Hybrid cloud: The best of both worlds?
Organisations are migrating to the cloud in droves because of the business benefits it brings, such as agility, cost savings, efficiency and performance.
But each business is different.
“Not all businesses derive the same benefits from the technology [the cloud], nor do they all have the same requirements,” explains Javid Khan, Chief Cloud Officer at Pulsant.
“This is especially true when it comes to choosing between private and public cloud models, managed hosting and colocation. In addition, they may not be allowed to move certain information into the public cloud due to regulatory or business requirements.”
Hybrid cloud represents the best of all worlds.
“It allows organisations to use whichever cloud or hosting model best suits their requirements, regulatory frameworks and business objectives. This could mean using private cloud to host sensitive data and public cloud to host other business systems, or it could mean maintaining their investment in existing technology (such as colocation), while using public or private cloud as well to capitalise on performance and cost benefits,” says Khan.
Protecting data in the cloud
When the cloud first emerged and businesses began to consider adopting it, there was an immense barrier to overcome: data protection.
Protection is everyone’s concern, or at least it should be, and initially businesses viewed the cloud with scepticism because of its perceived vulnerability.
It is now established that the cloud is — in fact — secure.
“It’s up to the cloud provider to ensure there is the right encryption and infrastructure security in place. Large public cloud vendors like AWS and Microsoft Azure have security processes embedded in their technology to ensure their infrastructure is secure,” confirms Khan.
“It’s up to the customer, however, to have the right safeguards in place to protect their data (just like they would if they hosted the information in-house), such as backup, disaster recovery plans, encryption and anti-virus,” he continues.
Compliance in the cloud
IT compliance is a meandering and complex landscape to navigate.
“When it comes to cloud, there are a number of regulatory frameworks that apply, such as ISO 27001 for information security and ISO 27017 for cloud services,” says Khan. “While businesses may achieve compliance, the rate of change in the industry, business growth and regulatory shifts means that maintaining that compliance could be a challenge.”
Continuous compliance
Cloud compliance isn’t a one-off, check-box activity. It is a journey that doesn’t end with achieving compliance: like digital transformation, it has no end state; it is continuous.
“It’s an organisation-wide commitment to ensuring the business’ IT systems do not fall out of compliance,” says Khan.
“Continuous compliance is the ability or capability of an organisation to keep a handle on their IT compliance requirements and ensure they remain compliant and are alerted when they aren’t with a view to remediating that,” he continues.
“But it can be challenging for a number of reasons, including difficulty in managing compliance frameworks, the rate of change internally and externally, and a general lack of understanding when it comes to compliance.”
Continuous compliance challenge
• Risk management and compliance frameworks are large, and the requirements they impose are difficult to manage. If an organisation is dealing with more than one framework, the complexity is magnified.
• Businesses are influenced by a number of things, internally and externally. As the organisation grows, its requirements change. In parallel, the market is also changing, as is the technology landscape. The compliance framework therefore covers environments that are changing while also being influenced by external factors.
• There is a lack of understanding around what compliance means and what it applies to. What should be monitored, and when should it be monitored? How should you report on it, and how can you prove compliance?