‘Trust’ is an interesting word in this context; there are over 20 definitions of the word, but I think the most appropriate is "to rely upon or place confidence in someone or something". I often hear people saying that they can’t trust a cloud platform with "enterprise grade" workloads, and there are two main areas where this lack of ‘trust’ exhibits itself – security and reliability.
Security always tops the list of reasons given for not adopting cloud services, and even the most recent research from the Cloud Industry Forum shows a massive 75% of organisations that haven’t adopted cloud citing this as one of the primary reasons. Bizarrely this concern doesn’t seem to match the experience of those who have adopted cloud, nor the view of many security experts.
I recently ran an industry roundtable discussion on the topic of cloud security. Participants were made up of two groups: those from cloud companies, who may therefore be biased, and respected security officers or legal consultants – two categories that would normally be considered over-cautious.
Despite this, not a single participant at the roundtable felt that a cloud infrastructure, even a public cloud, was inherently less secure than an internal customer datacentre. This seems to match the results of the Cloud Industry Forum’s research which found that 99% of respondents had never experienced a data breach when using a cloud service.
Strengthening this argument, research from the Central European University showed that during the last nine years over 50% of data breaches were caused by the breached organisation’s own internal vulnerabilities, and had nothing to do with a malicious external attack.
This shows that security is primarily defined by people, policy and process. If policies and processes are properly deployed then a cloud-based infrastructure can be as secure as any other deployment model, but the opposite is also true. And this fact seems to be strangely overlooked by those so fearful of security in the cloud.
The other main area of concern is the reliability of cloud platforms; while this topic needs serious consideration by anyone looking to deploy on cloud, there are many instances where this apprehension is being driven by less justifiable reasons.
Fear often seems to be driven by a misunderstanding of how hyper-scale (Mode 2) public cloud platforms have been designed to operate, or by concern caused by a previous unsuccessful attempt to deploy a legacy application on an inappropriate cloud.
When using a hyper-scale public cloud your application architecture needs to be designed specifically to accommodate the underlying platform in order to achieve ‘enterprise’ levels of resiliency. This process might include aspects like decoupling application components, deploying across multiple zones or regions, and implementing automatic component-level recovery from failure.
Going forward, micro-services application architectures will accommodate this model much more seamlessly. If a legacy application is not designed in that decoupled way already, then a more traditionally designed (Mode 1) IaaS platform is likely to be a better fit, and as a result will be much more reliable. These platforms have resiliency built in at the hypervisor layer, rather than it being expected at the application layer.
As is often the case, the answer is to make sure you choose the right solution for your organisation. Matching your application requirements to the right kind of platform should ensure reliability and help you overcome these blanket fears. That said, due diligence is still important and you need to conduct appropriate research on the provider in question, but this is the same for any IT project.
So, can we "rely upon or place confidence in" a cloud platform? If the above factors are taken into account I believe we can. In (the right) cloud I trust!