A short history of modern business IT might report that the Noughties were all about taking baby steps in cloud applications such as Salesforce, Google Apps, Taleo, Ariba and NetSuite. The 2010s saw clouds proliferate as pioneers took a ‘cloud-first’ stance and used platforms including AWS, Microsoft Azure and Google Cloud Platform to pilot, test and run services. In the 2020s, we can be confident that businesses will attempt to harness their existing cloud investments, formalising multi-cloud and hybrid cloud strategies and clawing back control via consoles that offer visibility and manageability over increasingly disparate estates.
There are still some unmanageable areas where cloud hasn’t yet permeated but progressive companies today are asking ‘why not cloud?’ instead of ‘why cloud?’ It’s the default deployment mode for the new IT but does that dependence on a deployment model incur a risk? The short answer is ‘yes’. Innovations to IT dependencies have traditionally incurred more risk since those steady days of the IBM mainframe, as they have typically added more silos and IT has become more distributed. In tandem to this pace of IT change has been a rapidly evolving cyber threat landscape which now can produce threats and undermine security on every infrastructure imaginable.
Cloud isn’t infallible
Cloud computing is mushrooming and we are entering a new era where tactical investments are becoming strategic and there is a return to order that’s seeing more CIOs attempt to reign in what they have and introduce controls that reduce siloes, bring down costs, and mitigate risks. We now depend on cloud services even if we don’t realise where our data is residing or travelling at any given point in time. We luxuriate in the notion that our data is somehow safe, looked after by the internet and cloud giants so we build our trust up and up. But, an inconvenient question appears: what happens when it all goes down?
Cloud services aren’t immune from outages, hacking, acts of God or worse. In 2019 alone, we saw Office 365 Exchange Online go down, shortly to be followed by other Microsoft services. Then there was Google Gmail and Drive, Azure, Google Cloud, Salesforce, AWS and more consumer platforms such as Facebook, Instagram, and Apple Cloud. If these mega-forces can go down, anything can, so we need to have a plan to rapidly restore when the worst-case scenario strikes.
Who’s responsible for what?
Per a recent McAfee report, 69 percent of CISOs trust their cloud providers to keep their data secure, and 12 percent believe cloud service providers are solely responsible for securing data. The truth of the matter is that cloud security is a shared responsibility. In an effort to educate cloud customers on what's required of them, the cloud provider giants have created a cloud shared responsibility model or SRM for short.
Simply put, the SRM denotes that customers are responsible for protecting the security of their data that resides in the cloud, just as they are responsible for it on-premises. This doesn’t change for a different cloud deployment type. Customers are wholly responsible for protecting the security of their data and identities, on-premises resources, and the cloud components you control (which varies by service type).
By 2022 it’s believed that at least 95 percent of cloud security failures will be because of customer error, essentially not upholding their part of the SRM. So, in the context of a major cloud-based service having an outage, a customer really needs to know how much of the responsibility and heavy lifting for recovery is on them.
Cloud 2020: Getting your house in order
What’s required is a web-scale design that can consolidate all workloads, data, and apps (regardless of whether they are on-premises, in the cloud, or both), onto one platform for recovery. This moves companies away from being vulnerable to a single point of failure. De-duplication, indexing, and search are required too or there is a high chance of “bill shock” when you suddenly realise that all those low-cost cloud services can add up to very large sums if not managed wisely.
In 2020, having a recovery backstop for if (read: ‘when’) your cloud service provider has an outage is important for business continuity and data and regulatory governance. But why is backup data only used as an insurance policy? It typically sits idle most of the time, but could be used for business benefit. Progressive organisations are finding ways to use their backup data, rather than put added strain on the production environment. Uses include threat prevention, test and dev work, analytics, verification, and reporting.
“Today, it takes on average five separate vendors to provide data management across on-premises and multiple cloud environments,” according to Enterprise Strategy Group. That needs to change. As we move from a world where cloud is adopted in an ad hoc way to one where the cloud is IT, we need to rethink its surrounding support infrastructure and the responsibility model associated with it.
The conversation around securing your data and infrastructure has inevitably shifted with cloud services arriving and maturing, and has now moved on; how a customer manages its data both on-premises, in the cloud and the edge and the subsequent protection dictates the success of its IT strategy.
When the next major cloud outage occurs, the enterprise IT team is still responsible for maintaining IT services to its users. And if you’re reading this and asking yourself the question ‘what do we do if our biggest cloud provider goes down?’ you need to start thinking about answers. For it is the enterprise mission success that’s on the line in the event of a major cloud outage, not just the cloud providers.