You’ve been sitting on the fence long enough. You’re now ready to embrace the public cloud. But before you do, though, you need to make sure your enterprise is ready to tackle the challenges that will confront you when preparing your migration to the cloud. Here are five of them.
Growing concerns over data security has increased the need of many organizations to meet requirements imposed on them by outside agents — government regulators, industry groups and legislatures. For example, in healthcare, organizations need to meet the demands of HIPAA — the federal Health Insurance Portability and Accountability Act. If an organization handles credit card information, it must comply with the Payment Card Industry Data Security Standard (PCI-DSS). In addition, there are laws on the books passed by Congress and state legislatures that impose standards or authorize regulations on data handling. For example, Massachusetts has a privacy law that requires personal information be encrypted when at rest and in transit, up-to-date and that firewalls be deployed to protect data.
Complying with these kinds of requirements must be taken into account when getting ready to move to the cloud. Compliance used to be more challenging in the past because cloud service providers often dumped it on their customers. Making matters worse, compliance agencies didn’t acknowledge the cloud when making their data protection rules and standards. Both those conditions have changed now. Cloud Service Providers (CSPs) figured out that if they wanted to grow their business and land larger clients, they needed to be more helpful to customers with compliance requirements. Meanwhile, regulators and industry standards bodies began to read the handwriting on the wall and started offering guidelines about safe cloud usage. For example, in 2013 changes to HIPAA allowed cloud service providers to act as designated “business associates” of healthcare providers, which opened the door to use CSPs as long as they met HIPAA compliance rules.
When preparing to tap into a public cloud, organizations need to consider a number of key factors that affect compliance. It has to know what information it’s storing on a system, where the information is stored, who has access to the system, what can they access and what access is appropriate. Some of those factors are easier to nail down than others but they all need to be ironed out with a cloud service provider or an organization could find itself in hot water with compliance watchdogs.
Although cloud service providers can provide better security for an organization’s information assets than many organizations can provide for themselves, security continues to crop up as a main concern among executives, although it’s a greater concern among those without cloud deployments than those with them. A recent survey of security personnel by Enterprise Management Associates, an independent analysis firm, found that nearly half the infosec pros (47%) “simply trust” their cloud providers to meet their security obligations without verification.
Trust without verification is not a good idea. That’s especially true when preparing an enterprise for a public cloud deployment. What are some security areas of concern in the cloud? Multitenancy — the fact resources are shared among users in the cloud — is often brought up as a security challenge. Care has to be taken to learn what a cloud provider is doing to make sure one user can’t access another’s data. For example, does the cloud provider support Virtual Private Clouds, which are one way to address concerns over shared access of a public cloud.
Typically, a cloud service provider will encrypt all data to protect its clients, as well as meet compliance requirements. HIPAA, for instance, requires all data stored on hard drives — including a CSP’s hard drives — be encrypted. If a cloud provider is encrypting data, it’s wise to find out what kind of encryption is being used and when it’s being applied. Some cloud service providers will allow customers to encrypt their data before sending it to the cloud and retain control of the encryption keys. If an organization takes that route, it’s essential that it protect those encryption keys from compromise. It’s important to remember, though, that organizations are ultimately responsible for their data, no matter where it’s stored.
There are a number of other security considerations when preparing an enterprise for the cloud. Since compromised credentials are commonly used to break into systems, making sure some kind of two-factor authentication is in place can help lower the risk of credential compromise occurring. APIs, which are used to access cloud services from the Internet, can also be a point of attack so it’s a good idea to explore with a CSP the issues of API confidentiality, integrity, availability and accountability. In addition, organizations need to be diligent about detecting Advanced Persistent Threats to their data. Cloud service providers often have advanced systems to detect such threats, but that doesn’t let an organization off the hook for protecting its data. For example, Amazon Web Services uses what it calls a Shared Responsibility Model which advises users of its cloud services: “While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site datacenter.”
