One quick look at the cloud computing market gives the appearance that it is quite healthy. In fact, one could go as far as to say that the rapid growth is revolutionizing the global marketplace and IT infrastructures. The cloud is transforming the way people work across all functions of the business. From corporate offices to factory floors, from distribution to data management, from the boardroom to the backroom, cloud-enabled IT infrastructure can be found everywhere.
The technology analyst community agrees. Forrester, for example, expected that half of all global enterprises would be relying on public cloud platforms by the end of 2017. In addition, according to Gartner, the worldwide public cloud services market revenue was estimated to total around $260 billion in 2017, and expected to expand to more than $411 billion by 2020.
When it comes to data centers in particular, the cloud is transforming the data center model as we know it. They no longer consist of simple server banks used for back-ups, disaster recovery, or server processing. Most enterprises are transitioning their infrastructure to become virtualized, or hyperconverged, many spanning multiple geographies, and many have begun shifting workloads to the cloud — all in an effort to find efficiencies in capital and operational expenditures and power demands. While virtualizing is simple in concept, and ultimately a cost-saving and agility-producing measure, there are significant complexities with transitioning IT infrastructure. Migrating workloads from older systems to newer ones, or constantly managing software updates for multiple operating systems and platforms, can create a maelstrom of incompatibilities and security issues — stagnating provisioning and creating performance issues and unwieldly management practices.
All these transitioning data centers and virtualized environments share a common need — the need for consistent data security, from endpoints to Bare Metal Servers to storage to the cloud, and preferably, a single solution to secure it all.
To better understand what’s actually happening on the ground in businesses that choose to make the cloud a key part of their IT infrastructure, , WinMagic worked with Viga to conduct an independent survey of 1,029 IT decision makers (ITDMs) at the end of 2017. This research found that almost all (98%) companies are using the cloud as part of their IT infrastructure. ITDMs reported that, on average, the cloud accounted for half their workloads, which represents impressive growth over the past few years alone. With figures like this, will we continue to see cloud adoption rates climb as anticipated? They may, but not without obstacles to overcome, according to the research.
Data Protection and Security Issues
It’s evident that IT departments are seeing benefits from the cloud, or these kinds of positive cloud market predictions would not exist. However, when taking a deeper look at what is happening within companies, we can see that the flight to the cloud is not without its pockets of turbulence. In our survey, when we asked ITDMs about their top three concerns on placing future workloads in the cloud, 58% noted overall security as their top concern, followed by specifically protecting sensitive data from unauthorized access (55%) and the increased complexity of infrastructure (44%).
One simple example among the many problems this creates is that, on average, companies report they use three isolated vendor encryption solutions to protect data across cloud and on-premises infrastructure. It is no wonder then that a third (33%) of respondents also reported that data is only partially encrypted in the cloud, and 39% admitted to not having unbroken security audit trails across virtual machines in the cloud, leaving them exposed to failed audits, data breaches, legal proceedings, fines, and damage to their corporate reputation.
Compliance and audit failure is a top concern for C-Suite executives. Enterprises must meet compliance requirements. New legislation, such as the EU General Data Protection Regulation (GDPR) which comes into enforcement this May, will see companies required to carefully manage the encryption, storage, use, and sharing of personally identifiable information (PII). Failure to comply with this legislation can result in fines equivalent to 4% of annual global revenue, or €20m, whichever is the greater.
But what about that PII in the cloud? As companies prepare for the new legislative framework, there seems to be some confusion when it comes to who “owns” that same data security responsibility in the cloud. Only 39% of the participants in our survey correctly consider themselves ultimately responsible for the compliance of data stored with cloud services. Worryingly, one fifth incorrectly believe it is solely the responsibility of the cloud service provider, while a further fifth incorrectly believe they are covered by their cloud service provider’s service-level agreements (SLAs).
