According to one of the Deloitte reports, Cloud has ranked No. 1 amongst emerging technologies for the past 3 consecutive years. The COVID-19 effect pushed the digitization wave further, making Cloud even more prominent. With this, even highly regulated industries such as Financial Services and Pharmaceuticals are now keen on Cloud adoption.
The key questions that we keep hearing are:
Is Cloud as secure as our on-premise Data Centers?
Can we trust a third party in storing sensitive data?
How do we ensure compliance with regulations such as GDPR (General Data Protection Regulation)?
To answer these questions, we need to look at the following key factors:
Is the migration to Cloud carefully crafted: When you are migrating from your on-premise Data Center to a cloud service, rearchitecting your IT set-up is a must-have. If you have done a “lift and shift” Cloud migration, there is a real possibility that your on-premise Data Center was more secure than your Cloud set-up. In addition, the Cloud migration, as well as any new applications set up on Cloud, needs to be placed under well-crafted Governance.
Cloud vendor reputation: Although it is hard to inspect a public cloud vendor physically, third-party attestations are available, typically under NDA (Non-disclosure agreement), for assessment ahead of vendor selection. Organizations need to perform due diligence on vendor sustainability from financial, technical and regulatory aspects to ensure that security aspects are covered. You also need to check whether the selected vendor covers the major regulations. Please do note that even if the vendor services (such as Infrastructure as a Service) are covered under a regulation (for example GDPR, HIPAA etc.), the applications you build must also comply with the applicable regulation. Pass-through coverage applies only as far as your applications are built on top of covered infrastructure and themselves adhere to the specific applicable regulations.
What do you want to store in Cloud: Data classification should be used to determine whether certain types of data may leave your premises (or country), so that risk exposure stays within an acceptable tolerance. For example, business services offered in certain countries require you to store data within the country's borders. In this case, you might have to look for in-country hosting or set up your own in-country Data Center.
The answer to the question of whether a Cloud set-up is secure or an on-premise Data Center is the better choice depends on business requirements as well as design aspects. While this goes back to a broader strategy aligned to the overall corporate strategy, multiple considerations need to be taken into account to arrive at the decision. For example, Cloud could be the first choice from an organization-wide IT strategy. Is that the reason why you are migrating to Cloud, or is it cost considerations, or is it for time-to-market reasons?

Once we have made up our minds for the Cloud migration, the next step is to finalise the approach. There will always be time pressure as well as a push to retain the status quo. This is where we need to be extremely careful in articulating to our stakeholders the pitfalls of a hurried lift and shift cloud migration. The lift and shift approach can lead to security issues as well as non-delivery of business benefits.

The other aspects are around the kind of data that gets into the Cloud. The business and regulatory impact of data breaches, and a fallback approach, need to be in place ahead of making Cloud migration decisions. At the same time, hosting on a company-owned Data Center doesn’t guarantee 100% security. Due to economies of scale, Cloud platforms generally have a high-availability/fault-tolerant set-up to take care of adverse events, while replicating Cloud platform-style redundancy could be extremely costly in company-owned Data Centers.

In summary: there is no simple yes or no answer to the question of whether Cloud or your company-owned Data Center is more secure.