Weighing the risks and benefits of moving to the Cloud, part 1

February 25, 2022
John Bruggeman
Consulting CISO

In this blog post, I’ll talk about the risks and benefits of moving some or all of your information technology to a cloud provider.

Cloud computing. Cloud storage. Cloud infrastructure. Everything seems to be moving to the Cloud and everything in the Cloud is better. Right?

Often people assume that moving their hardware and applications (servers, switches, firewalls, applications) to the Cloud brings all of the benefits: everything is secure and safe “up there”, a lot of your security problems are fixed, and there is nothing to worry about now!

Not so fast there, partner.

As with so many things in life, it’s more complicated once you get into the details. If idioms like “God is in the details” or—conversely—“The Devil is in the details” come to mind, feel free to choose which one works best for you.

The reality is that things can be more secure when outsourced to a cloud provider, but that is not always the case. Be very clear and precise in the contract you sign with your cloud provider (AWS, Azure, GCP, or a local provider) so that you get the functionality and the security controls you want, need, and expect.

To start, ask yourself two fundamental questions before you sign on the bottom line.

1. What do you want to outsource to your vendor partner? Your data center? The day-to-day operations of your IT department? Your nightly backups? The patching and updating of your software and hardware?

2. Are you trying to transfer risk or lower cost by using a cloud vendor? If so, what risk? The risk of a power failure taking your computer systems offline for hours or days? The risk that a tornado will destroy your computer facilities and take you offline for weeks or months?

Let’s look at the first question.

What do you want to outsource to your vendor partner?

Depending on your level of commitment, you can realize a range of benefits by moving to the Cloud. For some of you, the desire is to get the hardware out of your current space and move it to a trusted, more physically secure space that has good backups, redundant power supplies, a generator, and controlled access to the equipment. Strictly speaking, moving your own hardware into someone else’s facility is colocation; replacing it with the provider’s virtual servers, storage and networking is the cloud version of the same idea. Either way the provider owns the physical layer.

In this case, you are outsourcing the physical hardware to a third party so that your IT staff can focus on the operating systems, software and applications you need to run your operations. This is a good choice if you have a limited staff, because they can concentrate on keeping the operating systems and applications patched and up to date. Keep in mind that the provider’s responsibility stops at the hypervisor and the data-center walls; what runs inside your virtual machines is still yours to patch, back up and lock down. You can also transfer capital costs to your operations line, which can help with your budget. Instead of spending $100,000 or $500,000 (or more) every three years to upgrade hardware, you pay a predictable recurring fee for a fixed period of time (3-5 years), or a usage-based bill that you can forecast, which makes it easier to budget. This is often called Infrastructure as a Service (IaaS).

In other cases, you need to outsource more than just the hardware. You want to outsource the hardware, software, licenses and your applications to a trusted vendor partner. As a result, you can remove several lines from your capital budget (CapEx) and perhaps some from your operations budget and turn them all into operations expense (OpEx). This can be very helpful for the CFO and the finance department for budgeting. It can also improve the return on investment or cash flow and pay dividends (real dividends) to your stakeholders. You now have a Platform as a Service (PaaS) to operate your business (or Software as a Service, SaaS, when the vendor runs the application itself), and you need far fewer IT staff to run it. You do still need someone on your side who owns the user accounts, access rights, configuration and the data, because the vendor does not take those over.

You can also outsource just parts of your IT operations to improve efficiencies, ensure critical functions happen when expected (backups, patching, vulnerability scans), and document that you are meeting compliance requirements.

Key things to remember when reviewing your options for either PaaS or IaaS:
  • Purchase just what you need but make sure you can grow or shrink as needed.
  • Make sure you have service level agreements (SLAs) for the services you purchase. Do you need 99.999% uptime or 99% uptime? 99% permits roughly 3.65 days of downtime a year; 99.999% permits about five minutes. There is a correspondingly big difference in price.
  • Know which security tasks (patching, backups, logging, identity and access management) the provider takes on and which stay with you, and write that division into the contract.
  • Have a way to get your data back, in a format you can use elsewhere, if/when you want to change vendors, and test that export before you need it.
  • Assume nothing; confirm everything in the contract.

Now we can look at the second question.

Are you trying to transfer risk or lower cost by using a cloud vendor?

Most people move to the Cloud for one (or both) of two reasons: to lower costs (which doesn’t always happen) or, more often now, to transfer risk. A contract can transfer operational risk to the vendor; it cannot transfer your accountability to your customers and regulators for what happens to the data.

What risk do you want to transfer?

Downtime? If the goal is to minimize the risk to your company or organization from a power outage or a natural disaster, make sure the SLA with your vendor partner actually guarantees the uptime you need (five nines, 99.999%, allows about five minutes of downtime a year) and spells out what happens if the site (or sites) goes down for hours or days after a power loss, flood or hurricane. Read the fine print: a provider’s SLA normally covers only the provider’s own service, often only when you deploy in the redundant configuration it recommends (multiple availability zones or regions), and the remedy for a breach is usually a service credit, not compensation for your lost business.

Keep in mind that moving to the Cloud will help minimize the risk of downtime from a natural event, but human error can be as big a factor in taking a site down for hours or days. Cloud consoles and APIs make it possible to delete an entire environment in minutes, so if you have granted too much privilege to a user who does something bad, either intentionally or accidentally, you can go down as easily as if your site had been hit by a tornado. Make sure you have clearly identified the risk you want to mitigate. Review your risk assessment and mitigate that risk based on the value of the asset or assets. You don’t want the cost of the control or protection of an asset to exceed the value of that asset.
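To make the least-privilege point concrete, here is an added example (not code from the original post) that audits IAM-style policy documents for the kind of over-broad grant described above: wildcard actions, wildcard resources paired with write actions, and destructive actions that carry no guardrail such as an MFA condition. The three policies are constructed samples in AWS IAM JSON syntax, and the function names and the short list of “destructive” action prefixes are this example’s own assumptions, not anything from a provider.

```python
"""Flag over-broad Allow statements in IAM-style policy documents.

Added example, not code from the original post. The policies below are
constructed samples in AWS IAM JSON syntax; the helper names and the
DESTRUCTIVE_PREFIXES list are this example's own assumptions.
"""
from typing import Any, Dict, List

# Actions whose misuse can take an environment offline. Assumption: a short
# illustrative list; extend it for your own environment.
DESTRUCTIVE_PREFIXES = ("ec2:Terminate", "ec2:Delete", "rds:Delete",
                        "s3:Delete", "iam:")
# Describe*/List*/Get* calls legitimately need Resource "*", so a wildcard
# resource is only a finding when paired with something that writes.
READ_ONLY_VERBS = ("Describe", "List", "Get")


def _as_list(value: Any) -> List[Any]:
    """IAM allows a string or a list in Action/Resource; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action: str) -> bool:
    """True for read-only API verbs such as ec2:DescribeInstances."""
    verb = action.split(":", 1)[-1]
    return verb.startswith(READ_ONLY_VERBS)


def audit_policy(policy: Dict[str, Any]) -> List[str]:
    """Return one finding per risky check on each Allow statement.

    An empty list means no finding. Deny statements are skipped because they
    narrow privilege rather than widen it.
    """
    findings: List[str] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        actions = [str(a) for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))

        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if wildcard_actions:
            findings.append(f"{sid}: wildcard action {wildcard_actions}")

        if "*" in resources and not all(_is_read_only(a) for a in actions):
            findings.append(f"{sid}: Resource '*' with non-read-only actions")

        destructive = [a for a in actions if a.startswith(DESTRUCTIVE_PREFIXES)]
        if destructive and not stmt.get("Condition"):
            findings.append(
                f"{sid}: destructive actions {destructive} without a Condition "
                "(no MFA, tag or source-IP restriction)")
    return findings


# Constructed sample policies (not from any real account).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Admin", "Effect": "Allow",
                   "Action": "*", "Resource": "*"}],
}

OPS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OpsNoGuardrails", "Effect": "Allow",
        "Action": ["ec2:TerminateInstances", "rds:DeleteDBInstance"],
        "Resource": "*",
    }],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnlyInventory", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "s3:ListBucket"],
         "Resource": "*"},
        {"Sid": "TerminateDevOnlyWithMfa", "Effect": "Allow",
         "Action": "ec2:TerminateInstances",
         "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
         "Condition": {
             "Bool": {"aws:MultiFactorAuthPresent": "true"},
             "StringEquals": {"ec2:ResourceTag/Environment": "dev"},
         }},
    ],
}

if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("ops", OPS_POLICY),
                      ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(doc) or ["clean"])
```

The scoped policy shows the shape you want to see in a reviewed policy: read-only inventory calls may use a wildcard resource, but the one destructive action is limited to a single region and account, only to instances tagged as dev, and only with MFA present. Run the same check over every policy attached to humans and to automation before you go live, and again after every change.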

Read more: After the Smoke Clears – What we can learn about risk management

Other kinds of risk you might want to transfer by moving to a cloud solution:
 
  1. Reliability of your current IT infrastructure: Your hardware might be old and unreliable.
  2. Managing your current environment might be hard or impossible because the documentation is poor, out of date, or lacking the detail needed to manage the environment or audit it for compliance and change-management purposes.
  3. Growing your IT infrastructure might be hard or impossible to do because of the constraints of the current environment (for example, the server room might not have enough power to add more hardware).
  4. Physical security could be hard or impossible to implement due to where the hardware is deployed. Making sure only the right people have access to the servers and switches can be difficult when IT growth is organic and not planned.

Is it possible to lower costs if you move to the Cloud?

The answer to that question is a very firm maybe. Just like the cost of a car depends on the features you want, the cost of moving to the Cloud depends on what you want from your cloud environment.

A high-end sports car costing $130,000 or more will get you to the grocery store, but do you need that high-end sports car? Probably not. It will look cool and go fast, but a small SUV might be just as good for getting the groceries, and that small SUV might only cost $30,000.

You can spend $130,000 a month (or more) on cloud services, but do you need everything all that spend buys? It depends. Ask yourself these questions as you begin your journey to the Cloud:
 
  1. What am I spending now for IT? Namely, what do the servers, switches, storage, processing power, cooling, and electricity cost on a monthly basis?
  2. Do I need everything I have now? Do I need 20 TB of storage or is some of that data legacy data that can be deleted as part of my data retention policy?
  3. Do I need redundant servers or the amount of capacity I have right now? Can I retire that legacy technology and consequently reduce my recurring spend?
  4. Do I have duplicate services for my information processing needs? Do I have one system for CRM, or do I have the “main” one and another department has a duplicate system? Can I remove inefficiencies from my information technology stack?

Decide which benefits of moving to the Cloud are most important to you

There are other questions to ask, but these are a good start as you evaluate your move to the Cloud.

It will help a lot if you have your risk register and strategic plan in hand so that you make good decisions based on data. Moving your IT operation, even just a portion of it, to the Cloud is not a decision that should be made quickly.

Taking your IT systems out of your realm of control and placing them with a trusted third party is a strategic decision, so take time and think it through.
 

Now that you know all the benefits, over the next few weeks, I will cover the major cloud providers and the risks that you need to consider with each of them along with the general risks inherent with moving to the Cloud.

Stay tuned!

