Safe in the cloud? The Devil is in the Detail by James Forbes-May, VP of APAC Sales, Barracuda Networks
Moving business applications to cloud brings with it many benefits. In medium enterprises it is often a business driven decision rather than an IT driven decision to make the move to cloud.
If you look at the business case, on the surface it looks very clear cut. In medium enterprises IT staff tend to be stretched much too far, taking responsibility for all aspects of IT as opposed to large enterprises where IT has the luxury of specialists: the network guy, the server guy, the backup guy etc.
Moving infrastructure and applications to cloud means that the generalist IT professional can focus on managing the cloud provider and enhancing quality of IT services back to the business. Instead of fixing problems with a band aid , cloud enables IT professionals to focus on enhancing IT to support the business much better. As an example once email is managed by a cloud provider, there is still some admin for your in house IT people to do, but it is massively reduced. Instead they can turn their attention to things like adding relevant productivity applications to compliment your email system and help improve business productivity
This sounds like a utopia, and done correctly it can really deliver amazing benefits. However, the done correctly part is critical.
One of the biggest potential pot holes is what I have to refer to as “blissful ignorance”. Once people cross the hurdle and move onto cloud, its amazing how quickly they get comfortable with it. Far too many IT and business executives make a very dangerous assumption. It equates to “Cloud doesn’t fail, and my data must be secure because the cloud provider does everything so well.” It's the out of sight out of mind mentality. Fundamentally it's still your data and still your responsibility.
In my view this is one of the big “gotchas” of cloud. Executives enter into the contracts in the same way they did with shrink wrapped software of old. No-one ever read the license before they tear open the cover. Because Cloud usually has no or very limited tie in, companies click the license without due diligence, in the belief that if they don’t like the service they can just drop back out of the cloud. Again, it’s a great model, but here is the bit that far too many people miss – Service levels on data security and protection.
In my role as VP of Asia Pacific Sales at Barracuda I unfortunately come across far too many people that did not check these SLA’s and have had cause to be very shocked when something goes wrong. In many cases cloud provider contracts absolve them of anything other than making best effort to secure and protect your data. Put another way that means if your data gets hacked or lost or deleted and cannot be recovered, the only obligation on your cloud provider would be to say “We are really sorry, we tried hard to stop that happening but hey that’s life!”
Bottom line is putting your data and applications with cloud service providers means variable risk when it comes to protection and security. When your data is on premise your IT manager knows it’s his responsibility to keep it safe. When it moves to the cloud you might think the cloud provider takes on that responsibility, but contractually they may well be finding ways to reduce or even eliminate it.
I see part of my role at Barracuda is to ensure business executives understand these liabilities and of course advise how Barracuda can assist.
Our approach is simple, outsource the work, reduce your CAPEX but be actively involved to retain ownership of your data security and protection. Make the necessary investment to compliment the data security and protection offered by your selected Cloud Provider, challenge them, ask them the products they are using to protect your data in the cloud. With an on premise solution you select best of breed based on the budget you have access to, so why should the cloud be any different?