In our line of work, we see how the true cloud offers unrivalled power, security and flexibility to businesses – but we also see how the cloud is probably one of the most over-hyped and misrepresented technology innovations we are ever likely to encounter. The popularity of the term “cloud” and its frequent inappropriate use have caused a lot of confusion, and have even given rise to the term “cloud washing”.
Following on from Mark Loane’s post “Secure your future in the cloud” in 2015, it’s clear that confusion still remains, particularly in the primary jurisdictions that we operate in – Jersey and Guernsey.
This blog aims to highlight and debunk the myths that we encounter the most – and everything is backed up by credible, third-party sources, so you don’t just have to take my word for it!
Myth 1: Your data is less secure in the cloud
This is an easy myth to dispel; the sheer amount of financial, technological and human resources that the large public cloud providers have at their disposal means that their data security far surpasses the vast majority of on-premises options.
For example, Microsoft hires teams of ‘hackers’ to constantly ‘attack’ their cloud for vulnerabilities, a process they call red teaming. This ensures their cloud security is constantly being tested and updated by the best in the world. They describe this process as “the data protection equivalent of hiring a UFC fighter to attack you at random, unexpected times… It’s saying: Let’s assume the worst and act accordingly. Because even if you never get invaded, it’s nice to know the army is training for every possible scenario.”
A private cloud usually consists of bespoke infrastructure developed and managed for your business either by a local data centre or in-house.
In the above example, private clouds are either On Premises or Infrastructure as a Service.
Technically, the term “cloud” could be used for either an On Premises environment or a hosted environment; however, there are significant differences between anything hosted on-premises or in a private cloud in a local data centre, and the public cloud.
The following table lists the differences between hosting on-island in a private cloud, and, for example, in Microsoft’s Azure and/or Office 365 public clouds:
| Area | On-premises or locally hosted | Microsoft Azure or Office 365 |
|---|---|---|
| Elasticity – ability to scale | Limited to the hardware originally specified and/or capabilities of the virtualisation software | Unlimited |
| Compliance | Difficult and/or expensive to achieve compliance with certain standards. | Compliant with ISO 27001, EU Model Clauses, HIPAA BAA, and FISMA |
| Security | Reliance on security professionals conducting regular checks, penetration tests, patching of servers and firewalls. Expensive to maintain Multi-Factor Authentication. | Dedicated teams maintaining the highest possible levels of security by default. Multi-Factor Authentication available for free or cost-effectively. |
| Cost | A lot more expensive | A lot cheaper |
| Patching | Requires regular maintenance and downtime | Included by default in the majority of cases (all SaaS options and most IaaS options) |
| Data Protection | Risk assessment | Risk assessment |
| Availability | Requires significant investment to achieve 99.9% availability | Financially-backed 99.9%+ availability for the majority of services. Uptime reports for Microsoft are available which demonstrate a higher than 99.9% availability for the past 2 years. |
Myth 5: Data in the cloud is easier for law enforcement to access
There is a common misconception that if data is stored with Microsoft, for example, law enforcement agencies can easily snoop on it.
Microsoft in particular is extremely transparent about requests for access to data by law enforcement; the numbers are quite surprising, published in the Transparency Hub:
“How many enterprise cloud customers were impacted by law enforcement requests?
In the second half of 2015, Microsoft received fourteen requests from law enforcement for thirty-five accounts associated with enterprise cloud customers. In nine cases, the requests were rejected or law enforcement was successfully redirected to the customer. In four cases Microsoft was compelled to provide responsive information regarding five accounts to law enforcement. One case is still outstanding and pending a resolution.”
As can be seen from the numbers above, the vast majority of law enforcement requests and disclosures do not relate to enterprise customers – they are related to consumer services (e.g. Hotmail, Xbox, consumer Skype services) as opposed to Azure, Office 365, CRM Online etc:
“What is the difference between a consumer and an enterprise customer?
A consumer service is generally one subscribed to and used by an individual in his or her personal capacity. Some examples include Hotmail/Outlook.com, OneDrive (which was previously called SkyDrive), Xbox Live and Skype. For purposes of this report, “enterprise customer” generally includes those organizations or entities (commercial, government or educational) that purchase more than 50 “seats” for one of our commercial cloud offerings, such as Office 365, Azure and Exchange Online and CRM Online.”
In procuring any service, whether technology-related or not, it is sensible to conduct due diligence.
The unfortunate common practice of cloud washing makes this due diligence a little more difficult to undertake; however, with the myths dispelled in this blog, those choices will hopefully be better informed and a little easier to make. Microsoft has also published a list of 10 questions, “Top questions you should ask a cloud service provider when you are considering the cloud for your IT services”, which may help you assess the options and conduct due diligence on all of them.
As always, if your business is going through any changes and you’re exploring your cloud options, don’t hesitate to get in touch at Aonghus.Fraser@c5alliance.com.