When deciding whether or not to undertake a cloud migration, most people examine the issue from one angle, either the business case that will favor efficiencies and cost savings, or the security case that will raise questions as to where data resides, who owns it, and whether or not systems can be secure in their new location. As an integrated provider of both IT and Information Security services, TRUE takes a different approach. Our consultants examine cloud deployment from all angles, drawing on the vast experience of our experts in IT, Data Science, Security, and Compliance. John Connors, TRUE’s Director of IT and Cloud Strategy, maintains an AWS Solution Architect Certification and heads up the robust (and growing) Sysops and Solution Architects teams for TRUE. Connors and his team work with organizations directly to architect the best possible cloud solutions for their business and security needs.
According to Connors, the first thing you will want to consider is TCO, or Total Cost of Ownership. He walks clients through this process, assembling the data necessary to make an informed decision. The purpose of this exercise is to better understand the real business costs of maintaining on-premise systems over time, as well as the actual costs of deploying cloud networks–either in full or hybrid scenarios.
Cost of Downtime
You wouldn’t want to maintain any network or system without considering failover, business continuity during an outage, and disaster recovery. This is one place where IT and Security considerations for where your systems live overlap, as you should consider what would happen if your network is attacked, breached, or infected by malware or ransomware. If you have not considered this, you will be very disappointed when threat actors enter your environment and simply delete your backups, which were housed on the same network. At that point, you will be stuck paying the ransom with no guarantee that your attacker will return your data and access to systems.
In that vein, uptime and availability include both business and security considerations. As a research and analyst firm points out when comparing cloud and on-premise solutions in a Forbes Magazine article, “In many cases, cloud service providers and hosters provide uptime guarantees in their service level agreements that are higher than those achieved with a self-managed on-premises solution. Unplanned downtime has the potential to impact a number of areas, including labor productivity, revenue, reputation and customer loyalty.”
(For more information on business continuity and to calculate how much downtime your organization can afford, see our recent blog on DR.)
Cost of Hardware in Colocation vs. Cloud
Your organization may be one of the few still maintaining a full data center on-premise. In that case, you are painfully aware of how much your hardware costs. If you are like most organizations that have not yet migrated to the cloud, however, you are probably colocated, with rack space in a nearby datacenter. While somewhat less expensive than fully on-premise solutions, colocation still carries cost and maintenance. You will first want to list the current price of each of your servers. Then lay that cost next to the cost of the cloud equivalent: in Microsoft Azure IaaS, for example, a D2 SSD instance (2 cores, 7 GB RAM, 100 GB disk) costs roughly $200/month. Are your per-server costs greater than $2400/year?
Maintenance and Hardware Updates
In colocation or on-premise scenarios, your equipment is still owned, maintained, and replaced by you as various components become obsolete or need to be updated. This goes well beyond the face value of a one-time purchase, because hardware must be replaced every 3-5 years, and it requires staff hours to execute these projects. Over the long haul, you are buying much more than just a server. By contrast, when your cloud provider needs to update their own hardware, they do so at no additional cost to you. Most Service Level Agreements with cloud providers place those responsibilities squarely on the cloud provider, so you can relax, knowing their teams will manage servers, storage, and network components, with no additional lift from your staff.
Most people don’t consider electrical expenses around maintaining on-premise servers. Certainly, servers have evolved in their energy efficiency, but consider the fact that the average solid server contains two or more power supplies, numerous sets of hard drives, multiple socketed processors, and many other components that support their ability to provide uptime and availability–components that normal computers don’t need. This means their power usage is going to be far greater than laptops and desktop computers. Further, servers generate heat, A LOT of heat. That will, in turn, affect your cooling bills.
Internet Connectivity Costs
What is the cost of bandwidth needed to accomplish your core business processes? That will help you determine whether or not you want to deploy everything in the cloud, or go with a hybrid model. Certainly, most daily business functions will be cheaper in the cloud, but every organization and environment is unique. For instance, if you have large capacity file shares (50GB in size or more) or operations that would be bandwidth-prohibitive in a cloud scenario, you might choose to continue hosting just those functions in-house, or at least consider the costs for additional internet connectivity. For organizations in major urban areas, connectivity options will be readily available. Those operating in rural areas may be more limited.
Cost of Licensing
Some of the applications your organization relies on in your current environment may be priced more advantageously for the cloud. For instance, if you can configure and license per core, you will save a great deal of money over applications that are only priced per VM. This will be a key consideration in selecting new applications and in maintaining or retiring existing ones.
