What will you do when your cloud goes down?
Ahmad Al Qadri, regional sales director, Middle East and Gulf, Cohesity, on the damaging effect of cloud outages
A short history of business IT might report that the Noughties were all about the West taking baby steps in cloud applications such as Oracle, Salesforce and Google Apps. The 2010s saw clouds proliferate globally as pioneers took a ‘cloud-first’ stance and used platforms including AWS, Microsoft Azure and Google Cloud Platform to pilot, test and run services. By 2025, IDC says worldwide data will grow 61 percent to 175 zettabytes, with as much of the data residing in the cloud as in data centres. The responsibility to maintain and manage all this consumer and business data supports the growth in cloud provider data centres.
With that in mind, it’s not unreasonable to expect that in the 2020s, businesses across the Gulf and the wider Middle East region will invest further in the cloud. And those already with data in the public cloud will attempt to harness their existing cloud investments, formalising multi-cloud and hybrid cloud strategies and clawing back control via consoles that offer visibility and manageability over increasingly disparate estates.
There are still some unmanageable areas where cloud hasn’t yet permeated but progressive companies today are asking ‘why not cloud?’ instead of ‘why cloud?’ It’s the default deployment mode for the new IT but does that dependence on a deployment model incur a risk? The short answer is ‘yes’.
Innovations to IT dependencies have traditionally incurred more risk since those days when you didn’t get fired for buying IBM. Businesses have typically added more silos, and IT has become more distributed. In tandem with this pace of IT change, the cyber threat landscape has evolved rapidly and can now produce threats and undermine security on every infrastructure imaginable.
Cloud isn’t infallible
Cloud computing is mushrooming and we are entering a new era where tactical investments are becoming strategic and there is a return to order that’s seeing more CIOs attempt to rein in what they have and introduce controls that reduce silos, bring down costs, and mitigate risks.
We are now depending on cloud services even if we don’t realise where our data is residing or travelling at any given point in time. We luxuriate in the notion that our data is somehow safe, looked after by the internet and cloud giants so we build our trust up and up. But an inconvenient question appears: what happens when it all goes down?
Cloud services aren’t immune from outages, hacking, acts of God or worse. In 2019 alone, we saw Office 365 Exchange Online go down, shortly to be followed by other Microsoft services. Then there was Google Gmail and Drive, Azure, Google Cloud, Salesforce, AWS and more consumer platforms such as Facebook, Instagram, and Apple Cloud. If these mega-forces can go down, anything can, so we need to have a plan to rapidly restore when the worst-case scenario strikes.
Not my problem: Who’s responsible for what?
Per a recent McAfee report, 69 percent of CISOs trust their cloud providers to keep their data secure, and 12 percent believe cloud service providers are solely responsible for securing data. The truth of the matter is that cloud security is a shared responsibility. In an effort to educate cloud customers on what’s required of them, the cloud provider giants have created a cloud shared responsibility model or SRM for short.
Simply put, the SRM denotes that customers are responsible for protecting the security of their data that resides in the cloud, just as they are responsible for it on-premises. This doesn’t change for a different cloud deployment type. Customers are wholly responsible for protecting the security of their data and identities, on-premises resources, and the cloud components they control (which vary by service type).
By 2022 it’s believed that at least 95 percent of cloud security failures will be because of customer error, essentially not upholding their part of the SRM. So, in the context of a major cloud-based service having an outage, a customer really needs to know how much of the responsibility and heavy lifting for recovery is on them. With the cloud, it’s not just about damaged undersea cables causing limitations. It’s more complex.
‘Why is backup just an insurance policy? Why can’t it do more?’
What’s required is a web-scale design that can consolidate all workloads, data, and apps (regardless of whether they are on-premises, in the cloud, or both), onto one platform for recovery. This moves companies away from being vulnerable to a single point of failure. De-duplication, indexing, and search are required too or there is a high chance of “bill shock” when you suddenly realise that all those low-cost cloud services can add up to very large sums if not managed wisely.
In 2020, having a recovery backstop for if (read: ‘when’) your cloud service provider has an outage is important for business continuity and data and regulatory governance. But why is backup data only used as an insurance policy? It typically sits idle most of the time, but could be used for business benefit. Progressive organisations are finding ways to use their backup data, rather than put added strain on the production environment. Uses include threat prevention, test and dev work, analytics, verification, and reporting.
“Today, it takes on average five separate vendors to provide data management across on-premises and multiple cloud environments,” according to Enterprise Strategy Group. That needs to change.
Vulnerability checking your relationship with the cloud
As we move from a world where the cloud is adopted in an ad-hoc way to one where the cloud is IT, we need to rethink its surrounding support infrastructure and the responsibility model associated with it. It has taken time to reach these shores, but now Amazon Web Services has three zones based out of Bahrain, and Microsoft is delivering Azure and Office 365 services from its UAE cloud datacentre regions. Progress is being made. And, it’s expected that cloud services delivered from UAE will have a positive impact on job creation, entrepreneurship, and economic growth across the region. IDC predicts that cloud services could bring more than half a million jobs to the Middle East, including the potential of more than 55,000 new jobs in UAE, between 2017 and 2022.
Within most organisations, the conversation around securing data and infrastructure has inevitably shifted as cloud services arrived and matured, and it has now moved on: how a customer manages its data on-premises, in the cloud and at the edge, and how it subsequently protects that data, dictates the success of its IT strategy.
In the past few months we’ve seen businesses of all sizes making changes as a result of COVID-19. Migration of data and workloads to the public cloud has been occurring at a fast rate, as enterprise IT seeks to overcome the problems presented by traditional data centres, be it physical access constraints or hardware issues caused by vendor supply problems. Businesses cannot merely take such challenges on the chin and move forwards. Downtime costs revenue and reputation.
However, when the next major cloud outage occurs, the enterprise IT team is still responsible for maintaining IT services to its users. And if you’re reading this and asking yourself the question ‘what do we do if our biggest cloud provider goes down?’ you need to start thinking about answers. For it is the enterprise’s mission success that’s on the line in the event of a major cloud outage, not just the cloud provider’s.