers of the (supposedly) federated relationship.
I'm afraid until we have some strong means of authentication in widespread use this will be more of a legal/paper concept than an operational/IT one.
But that opens a whole new issue... How do you prove your identity in the cloud?
I know you'll all be surprised that the acutal story this article is based on is an Urban Myth.
http://www.thisisbristol.co.uk/news/Urban-myth-Bristol-Zoo-parking-attendant/article-1073841-detail/article.html
I don't think that invalidates the argument though...
Post a Comment