Cost of Service Renewals
You will have different kinds of service providers for each type of environment, so be sure to consider hosting, maintenance, management, and any other service renewals you currently maintain, versus those you will need when migrating to the cloud. You won’t need to keep an ongoing service account with hardware providers post-migration. With cloud deployments, remote management of certain parts of your environment (much more cost effective than full-time employees in most cases) may be a new consideration.
Cost of Management and IT Staff Capacity or Skills Gaps
Speaking of services and staff considerations, the issue plaguing most organizations in the US, an IT and Information Security skills gap, will most likely apply to you. Especially as these two key teams increasingly overlap, these gaps are going to become more prevalent as time goes on. According to the most recent published research from ISACA (Information Systems Audit and Control Association), 69% of organizations say their cybersecurity teams are understaffed, 58% have unfilled cybersecurity positions, and 32% say it takes six months or more to fill cybersecurity jobs at their organization. Further, leadership boards are demanding more deployment of disruptive technologies they see as a great business benefit, such as IoT devices and AI-driven platforms. These will require IT teams to pivot and learn to specialize in new technologies that not only impact your bottom line, but also have tremendous impact on your security posture. That doesn’t even take into consideration the risks your organization runs from the lack of a proper patching schedule, due to overworked and understaffed IT teams.
Differentiation and Team Management
Notes Connors, “A client who maintains full ownership of their instances, data, etc. in a datacenter is obligated to pay for the costs to increase or replace hardware, licensing et al –and those are significant– but they must also maintain a staff of engineers whose sole purpose is the maintenance and proficiency of that environment.”
Those costs are massive and they are almost entirely undifferentiated costs – those individuals do nothing to advance the clients’ service, solution or product.
“Pushing that into a cloud like AWS allows your business to, in most cases, simplify the dynamic, but also (and perhaps more importantly) augment your staff, outsourcing the undifferentiated heavy lifting to an MSSP firm with a mature cloud management practice. Then, you can reallocate those salaries/resources to areas of your business that will drive or create differentiation in your space, pushing you ahead of your competitors rather than simply keeping pace–with the same budget.
“If your business has a development team, using the public cloud will also make them more efficient – but in addition to the savings of moving to the cloud and outsourcing swathes of the management to an MSSP, this should also allow you to reallocate dollars towards additional Dev Ops, QA Teams, etc. Then you can actually take on more projects that get to market faster than if you remain in the datacenter paradigm.”
While it’s rarely a perfect, direct line like that, these are the real outcomes, and at TRUE, we strive to bring clarity around that opaqueness.
The myth that your data is more secure when you can walk over and physically touch your servers is still widely held. The truth is, we work a great number of instances where, because someone was afraid of cloud migration over security or data residency concerns, their systems were actually far less secure and did not have proper backups in place (meaning completely off-campus and completely able to handle immediate failover). Then, when a security incident like ransomware or malware hits, essential operating data or systems are completely lost, because all an attacker needs to do is move laterally and delete backups that are stored on the same network as the rest of the infrastructure. Backup tapes and other outdated means of data protection will likewise be very little help in these scenarios.
In an on-premise or cloud deployment, you are responsible for the security of your data. If it is not physically and remotely secured by you, it is not secured. Regardless of where your data lives, responsibility for its security and the vetting of all your third-party providers is yours. We recommend you undertake due diligence in researching the security practices and reputations of all providers with any access to your environment, whether direct, upstream, or downstream. That said, your cloud provider likely follows a shared responsibility model, which means that while they will work to secure physical access and do their part, all settings, configurations, and layered security controls for your environment are up to you, as an organization. You will want to work with a security provider to ensure you have all options enabled at every stage, and that you are following best practices. This is true regardless of where your systems reside. In short, your data and network are not more or less secure whether on-premise, colocated, or in the cloud. Your systems, wherever they live, are only secure if you have architected them to be so, and if you are keeping eyes on your network 24/7 to deal with any incidents as they arise. Period. John Connors works with clients to ensure they are taking all security considerations into account when helping them architect a cloud migration.
Still, considering once more the Cybersecurity Skills Gap, you are in a much better position to get remote, managed support from Managed Services Providers and Managed Security Services Providers when you are deployed in the cloud. Even if you are just considering the cost of the physical security required to house a data center with best security practices in place, you can see how outsourcing to remote teams will support your bottom line and save you money, without having to hire more full-time employees. Add to that the remote monitoring and management tasks you can take advantage of with an MSP or MSSP, and you will quickly realize massive savings.
In the end, suffice it to say you will want to take a deeper dive into the nuances of your own environment to make a complete evaluation of whether a cloud migration will be the most cost effective, efficient, and secure route for your organization. If you would like someone to walk you through this process and help you assemble the necessary data to make an organizational decision about whether cloud migration is right for you, please reach out to us at firstname.lastname@example.org.