If you’re still thinking “private data center” and don’t have an ironclad regulatory reason for doing so, you should really ask yourself: Why?
Fewer and fewer companies are holding out. They’ve had to navigate many wants and needs, from security and regulations to enabling digital platform strategies to extending the life of existing infrastructure investments. Analysts predict that most will settle on hybrid clouds as the end game that balances the pieces.
But with so many enterprises adopting hybrid architectures, the question rears its head again: If you’re not tethered to a private data center by an immovable regulatory requirement, what’s holding you back? The obstacles may be more easily surmounted than you think.
In my work with companies navigating transitions to the cloud, I’ve found that when companies worry about hybrid, hesitancy often boils down to two main areas: data security, and latency and performance.
Latency: Quick solutions to slow clouds
Latency is a legitimate problem – users won’t tolerate slow apps! – but more and more, if you can identify potential sources of latency, you can also find a hybrid cloud option that architects around them.
Consider proximity. Digital assets exist in virtual space, but the machines hosting those assets sit in the physical world, and the bigger the distance between machines, the higher the potential for latency problems. An organization can often reduce latency simply by choosing a cloud service provider whose facilities are in the same region as the organization’s data center.
A more technical example: Suppose an enterprise wants to keep backends and APIs in its own data center while running management and analytics services in the cloud. While more cost-effective than doing everything in-house, this approach can introduce latency, as round-tripping the APIs to the cloud and back can slow down operations. For this problem, many enterprises are employing lightweight, federated cloud gateways that keep API runtimes in the data center while asynchronously pushing analytics data to the management service provider’s cloud.
Security: Focus on internal threats
So, if latency is a largely manageable issue, that means concern about hybrid clouds becomes mostly about data security. According to Gartner, “38 percent of companies who don’t plan to use the public cloud cited security and privacy as the main reasons.”
But in a July webinar presentation, Gartner Research VP Jay Heiser noted “no evidence indicates that [cloud service providers] have performed less securely than end user organizations. Quite the opposite.” He added, “Generally speaking, public cloud computing represents a more secure starting point than in-house implementations.”
This “more secure” starting point may mitigate some concerns – but it isn’t absolute. Some clouds are more equipped than others to extend corporate data centers while meeting regulatory and security requirements. It’s important to consider SLAs and redundancy agreements, and whether the provider submits to third-party audits and has been awarded industry certifications. That’s just the tip of the iceberg, of course – you should also consider whether the provider has expertise delivering to your needs and goals, whether it ever directly accesses your data, and so on. But the point is, a lot of threat mitigation in the hybrid cloud world involves proper vetting of partners.
This vetting extends to physical security, too. Our fears are often defined by remote attackers who hack into a network – but in practice, many threats involve close-proximity attacks rather than network break-ins executed from afar. Think how Stuxnet, the malware associated with knocking Iranian centrifuges offline, is believed to have spread primarily through USB flash drives, contractors and equipment compromised while in transit. Against these sorts of threats, cloud providers often possess technical resources and data center management expertise that would be difficult and expensive for many private enterprises to cultivate internally. Many top clouds boast a variety of physical, on-site security mechanisms, such as data center access limited to very few individuals via biometrics, and machines custom-built to detect whether they’re booting appropriate software.
Threat mitigation also requires that companies take seriously the role of internal threats. Some of these involve nefarious intent, such as an ex-employee stealing intellectual property, but many stem from simple user error, such as sloppy password management or susceptibility to phishing scams. Indeed, Gartner predicts that through 2020, 95 percent of cloud security failures “will be the customer’s fault.” The takeaway is that many of the threats perceived around cloud have little or nothing to do with vulnerabilities intrinsic to the technology itself – and much more to do with a company’s internal security and governance processes.
CSPs Run on user trust
A final note: Successful cloud service provider models are almost necessarily built on a foundation of preserving user trust – an unspoken contract that manifests in CSP reliability and security investments whose scale exceeds what most in-house operations are capable of.
As cloud providers have continued to earn this user trust, they’ve demonstrated that many of potential customers’ most pressing fears involve abstract anxiety as much as – or more than – demonstrated dangers. The majority of organizations are now embracing the cloud, especially hybrid flavors, as they’ve realized key concerns may be more manageable than anticipated – which again begs the question of those still holding out: Why?