“The sun always shines above the clouds,” optimists enjoy telling us. What they fail to mention is that beneath the clouds there are often high winds, torrential downpours, lightning and the occasional golf-ball-size hail bombardment.
The same is true with cloud computing. On the sunny side, the cloud offers a variety of benefits, including the promise of enhanced reliability, flexibility, manageability and scalability. Look below, however, and you’ll see the cloud’s dark side — a place where a single error, oversight or miscalculation can lead to utter catastrophe.
If you want to ensure a cloud transition that showers your enterprise with benefits rather than red ink and lawsuits, avoid these 10 common mistakes.
It’s dead simple to provision infrastructure resources in the cloud, and just as easy to lose sight of the inadvertent policy, security and cost problems that can be incurred. Here, governance and planning are essential.
“While governance and planning is the goal, it doesn’t need to be tackled in one sweep,” says Chris Hansen, cloud infrastructure practice leader at SPR Consulting, a technology consulting firm. “Use small iterations supported with automation,” Hansen advises. “That way, you can address the three critical areas of governance — monitoring/management, security and finance — to quickly surface issues and remediate them.”
A related mistake is not fully understanding who within the organization is responsible for specific cloud-related tasks, such as security, data backups and business continuity.
“When something goes wrong and these things haven’t been figured out, then businesses could find themselves in a really tough spot,” observes Robert Wood, chief security officer at SourceClear, a security automation platform provider.
Despite a great deal of progress made over the past several years, many applications still aren’t cloud ready. A business can seriously damage application performance, user experience, engagement and its bottom line if it sends something to the cloud that isn’t fully baked or that requires complex integration with legacy systems, notes Joe Grover, a partner at LiquidHub, a digital customer engagement specialist.
“Take the time to understand what you plan to gain by making this move [to the cloud] and then validate that you will get what you desire,” he says.
A costly mistake many enterprises make is treating their cloud environment like an on-premises data center.
“If you go down that pathway, your company will end up focusing on things like total cost of ownership (TCO) analysis to make crucial decisions about migration,” says Dennis Allio, group president of cloud technology services for technology integrator Workstate. While cloud services can deliver dramatic cost savings, they also require an entirely different resource management process or you might end up wasting, not saving, money.
Consider, for example, moving a single-application server from a data center to the cloud.
“A proper TCO analysis will take into account how many hours in a day that the server will be in use,” Allio says. For some companies, a server may only be used during normal business hours. In a data center, leaving a server turned on 24/7 adds only a slight extra cost to the facility’s utility bill. But in the cloud, users typically pay by the hour. “Your cloud TCO analysis likely assumes eight hours per day of cloud usage — which can provide an unwelcome surprise, with a potentially tripled cost, if your cloud systems management group doesn’t include processes to turn off those servers when not in use,” Allio explains.
Top-tier cloud service providers (CSPs) supply every customer, regardless of size, with operational capabilities equal to a Fortune 50 IT staff, notes Jon-Michael C. Brook, an author and consultant who currently co-chairs the Cloud Security Alliance’s Top Threats to Cloud Security Working Group.
Yet, based on the shared responsibility model, CSPs are responsible only for what they can control, primarily service infrastructure components. Many tasks, particularly deploying, maintaining and enforcing security measures, are left to the customer to provide and manage.
“Take the time upfront to read the best practices of the cloud you’re deploying to, follow cloud design patterns and understand your responsibilities,” Brook advises. “Don’t trust that your cloud service provider will take care of everything.”
Cloud cost advantages can evaporate quickly when poor strategic or architectural choices are made. A “lift and shift” cloud transition — simply uploading virtualized images of existing in-house systems onto a CSP’s infrastructure — is relatively easy to manage, yet potentially cost inefficient and risky over the long term.
“The lift and shift approach ignores the elastic scalability to scale up and down on demand,” Brook says. “There may be systems within a design that are appropriate to be an exact copy, however placing an entire enterprise architecture directly onto a CSP would be costly and inefficient. Invest the time up front to redesign your architecture for the cloud and you will benefit greatly.”
Not regularly evaluating the cloud service actually being received against planned expectations is a quick way to waste money and degrade essential business operations.
“An organization should periodically review the established key performance indicators and take proper actions to handle real and potential deviations from planned results,” says Rhand Leal, an information security analyst at global standards consulting firm Advisera Expert Solutions.
Azure, AWS and all other cloud platforms are a radical departure from the days of a flat, in-house network that could be managed by nearly anyone, “even the CEO’s nephew,” observes Chris Vickery, director of cyber risk research for UpGuard, a cyber security evaluation service provider. “If there’s no budget for hiring someone specialized in cloud administration, then there should be a considerable time investment in training the IT staffers that can be mustered, prior to moving any bits or computation cycles toward a cloud solution,” says Vickery.
Cloud ignorance can easily lead to a security catastrophe. Vickery claims he has discovered hundreds of millions of sensitive business records stemming from hundreds of companies that had no idea they were exposing their data to the public internet.
“If a malicious actor had gained access to this data, the vast majority of those entities could have faced everything from extortion to complete internal network compromise,” he says. “Executives can avoid this potential disaster by spending a little extra on getting the right person for the task or making sure the tech department has sufficient knowledge and services available to do the job right,” he adds.
One of the primary benefits of moving to a cloud-based environment is the automated provisioning and deprovisioning of computing resources.
“For the most part, companies will benefit from any type of automation,” observes David R. Lee, chief operating officer of IT consulting firm The Kastling Group. Yet automated processes that are poorly written, overly complex and not well documented can lead to lengthy downtimes, significantly affecting critical business operations.
“Automated tests for automated scripts in a controlled environment and training for automation recovery could help mitigate this risk,” Lee says.
Cloud services, on the whole, offer fantastic security. “Because they work with every possible type of company, [CSPs] think about and solve security problems that your own company never faces,” Allio says.
Still, CSPs generally do nothing to correct a customer’s poor system management, flaky software development processes or haphazard security policies. “That’s still your job,” Allio states, noting that one of the core issues in the recent Equifax breach was a failure to patch a web server’s software.
“If Equifax had migrated their application to a managed cloud service, those patches would have been automatic and would have stopped the breach,” he says. “This failure to properly implement cloud services can leave gaps in your security.”
Everything put into the cloud is 100% safe, right? Well, um… not always. While it’s true that the larger cloud providers build infrastructure and services with uptime percentages that far exceed levels the average business can achieve, it doesn’t mean they are immune to outages caused by systems and people.
“If you’ve got business-critical processes running in the cloud, be prepared to handle downtime,” warns Tim Platt, vice president of IT business services for Virtual Operations, an IT consulting firm.
Even in the cloud, uptime can quickly vanish. Amazon Simple Storage Service (S3), for instance, experienced a major outage in February 2017 caused by a simple command typo. “That particular service outage had impacts on other Amazon services — and on providers who built their services on top of Amazon,” Platt says.
Many cloud services offer automatic backup and recovery options. “But don’t take that for granted,” Platt warns. What would happen if a malicious hacker or disgruntled system administrator deleted critical data? How would it be retrieved? Are there appropriate backup mechanisms in place? “All the considerations that apply for on-premises systems also apply for cloud-based systems,” Platt says.