It’s Not Always Sunny in Cloud Computing: A Look At The Risks
With so many organizations moving to some type of cloud model, we’ve been able to gain greater visibility into the design, maintenance and security of cloud computing. A well-planned cloud deployment can serve a company very well. To accomplish this, there has to be thorough planning and a solid use-case for moving towards a cloud platform.
Steering Clear of Drawbacks
Unfortunately, there are some issues to manage in the cloud model. Truth be told, there are still some inherent drawbacks and weaknesses to a cloud model’s security or design. Not everyone utilizes cloud best practices. And, expecting too much from a cloud provider can lead to overuse and improper utilization of cloud resources. The bottom line: it’s not always sunny in the cloud computing world.
Although we’ve come a long way with cloud design, there are still some concerns and issues to overcome. There are so many moving parts that create a cloud environment that sometimes, not all of the pieces fit together entirely well. In looking at cloud computing, consider some of the following dangers and cautions.
- Security. This is still absolutely an issue. In fact, it’s a growing issue. As cloud computing becomes more popular, cloud infrastructure will become the target of more malicious attacks. No single environment is safe and every infrastructure must be controlled with set policies in place. Take Dropbox, for example, which recently had a security breach which forced people to rethink just how secure the cloud really is.
- Data loss. Allowing users to get into the cloud is one thing. Accessing applications through a cloud model is a powerful way to allow end-users to work remotely. However, what happens when users start uploading files to the cloud? Many organizations don’t have a Data Loss Prevention (DLP) system plan in place. This means that a user, even non-maliciously, might post some information or upload a file which can contain sensitive company information to a less secure environment.
- Outages. Many organizations view the cloud as a truly distributed model with multiple redundancies built in to maintain the highest uptime possible. Well, these organizations aren’t quite correct. No entity is 100 percent safe from some type of disaster or emergency. In fact, a powerful storm in June knocked out an entire data center which was owned by Amazon. What was hosted in that data center? Amazon Web Services. All affected AWS businesses in that data center were effectively down. Cloud-centric companies like Instagram, Netflix and Pinterest were all made production-ineffective for over six hours. To paint a clearer picture, there was a recent study conducted by the International Working Group on Cloud Computing Resiliency. This report showed that since 2007, about 568 hours were logged as downtime between 13 major cloud carriers. This has, so far, cost the customer base about $72 million.
- Learning curve. Cloud computing isn’t easy. That’s why we’ve seen such a huge jump in demand for cloud computing architects and engineers. (See 2013: The Year of the Cloud Architect.) Building a successful cloud model takes knowledge around multiple technological disciplines. Once that plan is in place, however, managing it also can be an issue. Working with private cloud technologies with an untrained staff is certainly not a good idea. However, even in the public cloud, organizations need to know what their infrastructure is doing and how it’s operating. “It’s working” isn’t an excuse not to understand the details of a given cloud model.
- Vendor lock-in. This problem extends well beyond cloud computing, but it can still be an issue. Migrating a cloud environment from one vendor or provider to another can be a very tricky business. Furthermore, not many organizations actually think about this step until they’ve outgrown their current environment and are in trouble. Planning a cloud environment must include some future thought. Where will the business be 3-5 years from now and can the current provider support that growth? Still, in the future, the migration process looks to become simpler with better migration strategies and more powerful cloud APIs.
- Compliance. This is certainly an issue for many organizations. Relatively open public cloud technologies like Dropbox are considered a big no-no for compliance-driven companies. This is why the rise of other technologies with increased security like ShareFile can be seen. These new models are trying to help the enterprise company by storing “cloud” data both on premises and remotely. Creating zones for data means that the information not only stays in the country – it can be configured to stay in the state. So, users can still have a “Dropbox-like” experience, but have the environment be on-premises. The other issue is that many providers aren’t too keen on penetration testing within the cloud environment. The problem there is that conducting a “pen-test” is one of the requirements to be PCI compliant. So, organizations have to look for community or hybrid cloud models to stay compliant – and this can be more expensive. Similarly, regulations around FISMA, HIPAA and SOX can potentially lock a lot of cloud providers out of the mix. Still, there are a few, like Rackspace, who are in fact, PCI-compliant because of their unique cloud model.
There have been many, many articles touting the power of the cloud. They’re right. However, every organization must consider the downside of moving towards a cloud model. The idea is to understand your current environment and see how components of it will behave in the cloud. Even when designing a business continuity plan or a DR environment with the cloud in mind – treat it like any other IT infrastructure. This means using best practices, working closely with security teams, and maintaining constant control and visibility over the entire environment.
Although there are some cautions around cloud computing, public and private cloud environments can still be a powerful tool for your enterprise. Still, like any technology there needs to be due diligence in the planning, deployment and control of any cloud initiative.