By John Iliadis, PhD, CISSP-ISSMP, CMgr MCMI, CRISC. John is an IT Infrastructure Manager; he also serves as a Board Member of (ISC)² Hellenic Chapter. Opinions expressed herein do not express the views or opinions of any third party or employer.
Cloud migrations probably evoke love and hate at the same time in most cybersecurity professionals. Going cloud (or not) presents a kind of dilemma that was first expressed some 400 years ago. Hamlet was the first one to voice it: To Cloud or Not to Cloud?
The past ten years have been a turbulent period. Global financial crises emerged, while the Great Digital Transformer (aka COVID-19) doesn’t want to part company with us; at least not yet. “The greatest danger in times of turbulence is not the turbulence; it is to act with yesterday’s logic,” according to P. Drucker. During this turbulent period, we seek the holy grail of business transformation, adapting our logic to current, emerging needs.
This is probably why cloud has come to attract so much attention; it seems to provide a unique transformation opportunity. The year 2020 was the first time cloud spending surpassed, by a lot, on-premises spending.
Are there any side effects to our newfound love for cloud? There’s a concise (ISC)² article about that. Key points: according to Trustwave research, the volume of attacks targeting cloud services more than doubled, while according to a Tripwire survey, 76% of participants said it’s difficult to maintain secure configurations in the cloud. Besides that, a shortage of qualified people in cloud security is proving to be a large impediment to cloud adoption. These issues should probably be factored into the decision of going cloud, especially during a period when cyber risks surpass even the types of lending and liquidity risks that led to the Great Recession in 2008, according to Federal Reserve Chairman Jerome Powell.
To confront some of these issues, enterprises have started requiring cloud security certifications, like the CCSP from (ISC)², for certain security roles within the organization. At the same time, the top area of professional development that cybersecurity professionals are pursuing is cloud security.
What’s interesting, if not bizarre, is the fact that there are organizations that return to the on-premises world, cutting short their public cloud journey. There are no hard facts to identify, beyond a shadow of a doubt, the root causes for this return to on-premises. However, such business moves could be attributed to not-so-informed decisions about going cloud, which inadvertently create unpredictable OpEx costs while market value is lost due to the cloud's impact on margins.
We have probably been treating public cloud as a panacea, while in fact public cloud is only a means to an end. An organization has to decide first what the business goal is and then decide on the means to achieve it. For any organization, public cloud is like any other infrastructure investment; it’s a tool, like a screwdriver, that can be used to serve a specific, predetermined (business) purpose.
Before embarking on a public cloud journey, a business case must be agreed upon, taking into consideration strategy, risks, TCO, ROI, etc. Cloud providers have even formed detailed adoption frameworks to prevent customer churn, and nudge organizations towards following said frameworks to the letter. These adoption frameworks can be used while the business case is drafted, to investigate whether public cloud is the right tool one should use as a means to achieve the business goals that have been set.
If there’s a solid business case that takes into consideration factors like the aforementioned, public cloud can potentially be transformed from a simple tool to an opportunity that must be exploited and a strength that must be leveraged. If no such business case exists, public cloud is just another tool. Even worse, it can become a threat and a weakness for the organization that will embark on a public cloud journey, having exercised cloudy judgment with no due diligence.
Perhaps Hamlet was wrong; there is no cloud dilemma after all.