Cloud computing is disrupting IT spending to an extent not seen since the early days of the digital age, according to Gartner, which predicts more than US$1 trillion in IT spending will be directly or indirectly affected by the shift to cloud between now and 2020. Furthermore, the public cloud services market in the mature Asia Pacific region, which includes Australia, New Zealand, Singapore, and South Korea, will rise to $12.4 billion by 2019, according to Gartner.
Organisations are attracted to cloud for its many benefits, such as the ability to pay only for the resources the organisation uses, when it uses them. This lets businesses scale their computing and storage resources up and down according to actual requirements, rather than having to pay for excess resources upfront in anticipation of future needs.
The pay-as-you-go model also lets businesses transfer many IT expenses into operating expenditure as opposed to capital expenditure. It also reduces other costs, such as those of maintaining hardware and infrastructure on-premises and dedicating office space to the on-site data centre.
Businesses are looking to achieve ever-greater levels of productivity and profitability. The cloud fits this bill, supporting growth and adding flexibility while reducing costs.
However, as cloud offerings continue to grow and become more attractive in coming years, so will their associated risks. Businesses should include in their project and migration plans the time and effort to understand and plan for several key factors before moving sensitive systems, data, or applications to the cloud.
There are three key factors for businesses to consider when developing a cloud transition strategy:
The cloud typically consists of one of three major architectures: Software-as-a-Service (SaaS); Platform-as-a-Service (PaaS); and Infrastructure-as-a-Service (IaaS). Security and regulatory compliance procedures are directly tied to the model chosen.
• SaaS: The most common example of the cloud. When using this platform, a company simply leverages an application completely controlled by an external provider. Examples include webmail and social media. However, when using SaaS solutions, a company has little opportunity to conduct a security review, with risks predominantly managed through the contract. Particular areas to closely evaluate include availability, ownership of liability, and the processes and responsibilities of the cloud provider during a data breach.
• PaaS: This cloud solution typically involves the movement of an application to a cloud vendor, with this third-party provider then providing the business with the required virtualised server and connectivity needed to operate the application. Vendor risk is still managed through contracts; however, the company needs to keep in mind that it is still responsible for maintaining the application.
• IaaS: This solution takes existing physical or virtual servers and transitions them into a cloud environment. The vendor’s main responsibility when using an IaaS solution is to manage the connectivity and security of the fundamental infrastructure, with the organisation maintaining responsibility for securing applications and operating systems.
There are three types of cloud solutions available for organisations to implement: public cloud; community cloud; and private cloud.
• Public cloud: Public cloud encompasses platforms including Gmail and Dropbox. When using this solution, all customers are in the basic environment and generally have basic security controls.
• Community cloud: Community cloud is designed to meet a specific industry’s security and regulatory demands; examples include solutions designed to meet the standards and requirements set by the Australian Signals Directorate. With more specialised security requirements, community cloud options tend to be more costly than public cloud.
• Private cloud: Organisations with extensive internal information technology capabilities can choose to deploy a private cloud solution within their internal environment. This solution delivers complete control over security details and compliance demands, but carries the most expense.
Representing the most significant risk, zombie systems result when an original application or underlying operating system is not maintained. Once an organisation transitions a system, application, or business process to the cloud, it is often assumed that the original assets will deactivate rather quickly. However, studies show that the sun-setting process takes an average of two to three years.
This delay typically occurs due to linkages to the original system that cannot be broken without interrupting critical business processes. In addition, as soon as cloud migration occurs, the attention of IT teams is often diverted from original systems to the new cloud solutions. However, those legacy systems still exist and can contain sensitive data. Because these systems do not necessarily receive the same security maintenance and updates, they can be highly vulnerable and present significant risks to the company.
To guard against zombie systems creating potential exposures in the IT environment, the business’ cloud migration strategy should include full maintenance and tracking of these systems until they are officially removed from the network.
As cloud solutions become more readily available for small- to medium-sized businesses, Australia can expect to see a continued increase in businesses moving to the cloud or adopting a cloud-first strategy. While this approach delivers significant, measurable benefits, businesses must plan strategically to ensure they get the maximum value from cloud while minimising the risks. It’s essential to fully understand all of the cloud options available and choose the option that best aligns with the business’ regulatory demands and risk appetite.
The bottom line is that organisations should evaluate their potential cloud architectures and models to develop a cloud roadmap that will let them reduce their technology vulnerabilities while creating a competitive advantage.