Whose CAD Is It, Anyway? Part 312 Aug, 2020 By: Robert Green
CAD Manager Column: A recent attack on GPS juggernaut Garmin shows that any company can be vulnerable to potential losses when data is stored in the cloud.
In the last two editions of the CAD Manager’s Newsletter, I posed several questions about how our CAD tools and data are managed, with the core debate being whether the cloud is a good idea or not. I then opened the floor to debate via email and my CAD Managers Unite! Facebook group. The feedback indicated that there is broad debate out there about the inevitability — and trustworthiness — of combining CAD with the cloud.
In this edition of the CAD Manager’s Newsletter, I’ll discuss a cautionary tale drawn from recent headlines, share some great comments I received about cloud-based CAD, and draw a few conclusions along the way. Here goes.
The Recent Garmin Debacle
I don’t know if any of you noticed, but a couple of weeks ago, GPS device manufacturer Garmin was taken totally offline by a ransomware attack. This had the results of shutting down the company’s subscription data services; applications including pilot flight planning, maritime navigation maps, fitness trackers, and a variety of third-party tools that linked to Garmin services were offline for as much as two weeks.
This episode forces me to draw the following conclusions:
- Cloud data corruption/loss/interruption can happen to any company, even a large and well-established one. Garmin is a huge player in the industry, and if it can be taken totally offline, then so can your CAD vendor. In fact, big companies, such as Garmin or Wells Fargo, have been targeted more frequently than small companies.
- Services delivered via cloud can be fundamentally disrupted at high cost to you.Nobody will go broke because they can’t track their bike ride on a fitness watch, but aircraft that couldn’t file flight plans and ships that couldn’t obtain the latest navigation maps experienced profound disruptions. Will Garmin compensate them for their loss? Not likely, given the terms of service in their standard product agreements.
- If your data resides on the vendor’s server, you may lose it. It seems as if Garmin recovered much of their data, but there is conflicting information about whether they did so by paying off the attacker, and nobody knows how much confidential data may have been compromised as a result.
Because of these factors, given the choice between trusting my data to somebody else or securing it and backing it up myself, the latter option seems more conservative. Is this paranoid rambling on my part? Certainly not — this type of incident is happening more and more often. Think on it.
Cloud Security First and Foremost
One of the more pointed responses I received came from J.S., a member of the CAD Managers Unite! Facebook group:
“I think the one big piece of this whole puzzle is the fact that organizations will not be able to continue to work the way they have in the past, with a select few doing the ‘CAD/engineering’ work. The whole idea of collaboration is a major factor in all these decisions related to moving to the cloud. Organizations that learn to utilize all their resources are going to be more successful.
“There are valid points that an organization needs to be aware of and understand, but also in my opinion, owners and leaders of organizations have to build their organizations around the idea that people have to work together to be able to get projects done productively and on time for clients, and even more so today be able to do their work from anywhere and be productive doing it.”
Agreed — but the question really becomes, What is the mechanism for facilitating that sharing? There are many possibilities (which J.S. touches on later), but the fundamental point here is not that we will have to collaborate, but how — and how much the public domain cloud will have to do with it.
“In order to work efficiently, you have to have the compute next to the data. Historically this was easy… plug some systems into a network, put the data on a server, and connect everyone to that data. In the AEC industry, effective and successful firms have found ways to utilize their resources across their entire organization, and sometimes even outside of their organizations. But to do this you have to utilize some form/feature/function/idea of a cloud-based system, whether that be private or public. There are many firms that realized this years ago, and moved the compute next to the data inside a data center and utilized various approaches (software, hardware, clients, etc.) to have everyone remote into the data center. In more recent years organizations have found the ability to utilize the same concept but move to a public/private cloud and again use different software/hardware, etc., to be able to make use of the scalability and features of the cloud to be able to utilize their resources.”
Again, valid points are made here. In my own experience, however, it is only the very large firms that are virtualizing their computing resources and data storage to cloud services (such as Microsoft Azure). The broader collection of companies I deal with still have their own servers and their own shared workstations that are accessed via remote log ins.
My point here is not to invalidate what J.S. says, but just to point out that the move is much slower than many think. And those companies that are located outside the major metro areas, where high-speed Internet is assumed, aren’t moving in this direction yet.
So how to tackle the mix of possible solutions? J.S. opines on that as well:
“The systems that work best are the ones that utilize a combination of the traditional with pieces of new cloud technologies. It’s just another part of the puzzle now and it’s what allows organizations of just about any size to be able to compete with larger organizations, and in many cases allows smaller organizations to be more agile and more productive even than larger firms. No longer are you limited to a certain mile radius to find talent, no longer are you limited to who you can utilize across your organization for a particular project. By utilizing the power of parts of the cloud, or in some cases full use of the cloud, you can find talent and put them to work anywhere. I can now find a designer, project manager, or engineer that is an expert in what they do and put them to work utilizing my organization’s data. This is powerful for owners and leaders of an organization.”
J.S. is exactly right here. But again, what systems does a company use, and how do they secure their data based on the infrastructure they have? And to what extent is changing systems to support a few remote workers really feasible if the bulk of the users are at a central facility (post-COVID-19)? To me, this is where the real uncertainty lies, and I’m eager to hear everyone’s perspective.
And finally, J.S. speaks on risk and mitigation of it here:
“Are you at the mercy of the Internet, or a vendor and their offering? I’d say yes, to a point. Do you need to be aware of licensing restrictions, the standing of a particular vendor? Yes for sure.
"I’d say you are also at the mercy of the electrical company while sitting in your office working on your local computer. If you want to mitigate the risk of that, you would install a generator if it was that big of a risk that you couldn’t be without power. The same applies to Internet and vendor offerings. What are you willing and able to do, to mitigate risk vs. cost?”
I think the operative word in this line of reasoning shouldn’t be risk, but rather liability. Using the Garmin situation as an analog: Garmin had a risk of being hacked and there will be an associated cost of recovering from it — but what is the true liability of the loss?
If your company leaders don’t want to spend $100,000 per year to manage their overall cloud services strategy and choose to place all design data on a cloud-based file-share utility like OneDrive or Box, what would happen if all the data were lost? How long would it take to recover? How many deadlines would be missed, and what would the damages to the company be as a result?
It turns out that managing risk in the age of the cloud is largely about how much of your business you make dependent on it. So while we may all have to deal with the cloud in some way, shape, or form, let the experience of Garmin inform your decision making.
First, I’d like to thank J.S. for such a well-researched response to the last newsletter. J.S. raised great points that should be fuel for debate within your organization.
What are your thoughts on this or other cloud CAD topics? I welcome your email at RGreen@GreenConsulting.com, or you can drop a comment at the CAD Managers Unite! Facebook group post. Until next time.