It is critical for ITDMs to understand and accept that their company is ultimately responsible and accountable for the data they create and hold — wherever it resides. The SLAs of cloud service providers do not cover data protection; they are only responsible for the protection of the cloud itself, not what is in it. It is only through a clear understanding of the extent of their responsibilities that ITDMs can fully appreciate their responsibilities with regard to data protection, and legislation such as GDPR.
Controlling data sprawl is a critically important step in meeting the data sovereignty and data security requirements in most modern regulations. Only by tightly defining the operational boundaries of your virtual machines (VMs), and any other parameters such as how your VMs are accessed, shared, cloned or replicated, can you clamp down on data risk.
To improve compliance posture, companies need user-friendly audit tools to track and report that VMs and data are always in a protected state. Compliance doesn’t leave room for guessing. Data security solutions that offer a single pane of glass to provide instant visibility through an easy-to-read dashboard are critically important. These tools help verify compliance across numerous security standards (EU-GDPR, PCI DSS, NIST, as well as HIPAA, and others), and often include automatic auditing tools that report on each instance secured.
Stress on IT Departments
Expanding infrastructure into the cloud has come at a cost for the majority of companies, with a greater burden on IT teams. Over half (55%) or those surveyed reported needing to use more management tools since migrating workloads to the cloud — sometimes needing multiple tools for the same task. More than half again (53%) conveyed spending more time on management tasks than ever before.
Asked what they would use time saved on management tasks for, responses included IT projects needed to support the business (50%), accelerate projects that are currently stalling (42%), and improving security (36%).
But just how can that time-saving be realized? The current approach across endpoints of mixing and matching management tools simply will not work when managing cloud and virtualized environments. For companies with a mix of security solutions and cloud platforms, keeping track of data security, user access, and authentication and use policies will become overwhelming. And what about all those separate recovery processes and end-user burdensome processes? The cloud is about simplicity, speed-to-market and unbridling the business. Adding complexity simply negates the benefits.
What’s Needed to Overcome These Barriers and Fly High?
The answer is the right management, and that can only be achieved through the right processes and tools. All cloud workloads need to be effectively managed to ensure secure access, compliance, and protection against threats, including both internal and external risks
It’s critical to keep in mind that this management should be treated the same as managing on-premises servers and services. Management must cross these inferred boundaries, otherwise we are leaving a chasm in which security and compliance fail. As we all know, this can lead to data breaches or regulatory failures that impact customer trust and corporate reputation and can result in substantial fines or operational costs to rectify the situation.
When it comes to key management, a single key management solution should be considered for all of the organization’s platforms. Emerging hypervisor vulnerabilities create a security gap, so why leave keys open to theft or transfer of authority? By decoupling keys from the hypervisor, keys and data are never exposed to government agencies or dangerous insiders. Furthermore, if there’s a breach at your cloud solution provider’s facilities, your encrypted data and keys won’t be compromised.
Any steps in preparation for shifting to the cloud need to consider not further taxing an already overloaded IT department. As we can see, we have a situation where some of the benefits of the cloud are being realized, but at the expense of internal IT staff resources. In the same way that management tools have played a key role in allowing IT departments to better visualize and manage the deployment of VMs over last 10 years, they can play the same role for cloud services. But the inescapable fundamental with cloud services is that their lack of physical visibility within the IT infrastructure makes them prone to human error when it comes to management and administration. Investing in cloud services and the security tools is not enough — tools that can manage all of these areas are essential.
While it presents numerous benefits, using heterogeneous cloud environments unfortunately makes it more challenging for businesses to manage security and compliance. As a result, IT departments can be left scrambling to put out fires rather than focusing on other important areas. Companies need to think about choosing management tools that are cloud agnostic, and which remove complexity, so they can focus on activities that maximize value in cloud computing, such as investing in-house resources on projects that will drive positive business impact. Financially, it is easy to make an argument for the cloud to account for a larger part of a business’ IT infrastructure, but without the right management tools and processes in place, all of the issues highlighted above can emerge and create a perfect storm that leaves the company exposed to compliance and security risks. Plan well.