The cloud is not the answer to all business technology questions

In the last few years there has been an increasing hype regarding cloud-based offerings, from outsourcing the office file or mail server to powering entire complex web sites, collaboration and outsourcing of voice over IP, CRM, and even  providing off-site backup services.  The term cloud has come to mean just about anything not on your local network.  The broadening definition combined with the reduction of reliability, security and accountability is a troubling trend, to say the least.

What is a cloud?

Let’s start with the basics.  Just what is a cloud?   The cloud actually used to be a graphical cloudcomponent of classic network diagrams to show areas of a network that were either very complex or untrusted (such as data traveling over the Internet vs. a local trusted network).    More recently the definition has expanded (and changed substantially).   A cloud is in essence a cluster of servers whereby the user is given limited access to accomplish a specific function or task.   A cloud can be something as simple as a single server off-site or something as complex as a data center full of servers hosting a product like Facebook.  The problem is the term cloud doesn’t really mean anything specific because it has come to encompass so many products and services.  As a result of this dilution the definition of what exactly a cloud is cannot be described other than what I mentioned above.

What isn’t a cloud?

That’s a great question.  Dedicated servers where the administrators have granular control are not considered part of the cloud  In addition we consider our local network infrastructure (switches, routers, workstations, servers and other equipment on the premises) to not be part of a cloud.  These localized components are not part of the ethereal infrastructure that is considered ‘cloud computing,’ as they have key distinguishing features that allow them to be more closely governed.  A subject we’ll talk about in more detail later in this article.  So in a nutshell the cloud is not anything you can see, touch or gain low level access to (local network components or part of a dedicated hosting system).

What are the advantages of the cloud?

The biggest advantage, and perhaps the only real advantage, is cost.  One can certainly get more and pay less using so-called cloud services.  Part of this is the theory regarding economies of scale.  Most cloud providers buy large amounts of computing power, divvy it up among their clients and keep the difference as a profit margin.  The cloud may also be beneficial for content distribution.  Let’s say you have a company whose web site is hosted on the East coast, but they have customers in Europe, West coast USA, etc.  Having a content distribution network closer to your customer could improve their web experience.  The cloud can also be useful for redundancy.  Extra DNS, e-mail and other services can be run as backups through cloud-based solutions to improve reliability.  The cloud, when used responsibly, can be beneficial.

What are the disadvantages of the cloud?Modern-Data-Center

The saying you get what you pay for rings true here.  Let’s say, as an example, you’re using a cloud server to run a website selling widgets for ABC company.  One day ABC company’s  cloud server gets hacked, the website defaced and the original content destroyed.  Because the majority (if not all) of cloud providers have minimal if any accountability or audit trail, it may prove impossible to review logs and determine where the hack came from, what may have been stolen or if the security issue was a fault of the provider or the server administrator.  There is, in essence, a lack of transparency.

This is compounded by a lack of security because when one is running their services in a shared hosting environment (which the cloud is, hence the lower prices) there is absolutely no guarantee of security in terms of your data being hidden from prying eyes, being manipulated or even erased.  Indeed, ABC company’s widget website could have been compromised by an insecurity in the virtualization software, rather than a fault of the server admin.  But ABC company will never know because their cloud host didn’t keep such records (a common practice to reduce storage costs and computing overhead).

But the disadvantages unfortunately do not stop there.  Another large problem for cloud-based services is reliability.  Not only have there been numerous reports of crippling outages, but there have also been widely publicized reports about data getting lost and the providers either not willing or able to find it.  These issues have occurred within major cloud providers and have proved to undermine trust of those effected.

Is your business protected?

Finally, another significant disadvantage is bottlenecks.  There’s a reason we have local area networks, and that is for efficiency, security and speed transferring data back and fourth.  Once we move a local office to using the cloud to share files back and fourth all of a sudden what used to be a local, quick operation turns in to a journey.  The data that once traveled within the confines of the same office now has to go out to the (untrusted) Internet, potentially exposing the contents of whatever is being shared, and then get routed to your cloud provider, back through the Internet to your office.  This problem produces a number of potential bandwidth bottlenecks that can hinder performance and also expose sensitive data.

Is there any recourse when your cloud service is hacked or data is lost?

In a word, no.  There generally is not.  Most of the service level agreements stipulate limited liability when it comes to uptime (reliability), security and data continuity.  This means that even though you are a paying customer, you may not have any guarantees about the service you have subscribed to.  To analyze a hack a good forensic information security expert needs access to logs, direct access to the server and the ability to have granular control of the server’s functionality (i.e. single user boot, kernel debugging, hardware interface access, BIOS/firmware access, etc).  Most of the time this functionality is not enabled for cloud servers.  Thus limiting both proactive and responsive measures regarding information security.

Imagine if you are an attorney, accountant, doctor or another profession that needs to keep your client’s data private.  How can your firm claim to do that while hosting the data in an environment where there is absolutely no guarantee of privacy, security or accessibility?  What happens if one day your cloud service is down and you cannot access client records?  Worse yet, what happens if it is hacked and all your accounting recordss are made available to extortionist hackers?  None of these are far fetched situations.  In fact, they occur on a routine basis.

What are the alternatives?

It’s curious, really, that one day some genius marketing and sales folks conjured up the term “cloud” and all of a sudden IT had to drop everything and adapt to this new paradigm.  The reality is that the alternatives are the solutions we’ve relied on for previous years — and worked well.  Hosting a server (either locally or dedicated through a hosting company) where you have greater control of its security, backing up its contents, troubleshooting it should a problem arise, is a good bet for an established company that needs reliable access to their data.rack_server

A number of my clients maintain local file servers, host their own dedicated servers or otherwise avoid the cloud, maintaining a higher degree of security, granular control of their servers and better reliability for themselves and their customers.  We assist in these endeavors by providing consulting to ensure their configuration is redundant (backed up / fault tolerant), secure and stable.  This approach gives them a guarantee of business continuity because they have control of their technology assets.

Final thoughts

I believe that the term “cloud” has become too broad, and encompasses too many products and services.  On top of that, I feel strongly that the cloud, as it exists now, is not secure, reliable or robust enough to be marketed as the best solution for all problems.  I do believe cloud-based services have a place in the information technology professional’s repository, but they shouldn’t always be the first destination and sometimes they shouldn’t even be considered at all.

Posted in Cloud, cybersecurity.