Cloud computing isn’t really that new of a thing anymore. By now, many organizations are familiar with what it is and may even be considering migrating portions of their operations. But what we’re seeing a lot of the time is that, even though they may want to move to the cloud because it’s the cool thing and everyone’s doing it, they may not know the real risks and advantages of doing so. So we’ll run through some key considerations when moving to the cloud. By reviewing the advantages and risks at a high level, hopefully it will assist your organization in making an intelligent business decision when considering a move like this.
Advantages of Cloud Migration
- Cost – In general, the cloud is a much more cost-efficient venture when compared to purchasing and maintaining on-premise hardware. You don’t need the same size facilities to house all this stuff, you aren’t worrying about cooling a datacenter, and you don’t need a massive IT team to manage it all.
- Scalability – You can use as much or as little storage and processing as you need with the click of a button. It allows for cost-efficient scaling that many organizations, from start-ups to established enterprises, are taking advantage of. This amount of flexibility gives an organization a lot of freedom.
- Disaster Recovery/Resilience – One of the big advantages of the cloud is the “built-in” resiliency. Besides the redundancy and physical controls that most providers are employing (which are probably much better than any one individual organization could do), the ability to quickly and easily snapshot, back up, and restore should be very comforting.
- Data Mobility – Accessing data that is on-premise when your users are remote can be complex. Applications and data in the cloud can be accessed from anywhere on any device (for the most part). This meshes well with the current computing environment that most organizations are working in, with a large remote work population. But that mobility comes with a price, as attackers can access these applications/logins from anywhere as well.
- Security – Cloud providers often offer advanced security features that help in protecting your data, given the risk associated with the additional accessibility offered. This can be a great thing for organizations that may not be able to afford or have the resources to implement these controls themselves.
Major Considerations When Moving To The Cloud
- Location of Data – This is the obvious one that everyone loves to talk about when it comes to cloud. You don’t even know where your data really is! This is definitely a paradigm shift, so I understand why it makes some people uncomfortable. Depending on the type of data you are storing/processing, you’ll want to make sure your contract with your cloud provider includes provisions to restrict your data to certain geographic locations (if required) and includes a commitment that they will comply with any applicable privacy laws.
- Data Separation – Probably the biggest risk associated with your data in the cloud is that it is sharing space with other organizations’ data. You’ll want to understand how your provider is segregating all the data they are storing, how they are controlling access, what their security practices are, etc. Encryption may be a piece of this puzzle, but besides simply the use of encryption, you really want to be asking about their key management practices (different keys for each customer, stored securely, compromise of one customer doesn’t affect another) and their access control practices (make sure they’re not using the same credentials to manage all of their customer environments).
- Privileged Access – The cloud provider you’re working with is going to have privileged access to your computing environment, including your data. This is just the reality of the situation. So you’ve got to make sure that you trust your cloud provider and you’re verifying that they’ve got a robust security program, both before engaging them and during your relationship. You should be asking to understand their hiring procedures, oversight of employees, and security controls.
- Compliance – Any regulatory standards that your organization is expected to comply with, your cloud provider has got to be compliant, too. And it is your responsibility to make sure that is the case, prior to engaging the cloud provider and throughout your relationship. Any incident of non-compliance is ultimately your responsibility.
- Organizational Viability – This is something you want to understand with every vendor you do business with, but it’s especially important for cloud providers. Is this provider organization going to be around for a long time? Are they stable? You are centering some aspect of your business and infrastructure around them so you want some assurance here. Additionally, no matter how viable the organization is, you want to make sure your contract has provisions to retrieve your data in a usable format should they go out of business.
- Disaster Recovery – Pretty self-explanatory, but make sure your cloud provider has let you know what happens with your data in the event of a disaster. You should have contractual service-level agreements (SLAs) for how long it will take them to regain operations and a maximum tolerance for data loss.
- Forensic Support – In the event of a security incident or data breach, you should understand how your cloud provider is going to help you. If there are no contractual obligations for them to assist in an investigation, that should be a huge red flag.
So as with any big decision, there are certainly a number of pros and cons. If you are moving to the cloud or have recently moved, you should consider a security assessment if you haven’t already done so to make sure all your bases are covered. Cloud applications and devices have a different level of exposure, different risk profile, and require different types of expertise for those deploying them. If you want to talk more about your specific situation and figure out your next steps, we’d be happy to chat!