Enterprises continue to flock to the cloud, anxious to eliminate huge capital expenses in data centers -- but should we demand more from cloud providers?
It’s no secret that cloud services providers are prime targets for hackers, and that they can also make mistakes that invite security breaches and data theft.
In 2020, disgruntled Amazon employees released a number of Amazon customer email addresses to third parties. In 2021, Microsoft warned thousands of its Azure cloud computing customers about a vulnerability that left their data completely exposed for the last two years.
Stop the breaches!
Many cloud providers include disclaimers in their contracts for any data loss that clients might experience. If you are a small or mid-sized company, you don't have much leverage to renegotiate these boilerplate provisions, so you are left in a position of both trusting the cloud provider and hoping that your data isn't exposed.
It wasn’t that long ago that a public cloud provider shared with me that cloud services platforms were notorious for shortcutting on security and governance practices. So where does that leave their clients?
One step cloud users can take is to ensure that their own liability insurance covers a data breach incident on the cloud. Another step is to thoroughly review a cloud provider’s guarantees on security and governance before entering into any contract. A third step is to play a more active role in managing and enforcing your own security and governance over your IT assets in the cloud.
All of these steps assist in bullet-proofing cloud users from the cloud security breaches that could occur in the future.
The message for cloud providers is to improve their security and governance practices so clients can feel more comfortable.
Help me know what I'm paying for
The complexity of cloud pricing models can make CIOs long for the days of the internal data center with its fixed, discretionary and amortized costs.
“Let’s take a look at AWS Lambda as an example,” said Shanks. “Imagine you have a web application using the CloudFront CDN [content delivery network]. When a user interacts with the application it triggers a HTTP request through an API gateway that invokes a Lambda function that takes in the data and stores it in DynamoDB.
The requirement here seems quite straightforward. However, you're now consuming four AWS cloud services: CloudFront CDN for caching, API Gateway for routing the HTTP requests, Lambda for execution and handling the request, and DynamoDB for storing data based on that request made by the user. Each of these has its own pricing structure, with some free tiers mixed in.”
Needless to say, it’s difficult to decipher the bill and to understand what you’re really paying for -- and it’s a major reason why one-third of companies are overrunning their cloud budgets by 40%.
Cloud services providers should simplify billings so clients know what they are paying for and can make informed decisions at budget time.
“The process for managing a cloud budget as it stands wastes tons of time and resources,” said Shanks. “It’s riddled with frustrations and inefficiencies that are damaging to morale and the operation of teams.”
How can I manage my own resources?
Many organizations offload resources to the cloud and then let cloud services providers manage these resources. When companies make these decisions, they have no guarantee that the cloud provider will manage their resources with the same best practice and security/governance guidelines that the companies would use themselves if they managed these resources in-house.
“I don't know why companies complain about this,” said one major cloud provider spokesperson to me in this year. “If our clients looked at all of the ways and tools that we give them in the cloud to manage their own security and governance and took advantage of these tools, there wouldn’t be a problem.”
The spokesperson is right. There isn't a single major cloud platform that doesn’t offer a plethora of security and governance tools that clients can use.
The problem is many cloud clients aren’t aware of these tools.
Cloud providers can help by discussing the security and governance tools that are available to clients at the time that contracts are entered into or renewed.
What if I change clouds?
Hybrid computing, characterized by a mix of on-premises IT and multiple clouds, is here to stay. Within this fluid environment, it will be necessary for companies to move from cloud to cloud and in some cases, to terminate cloud services.
The challenge here for companies is the same challenge that they faced whenever computer “brands” are changed: vendor lock-in.
Companies can help themselves by continuously backing up data that they cloud-host, so they have a current copy of the data that is non-cloud-resident; or by ensuring that multiple copies of the same data are on multiple cloud platforms. For this strategy to work, data must be kept in a standard data format that most clouds understand.
As for cloud providers, it is to their advantage to coexist with other cloud platforms, because their clients certainly will.