Author Archives: Martin Dvorak

Hybrid Cloud Complexity Risks

Companies are concerned about integration of their hybrid cloud environment. Becoming a hybrid IT from the hybrid cloud, companies take the advantage of digitalization through containers, Identity Access Management, networking, security and other aspects where vendors can offer cloud solutions which support a next generation of cloud capabilities.

When companies use artificial intelligence or machine learning for their applications, it is a risk moving the whole application to the cloud. They can use these features in the cloud and download the calculated models and integrate them in their applications, i.e. in a smartphone app. A prerequisite though is that the cloud service provider offer artificial intelligence and machine learning models in their cloud.

Because the hybrid cloud is a blend of on premises infrastructure combined with cloud hosted infrastructure, it makes securing and safekeeping more complicated for companies because the different cloud service providers have different capabilities and configurations and using virtual machine instances across multiple cloud servers.

With the increasing use of the hybrid cloud, companies no longer have visibility what is internal and what is external to their systems. Companies must assess whether risks and vulnerabilities exist across servers, network, infrastructure components, and endpoints, and then continuously monitor them. In other words, companies need to be able to trust their own infrastructure as well as a cloud service provider infrastructure.

Remember that software interfaces, API’s and data transfer between a company’s own infrastructure and the cloud service provider infrastructure is one aspect. The other important thing is that by storing data and applications on the servers of the cloud service providers, companies give full trust to their providers and they have to ensure the safety and security of company’s data and applications.

The hybrid cloud should offer the benefits of public clouds, private clouds, on premises and take the advantage of the architecture in the existing data centers. It is therefore vital that IT, business and cloud service providers cooperate and align on an infrastructure that supports continuous data transfer between all of these different platforms and service providers.

Hybrid Cloud Costs Risks

Since public cloud providers can offer enormous economies of scale and automation, they can manage at a good price, however, when scaling performance, your cost per hour fee will rise which results in higher operational expenses.

With adopting to the cloud, where you do not need to invest in hardware, software and other IT infrastructures, you rather go for a pay as you need service fee by shifting from a CAPEX spending on IT hardware and software to an OPEX third party leasing spending model. However, by just moving spending from capitalization with write offs over a period to monthly service costs does not necessarily mean that you are reducing your spending.  The more complex the hybrid cloud environment is, the bigger the risk that OPEX costs could explode.

The spending predictability has become more complex and challenging. Costs need to be monitored and controlled at the whole hybrid environment, per location and globally consolidated. Focus is on monitoring bandwidth, networking and load capacity. Traffic or usage are the cost factors.

The vendor’s pricing schemes need to be translated and cost of services like getting data into the cloud and out of the cloud need to be fully understood before the Service Level Agreement is signed with the vendor. Prices vary where the data is run and stored (location based). As companies expand their cloud usage and leverage their locations infrastructure, it results in additional product and solutions which makes it more difficult to keep cost control.

With a consolidated cloud cost monitoring, companies are able to identify which parts of the company are the heavy spenders of cloud resources services and can initiate the necessary cost adjustments.

But not only that. Companies need to make sure that the services they subscribed are also used. In the Service Level Agreement, it is clearly listed for what the customer is using and paying. Companies have to make sure that they are actually using those services which they are paying for. Servers which are managed on premises can be easily switched off when not used. However, in the cloud, you do not manage servers anymore.

For example, if the IT department needs to use a virtual machine for a specific business requirement and once deployed to the production system, the data stays in the virtual machine and is not used anymore but the customer would pay for the services for this virtual machine not using. Companies need to ensure they update their policies with shutting down infrastructure not used in the hybrid cloud.

Cost risks appear when the workload moving to or from the hybrid cloud is not taking advantage of flexibility and elasticity. It is often cheaper to run stable and static workloads on premises instead in the cloud. Especially withdrawal data from the cloud to on premises applications can become expensive. In addition, moving data between different countries and locations can become expensive too.

Companies also need to compare “what-if” CAPEX scenarios against OPEX business cases. This means that you need to define an end of life service fee, calculate capital investments, maintenance and upgrade costs from your CAPEX spending and then coming up when the OPEX spending becomes higher than the CAPEX case. With this comparison, you may end or replace this service or move it back to your own on premises data centers.

Cloud technologies change rapidly with an enormous pace. Companies face a cost risk if they keep what they are doing without checking better and more cost effective solutions. Cloud providers come up with innovation quite often and companies should review their use of the cloud on a regular basis to check if there are new features or cloud services which will decrease service costs.

The number of cloud providers is also a cost factor. As easy as it is to onboard for example a new SaaS vendor, the more complex and expensive it gets to handle and integrate multiple vendors. The number of vendors should be small, however, it should not prevent companies to add a new vendor when this can solve a particular problem or business requirement.

Choosing a private cloud where you can use a dedicated cloud infrastructure, it has higher costs than using a public cloud. Whether you manage it yourself or hire a cloud service provider, and whether you host it in your data center or off-premises, you are still responsible for operating and maintaining your data center, hardware, software, security and compliance. Companies should ensure that cloud costs are transparent, knowing which services are used by whom and why, so that cost surprises get avoided. Believing that everything moving to the cloud is cheaper is an illusion.

