In this blog post, I’ll talk about the risks and benefits of moving some or all of your information technology to a cloud provider.
Cloud computing. Cloud storage. Cloud infrastructure. Everything seems to be moving to the Cloud and everything in the Cloud is better. Right?
Often people assume that moving their computer hardware (servers, switches, firewalls, applications) to the Cloud brings all of the benefits: everything is secure and safe “up there,” a lot of your security problems are fixed, and there is nothing to worry about now!
Not so fast there, partner.
As with so many things in life, it’s more complicated once you get into the details. If idioms like “God is in the details” or—conversely—“The Devil is in the details” come to mind, feel free to choose which one works best for you.
The reality is that things can be more secure when outsourced to a cloud provider, but that is not always the case. You need to be very clear and precise when you sign a contract with your cloud provider (AWS, Azure, GCP, or a local provider) so that you get the functionality that you want, need, and expect.
To start, ask yourself two fundamental questions before you sign on the bottom line.
1. What do you want to outsource to your vendor partner? Your data center? The day-to-day operations of your IT department? Your nightly backups? The patching and updating of your software and hardware?
2. Are you trying to defer risk or lower cost by using a cloud vendor? If so, what risk? The risk of a power failure taking your computer systems offline for hours or days? The risk that a tornado will destroy your computer facilities and take you offline for weeks or months?
Let’s look at the first question.
Depending on your level of commitment, you can realize a range of benefits by moving to the Cloud. For some of you, the desire is to get the hardware out of your current space and move it to a trusted, more physically secure space that has good backups, redundant power supplies, a generator, etc.—that is to say, a secure cloud environment.
In this case, you are outsourcing the physical hardware to a third party so that your IT staff can focus on the software and applications you need to run your operations. This is a good choice if you have a limited staff because then they can focus on making sure the operating systems and applications stay patched and up to date. You can also transfer capital costs to your operations line, which can help with your budget. Instead of spending $100,000 or $500,000 (or more) every three years to upgrade hardware, you have a fixed fee for a fixed period of time (3-5 years), which makes it easier to budget. This is often called Infrastructure as a Service (IaaS).
In other cases, you need to outsource more than just the hardware. You want to outsource the hardware, software, licenses and your applications to a trusted vendor partner. As a result, you can remove several lines from your capital budget (CapEx) and perhaps some from your operations budget and turn them all into operations expense (OpEx). This can be very helpful for the CFO and the finance departments for budgeting. It can also improve the return on investment or cash flow and pay dividends (real dividends) to your stakeholders. You now have a Platform as a Service (PaaS) to operate your business and you don’t need your IT staff.
You can also outsource just parts of your IT operations to improve efficiencies, ensure critical functions happen when expected (backups, patching, vulnerability scans), and document that you are meeting compliance requirements.
Now we can look at the second question.
Most people move to the Cloud for one (or both) of two reasons: to lower costs (which doesn’t always happen) or—more often now—to defer risk.
Downtime? If the goal is to minimize the risk to your company or organization from a power outage or a natural disaster, ensure your vendor partner commits to five nines (99.999%) uptime in the SLA, with guarantees that the site (or sites) will not be down for hours or days if you lose power or a flood or hurricane hits.
Keep in mind that moving to the Cloud will help minimize the risk of downtime from a natural event, but human error can be as big a factor in terms of taking a site down for hours or days. If you have granted too much privilege to a user who does something bad—either intentionally or accidentally—you can go down as easily as if your site was hit by a tornado. Make sure you have clearly identified the risk you want to mitigate. Review your risk assessment and mitigate that risk based on the value of the asset or assets. You don’t want the cost of the control or protection of an asset to exceed the value of that asset.
Lower costs? The answer to that question is a very firm maybe. Just like the cost of a car depends on the features you want, the cost of moving to the Cloud depends on what you want from your cloud environment.
A high-end sports car costing upwards of $130,000 or more will get you to the grocery store, but do you need that high-end sports car? Probably not. It will look cool and go fast, but a small SUV might be just as good to get the groceries, and that small SUV might only cost $30,000.
There are other questions to ask, but these are a good start as you evaluate your move to the Cloud.
It will help a lot if you have your risk registry and strategic plan in hand so that you make good decisions based on data. Moving your IT operation—even just a portion of it—to the Cloud is not a decision that should be made quickly.
Now that you know all the benefits, over the next few weeks, I will cover the major cloud providers and the risks that you need to consider with each of them along with the general risks inherent with moving to the Cloud.
Read more from John Bruggeman:
2022 Cybersecurity Predictions
Cyber Insurance, part 1: What is Cyber Insurance and do I need it?
Cyber Insurance, part 2: Getting ready for the insurance company questionnaire
Cyber Insurance, part 3: Filling out the questionnaire
Cyber Insurance, part 4: What do you do if your cybersecurity insurance policy is denied?