Almost every new technology for the enterprise that’s ever been introduced claims to be a cost-saver but with the cloud, an organization really does have to be prepared to save money. In a recent survey of 505 IT infrastructure decision makers from Germany, the United States and the UK released by UBS, more than one in three users reported cost savings in excess of 40 percent after year two of cloud adoption and nearly all users had savings of more than 20 percent after two years of usage. What’s more, the UBS researchers found that more than half the executives in their survey (55 percent) expected costs to remain flat or decline by 20 percent — even though they expected the price of cloud services to increase.
Cost savings from a cloud move can be maximized by optimizing the cloud services used by an organization. One way to do that is by developing a vigorous governance strategy. Governance can contribute to efficient cloud use by determining who should access a cloud service and how a cloud solution should be applied, thereby cutting down on inefficient use of resources. Another way to optimize a cloud deployment is with analytics. Cloud analytics can paint a picture of how, when, where and by whom cloud resources are being used — valuable information for improving cloud efficiency. Other ways to optimize cloud usage are to carefully choose the service set offered by your cloud provider and to architect a cost smart design.
Along with analytics, cloud monitoring platforms can also contribute to optimizing a cloud deployment by giving an IT team insight into how cloud resources are being used. By monitoring metrics like regions, instances and subnets, an organization can quickly see how cloud component failures can impact overall service delivery and address those failures.
Integrating applications is another aspect that needs to be tackled when preparing an enterprise for a cloud deployment. Integration enables applications to share data in the cloud and has a number of advantages over traditional approaches. For example, it allows users to access data in real time from any device or any Internet connection. Users can also share their personal information across a set of apps, such as calendars and contact lists. In addition, an application set can be accessed with a single login, a convenience appreciated by users; control messages can be more efficiently passed among applications; and data integrity can be maintained by avoiding data redundancy.
However, problems can arise when integrating apps with the cloud. In fact, a 2013 study by Dynamic Markets found that the use of at least one cloud app was abandoned by nearly one out of every two cloud adopters (48 percent) because of integration issues or problems associated with integration. For example, defining metadata that can be understood by both the cloud and local data centers can be a problem. That’s why it’s important to define a data integration strategy before embracing the cloud. Bandwidth considerations must also be taken into account. Moving from megabytes to gigabytes an hour is a big change and not only creates latency issues — the bane of all users — but can create cost issues as well. Bandwidth can be a very nettlesome problem if an organization is running big data apps in the cloud that are being fed operational data from the enterprise. Error-handling is another issue that will need to be addressed. When linking systems in the public cloud with those in an enterprise data center, errors are bound to happen. When they do, they need to be fixed or they could lead to data quality and availability issues. That’s also why error-handling routines need to be included in cloud-to-enterprise integration tools.
As with any great change, it’s important to make sure that knowledge is distributed efficiently and effectively among those working on a cloud move — project teams and consultants — and to those who will be working with the new cloud environment. Creation of a knowledge-transfer plan can smooth an organization’s ascent to the cloud. So, too, can working with a partner who knows how to transfer knowledge to the people in an organization who will be managing the cloud solution or, alternatively, have the capability to monitor and manage the system remotely. Depending on the size of deployment, it may be valuable to assign a “shadow” from IT to continually extract knowledge from consultants working on the project. In addition, there’ll always be cultural conflicts between internal teams and partners, but they must be identified early and managed throughout the planning and deployment process.
A knowledge transfer plan should include a comprehensive skill development and training plans. Skill development, training and filling resource gaps should be started early the transformation process. Proper training and knowledge transfer enables those working with the new system to be self-sufficient and to get the most out of the new offering. An email with instructions on how to use the new system won’t do. Workshops should be planned, as well as “hands-on” sessions, which are more effective than simple presentations. It should be kept in mind that an organization is better served by spending time and money on knowledge transfer than on incident resolution. Nevertheless, an organization may want to make the first people versed in the operation of the new system to be help desk workers because they’re going to be where the rubber meets the road when the switch is flipped and the system goes online.
Moving to the cloud is not without challenges, but with proper planning and due diligence, an organization can be ready for those challenges and overcome them with a minimum of pain.