Hybrid Cloud Risks

As hybrid clouds become more common, the complexity and related risks increase significantly.

Using just a lift and shift approach is not enough to exploit the advantages of the hybrid cloud. It takes some homework before to understand and design a cloud migration. At the beginning, it should be clarified why the new technologies are being used, what requirements result from them and who is building up or providing the necessary skills.

An extended infrastructure using on premises and cloud applications requires proper mapping and needs to be controlled to ensure business continuity combined with accurate and reliable IT systems.

Companies aim to find the best way to combine on premises applications, public cloud services, private cloud services and services from multi cloud structures. It is often not easy to adapt and change quickly to remain agile in the digital business transformation since business critical and security sensitive applications are mostly to remain on premises. The same applies to services which are regulated under law and not all services can be obtained from the cloud.

In order to adapt the business needs and choose wisely which cloud model fits best, an overall hybrid cloud operating model is required. IT departments face the risk to diverge infrastructure and applications and missing the holistic approach. For example, the infrastructure sponsors favor Microsoft’s Azure and the application sponsors favor AWS because of their artificial intelligence or machine learning capabilities.

Shadow IT Risks

An organization may end up with a multi cloud strategy by accident, via a shadow IT. That is technology adopted by business units independently of the IT department, which may subsequently be ‘reined in’ for oversight by the CIO.

Often in the past, single subsidiaries or regions choose services from the cloud on their own initiatives to transform their business more quickly. This resulted in a shadow IT, diverged from the corporate IT strategy, with a mess of different and unaligned SaaS products.

The extent of shadow IT revealed by McAfee’s 2019 Cloud Adoption and Risk Report is startling: 1,400 IT professionals in 11 countries were asked to estimate the total number of cloud services in use in their organization and came up with an average of 31. The actual average figure was 1,935:

Estimated versus actual levels of cloud service usage. Source: McAfee

At this point, companies recognize the need for a sourcing strategy. It forces you to understand why you want to go to the cloud.

No one should move a well-established on premises service to the cloud just because the cloud seems cool and modern.

There is no value if the services remain the same. The service from the cloud should contain new and transformative results which bring benefits to the customer.

Security Risks

Choosing a public cloud means less control over data security. Risks are mainly about data transfer, data leaks and data privacy. You depend on your vendor in which country and under which regulations your data is managed. All the data is travelling on the internet between the company’s network and the cloud service provider’s network. Secured channels must be ensured.

The risk analysis depends on the workloads, contractual controls with the public cloud service provider, architectural controls in the software and application environments and technical controls regarding the IT infrastructure. Just migrating to the cloud does not mean that companies become more vulnerable. It depends on the right architecture and how the cloud security tools are integrated.

The data which customers upload to the cloud is with their own responsibility. Cloud service providers take care about the cloud but not what is inside the cloud because customers configure the applications, they define access control and data sharing rules.

Companies should pay attention to the following questions before going to the public cloud:

  • Can the public cloud service provider meet the companies information security needs?
  • Does the contract with the cloud service provider and the terms and conditions ensure the companies and security standards?
  • Does the cloud service provider guarantee international governance standards such as the ISO 27000 series of security and privacy standards, especially ISO 27001 and ISO 27017 for IT security, ISO 27017 for cloud services security and ISO 27018 for cloud services related to data protection such as privacy and GDPR compliance?
  • Does the cloud service provider follow architecture standards such as ISO 17789 for the cloud computing reference architecture, ISO 18384 for SOA reference architecture, ISO 24760 for ID management architecture and ISO 29101 for privacy architecture framework?
  • In what extent is the cloud service provider liable for data leaks?
  • How does the cloud service provider handle information security for its own staff and data centers?
  • How well is the software configured where the data go to the cloud, especially when workloads are running on both private and public clouds?
  • What cloud workload protection solution does the vendor offer? What are the further protections apart from endpoint protection platforms?
  • Where do we have lack of skills to understand the new environment and architecture of the hybrid cloud?
  • Which API controls exist to monitor and regulate the data flow between on premises servers and the public cloud?
  • What kind of Hardware Security Modules (HSM) are in place to ensure trustworthiness and integrity of data in the hybrid cloud?
  • What Trusted Execution Environments (TEE) does the cloud service provider offer to ensure a secure and trusted runtime environment for applications? This relates both to cyberattacks and Identity Access Management (IAM) questions.

The biggest risk is during the migration to the cloud, however, as functions and services will change over the time, the risk analysis is a repetitive task and the international standards provide minimum audit cycle recommendations.

A high risk threat for cloud workloads is related to misconfigurations. Incorrect set up of Identity Access Management (IAM) systems and weak data transfer protocols increase cloud workload vulnerability. As the code of cloud applications change, the permission changes too and this can lead to more misconfiguration. Outside attackers focus on accessing data through phishing emails by targeting cloud workloads as they are exposed though the internet. Companies need to set up mechanism or check with vendor to detect malicious code in their productive hybrid cloud environment. Cloud workload protection is critical and the new threat model against cloud workloads is new and different from protecting on premises environments.

