Risks of Migrating to a Public Cloud
In line with current trends, it is worth considering the cloud as a proper alternative to hardware procurement right away, since the benefits of moving on-premises IT infrastructure to a public cloud far outweigh the potential risks.
When migrating to a public cloud, companies sometimes overlook significant details and risks. Cloud threats are similar to the ones typically found in traditional infrastructures. This is no surprise: the same software runs both in a cloud environment and on physical servers, so it has the same vulnerabilities. The risks are divided between the cloud service provider and the end user of the service. That is why companies need to be aware of those risks and choose a provider in line with the company's requirements and compliance policies.
Let me point out some of the questions arising when using cloud services.
1. Risk of making mistakes in a migration project
A poorly designed cloud migration project can lead to uncontrolled business downtime, which has a serious impact on revenue and reputation. An ill-conceived migration procedure leads to other problems within the project, e.g. partial data loss, inoperability of services transferred to a cloud, missed SLAs, etc.
Before the start of any migration, the following points are to be defined: the list of applications to be transferred to a cloud, the migration order, the volume and the deadlines. Choose a secure software and services provider with related experience and established procedures for migrating customer workloads from a source platform to a cloud, using specialized migration solutions and practices. A preliminary audit will identify weak points. Create a detailed migration plan to apply best practices and avoid costly errors.
2. The threat of unpredictable growth of the cloud bill
Cost reduction is the main driving force behind the adoption of public clouds. Although cloud migration means high one-time setup costs, it allows a switch from CAPEX to OPEX. Cloud budget overruns can occur for several reasons:
- The cost of cloud services can increase as a result of scaling if a company keeps excess resources it does not need active on its subscription for several days or even weeks.
- Additional expenditures may arise from accidental or unauthorized subscription to new services.
  The simplicity of cloud services makes unauthorized usage easier. Moreover, this is not necessarily the result of malicious intent on the part of an employee. It is far simpler to sign up for extra services inadvertently than to make an accidental purchase of another physical server.
- Migration to a cloud requires adjusting internal business processes and companies do not have a proper way to test the new model until migration ends. Any issue with the model can result in uncontrolled spending.
- Running workloads in a cloud requires engineers and cloud users to shift their mindset: they have to understand the new model and the fact that all resources are billed. R&D departments need to establish budget control, a provisioning culture, and best practices.
Choose a cloud management platform to control all IT resources and get full transparency into IT spending. Such products provide budget-driven resource control and forecast cloud costs. A cloud management solution helps to prevent budget overruns with budget assignments, full provisioning control, predictive insights, sophisticated reports and automated optimization based on deep analytics of historical and current usage of the IT environment. Investing in cloud management software allows savings of up to 35% of monthly cloud costs.
3. Risk of vendor lock-in
The risk of vendor lock-in is one of the main fears for companies that are in a digital transformation phase. The degree of dependence on a single vendor can be huge, as multiple crucial components are controlled by the service provider: infrastructure, data, networking, user management and a lot more. Thus, if a need to move to a different vendor arises, the business can suffer significantly because of substantial costs, legal constraints, or technical incompatibilities.
Before selecting a cloud service provider and launching a migration project, an experienced architect should thoroughly investigate whether the vendor is capable of running the applications properly. To minimize the risk of vendor lock-in, the applications must be migrated according to a lift-and-shift model or built to be as flexible and loosely coupled as possible. You can achieve this by using containers and incorporating REST APIs with popular industry standards such as HTTP and OAuth to abstract your applications from the underlying proprietary cloud infrastructure. For legacy products, lift-and-shift gives an assurance that the cloud can be changed later if there are any problems or SLAs are not met. Also, there is operating system-agnostic and cloud-agnostic migration software that allows movement from any cloud platform with minimal downtime and full control over the process. In case of a negative experience, the software allows users to switch from one cloud provider to another or build a hybrid cloud.
4. Risk of applications malfunctioning in a cloud after migration
One of the reasons for having defective cloud applications immediately after migration is the lack of an application dependency schema analyzed during migration design. When migrating to a cloud, companies should pay attention to how applications relate to each other and to the infrastructure in general. Therefore, it is necessary to take this into account and choose a solution with cloud orchestration: network settings configuration and boot order configuration. Skipping the design of the application dependency schema and the infrastructure specification leads to a drastic increase in incorrect application operation. An omission of test migrations can also be a reason for malfunctioning applications.
Consistent planning of the infrastructure transfer process will help to avoid mistakes in the future. After choosing a cloud provider, request test access to the cloud and run through a migration simulation. First, transfer a simple service to a cloud, evaluate the amount of time spent and check how everything works, analyze the errors and then proceed to the next service, increasing the complexity. Execute the final migration only if you are 100% sure of success after a set of test migrations to check connectivity, performance and application consistency.
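An added example, not from the original article: one way to turn an application dependency schema into a boot order and a sequence of test migrations, in Python with the standard-library graphlib module. The service names and the plan_waves helper are hypothetical, and the inventory is constructed sample data.

```python
from graphlib import CycleError, TopologicalSorter

# Constructed sample inventory: service -> services that must be up before it.
DEPENDS_ON = {
    "postgres": [],
    "redis": [],
    "auth-api": ["postgres"],
    "orders-api": ["postgres", "redis", "auth-api"],
    "web-frontend": ["orders-api", "auth-api"],
}


def plan_waves(depends_on, in_scope=None):
    """Return boot/migration waves; each wave depends only on earlier waves.

    Raises ValueError when a service in scope depends on something that is
    not being migrated, or when the schema contains a circular dependency.
    """
    in_scope = set(depends_on) if in_scope is None else set(in_scope)

    # A dependency outside the migration scope would be left behind on the
    # source platform, so the migrated service could not start in the cloud.
    left_behind = {}
    for svc in sorted(in_scope):
        outside = sorted(d for d in depends_on.get(svc, []) if d not in in_scope)
        if outside:
            left_behind[svc] = outside
    if left_behind:
        raise ValueError(f"dependencies outside migration scope: {left_behind}")

    sorter = TopologicalSorter({s: depends_on.get(s, []) for s in in_scope})
    try:
        sorter.prepare()
    except CycleError as exc:
        raise ValueError(f"circular dependency, no boot order: {exc.args[1]}") from exc

    waves = []
    while sorter.is_active():
        ready = sorted(sorter.get_ready())  # everything bootable right now
        waves.append(ready)
        sorter.done(*ready)
    return waves


if __name__ == "__main__":
    for number, wave in enumerate(plan_waves(DEPENDS_ON), start=1):
        print(f"wave {number}: {', '.join(wave)}")
```

The first wave holds the services with no dependencies, which fits the advice to begin test migrations with a simple service and increase complexity from there.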
5. Lack of IT resilience in a public cloud
Moving to a cloud is always a search for balance between a desire to maintain control over IT infrastructure and transferring it to the more skilled hands of a cloud provider. This balance undoubtedly has to be reached in the field of cloud security and business impact in case of disaster. The level of responsibility of the chosen provider depends on the cloud model (IaaS, PaaS, SaaS).
Design a proper business continuity strategy to ensure interoperability in case of large-scale accidents. Regular block-level replication of an entire virtual machine minimizes the risk of data loss in a cloud.
6. Risk of violation of Service Level Agreement (SLA)
A Service Level Agreement sets a quality standard for IT services provided to a business. The SLA also describes conditions for provision of services, as well as the rules for a customer to use these services. The quality parameters should certainly correlate with the companies’ business goals and must reflect business needs. However, the presence of a signed SLA does not guarantee availability of a service corresponding to the fixed indicators.
Verify a CSP’s ability to provide an appropriate SLA. When choosing a provider, it is important to analyze a number of factors that affect the vendor’s ability to provide the level of quality agreed in the SLA. The following factors are to be considered: the reliability category of the data center, the class of the equipment that is used to build the cloud platform, the hardware architecture of the cloud platform, the hypervisor, the methodological documents used by the provider to support the infrastructure, and whether a quality management system is in place.
7. The threats of compromising unprotected interfaces and APIs
Weak software interfaces or APIs used by customers to manage and interact with cloud services expose an organization to a number of threats. Companies and third-party service providers often use cloud-based interfaces to offer additional services, which makes them more complex and increases the risk, as it may be necessary for the customer to provide their registration data to such contractors to simplify the provision of services.
These interfaces must be properly designed and must include authentication, access control and encryption to provide necessary protection and availability of cloud services.
Today, an increasing number of companies decide to switch to cloud technologies, as they help to solve and optimize numerous tasks. When deciding whether to partially or fully transfer data and applications to a public cloud platform, companies need to evaluate the potential benefits and risks associated with such a decision. In my opinion, the increasing potential of economic efficiency associated with implementing cloud technologies is an incentive for private and public sector organizations to transfer their operating activities to clouds. Read more about cloud transformation in our previous article.
CTO at Hystax (hystax.com)