Cloud … the rushed migration every enterprise is racing towards!

Awanthika Senarath
Feb 4, 2021

Cloud… everyone wants to be in it, everyone wants it on their CV, and everyone knows they probably won’t survive the next decade without it. Everyone is rushing into cloud, trying not to be too late to join the elite club and not to miss out.

Why is cloud such a hyped-up concept?

Prior to cloud, every organisation hosted its own infrastructure, stored its services and data on its own servers, maintained them, monitored them, patched them and kept them running. I doubt anyone will know, in another 5–10 years, the trouble of purchasing a server, transporting it to your facility, and building a room with the optimal temperature and humidity to install it in! It consumes a lot of manpower, a lot of money and a lot of overhead that does not go well with the rapid changes businesses need to go through to keep running.

Cloud takes the bulk of the enterprise IT management overhead away from an organisation. With cloud, you don’t need to manage and maintain your own servers. You can simply rent a server in the cloud, use it for as long as you want and then decommission it. The best part is that you only pay for the duration for which you used the server and the portion of the server you used. Sounds interesting, doesn’t it? But just as every good thing has its risks, cloud too comes with its own share of risks. While these risks are definitely less than those of running your own servers in-house, if they are not managed properly the consequences could be devastating.

Because when you use cloud, “your data leaves your organisation!!”

You are handing your baby over to someone else! When you do that, you need to carefully evaluate the external entity (the cloud provider), and you need to understand the ‘shared responsibility model’, which states who is responsible for what. You need to be confident beyond doubt that the cloud provider is competent enough to handle their portion of the responsibility, and that you are competent and ready to take on your portion. Therefore, when using cloud, your legwork in provisioning, running and maintaining your own servers reduces, but your workload increases elsewhere: you need to define policies, do risk analysis, perform meticulous planning and recruit a competent workforce that knows how to handle these newfound risks! (The shift in the skills required of employees for the new millennium finally makes sense, doesn’t it?)

So where does cloud governance fit in? Cloud governance is a set of rules that defines and prescribes how you define and manage cloud in your enterprise. It is a framework in which you define your policies, your practices and the standards you want to follow. It determines the guidelines you want your employees to follow and the minimum expectations you have of your systems. It defines how you perform the risk analysis, and how you understand and determine what is important to you in moving onto cloud. It defines how you implement and configure the way you use cloud to achieve what you want with it. Is it the availability of your information and services for your internal staff and clients? Or is it the confidentiality of your information? Or is it the integrity of your information? When you ask these questions, it must be obvious to you that there are some unavoidable trade-offs across these three principles. When you make your data readily available, you will have to compromise confidentiality and integrity to a certain extent. When you make your data extremely confidential, that hinders easy access to your data. That is why you need to carefully draft your cloud governance policy. While it is of utmost importance that you move your enterprise IT infrastructure to cloud to reduce cost, you need to take your time and plan well to ensure that you do it right.

After all, understanding which of these three principles is most important to you has nothing to do with cloud; even without cloud, your internal infrastructure needs to be implemented in a way that aligns with your business requirements. But with cloud, it is imperative that you understand your grounds, your basics, and the most critical aspect of your business, because if you lose what you need the most in cloud, the results could be devastating and irreversible. Imagine that confidentiality is the most important aspect for you. Then imagine you lose a good portion of your data in the cloud, on some server located somewhere on the other side of the planet that could be accessed by just anyone! It is way more serious than losing a hard disk within the office. You cannot lock your gates and ask your security guards to search everyone who exits the building to ensure your data doesn’t get into the hands of unwanted parties!

So, take your time and sit down with your senior employees who are aware of your business. Think about what you would lose when you shift your point of operation within the triangle of confidentiality, integrity and availability towards the principle you believe to be most important. Determine your balance. Then draft your policies around it. If you are willing to accept some risks in availability to achieve confidentiality, make sure you define a tolerable service downtime and a tolerable delay to access information, and that your policies on encryption and data storage are capable of providing data within the delay you are willing to accept.

While this sounds pretty simple and basic, it is the fundamental principle on which all your cloud governance policies are going to be based. If you miss this fundamental analysis and make your move to cloud, a few years down the line it will be too late, with all your policies and processes in place driving your business in another direction! That is because when you determine one of the CIA principles to be important to you, you base all your policies on ensuring that principle is achieved at the cost of the others, and compromises on the other principles are expected to be tolerated and to be acceptable within your business environment. Your clients’, business partners’ and internal stakeholders’ requirements need to align with it. The future of your business is going to depend on it. Your business strategy is going to develop based on it.

Once the point of operation within the CIA principles (confidentiality, integrity and availability) is determined, the next step is building the cloud governance model. Your security and privacy controls need to be developed accordingly, your monitoring strategies and escalation policies need to be crafted accordingly, and finally your employees need to be recruited and trained accordingly.

This is going to transform your business. So take the opportunity and make the transition right! Take your time! Think thoroughly! Involve competent people! A good balance between experienced staff who know your business and knowledgeable staff who know the legal and technical background of information security and cloud is required to make these decisions. No matter how big or small the business is, taking the steps slowly and making the transition carefully will ensure that you can proudly say “I’m using cloud” and know that you are getting the maximum benefit out of it!

Awanthika Senarath

I am a cloud governance enthusiast. I believe in clearly defined, practical and realistic governance policies that help businesses to grow!