Companies should ensure that the security tools offered are compatible with their operating systems and other applications used from the same vendor. For example, if a company is using Microsoft’s Azure Cloud solution, they offer security tools such as Azure Active Directory, Identity Access Management (IAM) tools, encryption and network isolation services. If the customer does not run the latest Windows operating system, they cannot use the full system management capabilities offered.

Nowadays, cloud service providers respond to the risks by having such high security standards and measurers so that customers would spend much more costs and time to develop those skills and standards in house.

So it can also be seen as a benefit if the in house measures have a lower standard than what the vendor provides.

Risks and Benefits of the Hybrid Cloud

In a hybrid cloud environment, companies started to use a combination of public and private clouds that operated as separate entities but were integrated. Now, companies are expanding their hybrid cloud by more and more integrating on premises applications.

This means that in a hybrid cloud, a customer combines services from a private cloud and a public cloud by being connected through an effective WAN and is sending and sharing data between those different cloud services. The company depends on the availability of a public cloud platform from a trusted third party cloud service provider whereas a private cloud is either at the company’s premises or connected through a hosted private cloud service provider.

Hybrid cloud can include on premises data centers and the customer can still use on premises servers and manage the workloads between different environments such as the public cloud, private cloud and on premises servers.

Originally, the hybrid cloud concept was to extend capacity from a private cloud to a public cloud without using on premises servers. Today, it is a mixture of all three – private cloud, public cloud and on premises applications. This allows companies to be more flexible for deploying workloads, whether it is the best use of on premises for compliance or sensitive data reasons or achieving a higher scale for high volume and low sensitive data in the public cloud.

Depending on their IT strategies, companies tend to go for vendors offering solutions across different technology platforms such as Anthos from Google, OpenShift (Red Hat) from IBM and VMware Cloud from VMware. With this approach, companies are using tools to manage different environments by stretching down services to locations. They manage their clouds at different vendors.

The other approach is to go for vendors who more reflect what the customers already have in their data centers and it allows customers also to control their data centers. Examples are AWS Outposts from AWS, Azure Stack Hub from Microsoft or Cloud@Customer from Oracle like explained in below approach.

For example, a company uses a private cloud environment (i.e. Oracle’s Dedicated Region Cloud@Customer) for a part of its data and outsources other data to a public cloud (e.g. Microsoft Azure, AWS, Google or another public cloud service provider).

The aim is to create real business value by combining services and data from different cloud models through a consolidated, unified, automated and well managed IT environment. Companies take advantage of system interoperability and expect from a hybrid cloud to scale out and quickly provision new resources while being able to move workloads and data between the private and public cloud environments. The connection of a company on premises private cloud services with an external vendor’s public cloud services into a single infrastructure allows a company flexibility for running its applications and workloads.

Reasons to use the hybrid cloud is historically conditioned where companies started moving to the cloud and ended up in a hybrid environment. It can also be from using analytics and workloads in the cloud to using whole applications. Other reasons can be end of life of data centers which require business transformation to the hybrid cloud. Some companies only transfer some workloads into the hybrid cloud whereas other companies take the full advantage of using frameworks with calculation models, artificial intelligence and machine learning, often provided by cloud service providers or dedicated vendors.

Hybrid cloud adoption also depends whether the company is regulated such as finance, insurance and pharmaceutical companies or whether the company is already a digital native company like the ones from Silicon Valley. On the other side you will find a traditional company or a government institution which is more cautious towards the cloud.

In the past, public clouds and private clouds were easily defined by location and ownership.

Today, this became more complex:

  • Public clouds traditionally ran off-premises, but public cloud providers are now running cloud services on their clients’ on premises data centers.
  • Private clouds traditionally ran on premises, but organizations are now building private clouds on rented, vendor owned data centers located off premises.
  • Business wants to obtain services faster and easier instead of investing into hardware, building skills and having administration staff to take care of operations.

The fact that companies can get the full managed service from the cloud is a strong argument for companies for whom IT is only a tool for their core business. Nevertheless, IT has moved more to a consumption based model instead of investing in your own infrastructure. You can buy and use hybrid cloud services as you need them.

For example a company runs basic and non-sensitive workloads on the public cloud and keep business critical and security intense applications and data in the private cloud or on their premises legacy systems, both safely behind the company’s firewall where data can be send to the private cloud and vice versa. The company can leverage their SaaS application and move data between their private or data center resources. Business processes are designed as a service so that they can connect with different private and public cloud environments as though they were a single environment.

Hybrid clouds become increasingly complex infrastructures and in the meantime, companies are challenged to keep operations stable and efficient.  The question remains on how companies decide which part of their processes to manage, purchase and use. To come to the right balance, companies need to define the future state of their responsiveness and flexibility for their business, customers, partners and end users.