Hybrid Cloud Migration Not Always Best Option

Angelo Richichi

Part 2 of 2: Read this before you embark on your migration journey to the hybrid cloud with Amazon Web Services (AWS), Microsoft Azure, Office365, or any other cloud services provider.

In my last blog post, I noted that companies of all sizes today, from small businesses to large global enterprise firms, are moving more applications and infrastructure services to the cloud. It’s typical for them to adopt a hybrid model where private and public architectures co-exist, and they continue to integrate some on-premise resources with their new cloud platform.

It’s likely that you and your organization also want to adopt cloud, but your plans don’t include substantial new costs to replace, re-engineer, or convert legacy hardware and software. Your team rallies around a passion for minimizing capital expenses and simplifying your hybrid cloud model.

Amazon Web Services (AWS), Microsoft Azure, Google Cloud, IBM, and other cloud providers and partners including CDI can fully support your business in the cloud and want to help you achieve your IT and business goals.

We all want to enjoy worry-free cloud operations spanning decades to come.

You and your team are thrilled with the promise of 99.95 percent availability and secure encryption in the cloud; however, you might have concerns about performance, compliance, regulations, and security.

And to be completely honest, some applications with strict data storage policies and sensitive data handling procedures are simply not going to be 100 percent in the cloud.

In fact, some portion of your IT infrastructure simply won’t be appropriate for cloud migration.

Cloud Risks: Real or Perceived?

At the heart of the issue are minor problems that converge into the current sense of malaise about more robust cloud adoption. There is a possible risk fueled by a fear of the unknown and a perception of the immaturity of cloud security standards paired with increasingly larger and more challenging workloads.

Consider patient health information and large databases storing real-time financial transactions against the backdrop of major system failures such as the online healthcare.gov marketplace website crash in 2013, and major security breaches including one at Yahoo that impacted over one billion accounts (http://www.usatoday.com/story/tech/news/2017/01/23/report-sec-looking-into-yahoo-data-breaches/96940674/).

The perfect storm of performance concerns, automation gaps, and security questions all conspire against the still relatively new cloud technologies.

Other risks, real or perceived, include:

  • It may be a valid criticism that cloud migration templates that teams can follow for a smooth transition are not available yet.
  • There is a perception that the standards for physical access to cloud-hosted assets by auditors are not widely adopted yet. Data center providers, by and large, don’t have the staff to accompany auditors or customers as they visit data centers and probe for compliance practices.
  • What if a managed services provider is not able to demonstrate proof of certification or compliance with an industry standard or regulatory rule that you, as a business stakeholder, are required to provide?
  • In addition to the known problems, what unknown risks might you be taking on as you migrate more and more of your business to the cloud?

Cloud Security or Data Retention

One such risk may occur when we examine data retention policies. Your aggressive move to the cloud may backfire. For example, a security policy requires that your team physically destroy old hardware disks or storage volumes with sensitive customer information. Because you moved to the cloud, you cannot comply and you find yourself in a lawsuit.

The following scenarios exemplify possible cloud security concerns you may have:

  • An assessment reveals that your cloud services provider received a high-risk/insecure score on three out of 10 compliance items. Your organization is locked-in with a one-year contract.
  • You discover a risk and order the deletion of certain data. Because the operating system and resources are in the cloud, you are not able to completely assure yourself, your boss, your customer, a demand letter, or a court order that the information was destroyed. It could re-surface later, or worse, leaked data could threaten your reputation, contribute to ransomware, or fall into the hands of competitors.
  • An audit reveals you are sharing multi-tenant resources with the same company that was indicted last month in a multi-million-dollar price-fixing scam. Your risk compliance officer is not happy to learn the news and wonders if the cloud vendor has made any copies of the sensitive customer data you don’t want associated with the scam.

Feeling Vulnerable

Without dedicated storage hardware, the cloud can leave you feeling vulnerable. In a related sense, your data-handling processes can also be exposed to the risk of certain software vulnerabilities.

How do you know for a fact that your cloud services provider is living up to their end of the deal by keeping the new platform service secure? For example, do they provide documented processes for software security, threat monitoring, vulnerability management, and security updates? Who do you call?

What timeline and actions are provided in response? What is their patch schedule?

And finally, what level of compliance certification have they achieved from software audits?

Cloud Security Standards

As a customer moving to the cloud, you might feel like you are no longer in control of verifying safe data processing practices. It’s your data, but someone else is handling it. Perhaps it is even spanning multiple federated cloud environments. Are multiple transfers taking place? Is the data handled in accordance with insurance regulations, industry standards, and other legal statutes?

Some SaaS customers are required by state banking and insurance regulations to personally verify patches even if another vendor already attests to the results. Today’s climate in some ways penalizes the strongest cloud supporters and early adopters.

The tide is slowly turning. We are seeing more cloud providers that publish their data-handling practices.

In truth, the handling of sensitive information is the responsibility of the business customer and not the cloud provider. But more often it is protected by a shared responsibility or shared security model, where the cloud vendor provides physical and logical security to the underlying infrastructure and business customers apply the security safeguards to their data.

Again, we’ll use patient health information as an example. HIPAA compliance calls for PHI data to be encrypted in flight and at rest. While clouds like AWS provide the tools to encrypt your data as an option, it’s up to you, the customer, to follow through and secure your data with the tools that AWS provides in a HIPAA-compliant manner.
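The customer-side follow-through described above can be checked mechanically. The sketch below is an added example, not code from the original post or from AWS: it assumes the data sits in S3 and audits a constructed export of two buckets (made-up names and account ID) for a default encryption rule and a policy that denies requests sent without TLS.

```python
import json

# Constructed sample export (bucket names and account ID are made up).
# Shapes mirror S3 GetBucketEncryption / GetBucketPolicy responses.
BUCKETS = {
    "phi-records-example": {
        "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault":
                                  {"SSEAlgorithm": "aws:kms"}}]},
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [{
            "Effect": "Deny", "Principal": "*", "Action": "s3:*",
            "Resource": "arn:aws:s3:::phi-records-example/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
    },
    "phi-exports-example": {
        "encryption": None,  # constructed: no default encryption rule in export
        "policy": json.dumps({"Version": "2012-10-17", "Statement": {
            "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::phi-exports-example/*"}}),
    },
}

def encrypted_at_rest(enc):
    """True if a default server-side encryption rule names a known algorithm."""
    return any(
        r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        in ("AES256", "aws:kms", "aws:kms:dsse")
        for r in (enc or {}).get("Rules", []))

def tls_enforced(policy_json):
    """True if some Deny statement matches requests sent without TLS.
    Simplification: does not check that Action/Resource cover the whole bucket."""
    stmts = json.loads(policy_json).get("Statement", []) if policy_json else []
    if isinstance(stmts, dict):  # a lone statement may be a bare object
        stmts = [stmts]
    for s in stmts:
        value = s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", "")
        if s.get("Effect") == "Deny" and str(value).lower() == "false":
            return True
    return False

def audit(buckets):
    """Return {bucket: [missing controls]} for buckets failing either check."""
    checks = (("no default encryption at rest", lambda c: encrypted_at_rest(c.get("encryption"))),
              ("policy does not deny non-TLS requests", lambda c: tls_enforced(c.get("policy"))))
    report = {n: [msg for msg, ok in checks if not ok(c)] for n, c in buckets.items()}
    return {n: issues for n, issues in report.items() if issues}

if __name__ == "__main__":
    print(json.dumps(audit(BUCKETS), indent=2))
```
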

AWS and Azure now feature cloud standards for physical security, cloud whitepapers, and other publications as part of their shared responsibility model.

Moreover, many cloud customers are beginning to realize that the cloud is inherently more secure than their own data center was, or will ever be again. In some ways, it’s a leap of faith because you’re accepting what the provider is telling you as the truth. Reputable cloud providers are honestly securing your data environments and making sure that their underlying infrastructure is protected.

API Risk Exposure

The obvious risk from web-based APIs and UI controls is from network attacks. This includes APIs in early, active, or even mature phases of development. For mature systems, employees are exposed to more information and become greater threats themselves. Two-factor authentication will greatly help here. However, a network attack or leak through an API could result in serious damage to the customer’s reputation.

The administrative cloud console or API manager interface is often an easy target of hacking. An account with full access to the API console could be hacked to access sensitive customer information.

Ask your services provider the following questions:

  • How is the admin interface or API layer protected?
  • What authentication methods are you using?
  • What encryption strength and password policy do you recommend and what do you enforce at the system level?
  • Do you place restrictions on access by IP, groups, roles, or individual permissions?

To mitigate the risks, you need to recognize the limitations. