Last year, I was asked to co-write a book with Ravi Das on risks and data protection in the public Cloud. I saw this as an interesting opportunity: for a start, I’d never co-authored a book, so that would be a new approach to writing I didn’t have experience in. More importantly, it let me delve deeper on a variety of topics to deal with protecting data in a public cloud, or leveraging public cloud to supplement data protection. It was also very much an interesting excursion into some of the risks and considerations businesses have to pay attention to before even moving a workload into a public cloud (or for that matter, creating a workload there).
I don’t believe public cloud is for every workload in every situation. There is undoubtedly a cheap drip-drip-drip approach to public cloud spending which can make it seem cheaper at times – a $3,000,000 up-front capital purchase for infrastructure intended to last at least three years may be difficult to bear, but $102,000 a month over 36 months, even while it’s more expensive in the long run, might be something the business can do.
Companies that lose big on public Cloud do so for one or more of three key reasons:
- Not adopting an appropriate architecture when putting workloads in the Cloud
- Not appropriately securing workloads in the Cloud
- Not appropriately protecting workloads in the Cloud
Businesses have literally blown through an entire year’s IT budget in a few months of run-time in public Cloud – those stories are well known in the IT industry but obviously few companies go on the record to admit such a mistake. How does that happen? Lift and shift. That’s where the assumption is made that just because you can run the workload virtualized on-premises, you can run it virtualized in the Cloud. Yes you can, of course, but if it’s not optimized for running in the Cloud, it’s going to be costly. Consider for instance, email services: how many businesses virtualize their Exchange services and run them in AWS or Azure? More likely a business that’s thinking of moving email into the public cloud will instead subscribe to Office 365 – that way they don’t have to manage all the fiddly bits. The fiddly bits cost you time and money.
Your systems need to be secured wherever they are, of course, but when your workload is running somewhere that you don’t have physical systems control, there should be another layer of paranoia than you might exhibit otherwise in your own datacenters. (You might get undressed at home with a fair assumption of privacy and security, but if you’re going to get undressed in a store to try on some clothes, you need to do it a little more carefully.) There are always new security breaches coming out, there’s always new privacy breaches happening. Governments are tightening their requirements around breach reporting, but they’re hardly any better themselves. Billions of personal records world-wide are exposed every year just by companies failing to apply appropriate security standards for data they place in a public cloud. What’s more: Stop—before you put that workload in a public cloud, have you even considered whether it’s legal to do so?
And the big furphy of course is that by putting your data in public cloud, it’ll be protected. Spoiler alert: if you don’t do anything to protect it, no-one else well.
That’s where Protecting Information Assets and IT Infrastructure in the Cloud comes in. You’ve either got workloads in public Cloud now, or you’re contemplating it. What risks are there for your business? If you’re not thinking about things like data privacy and sovereignty for anything you’ve got in the public cloud, you probably need to step back and do some checking. Why can’t you just rely on the public cloud provider to make sure your data is OK, once it’s out there?
If you’re interested in understanding a bit more about data protection considerations for workloads in public cloud, you can buy the book from Amazon and the publisher, CRC Press.
So that’s three books, now. I guess that means I might know a thing or two about data protection, right?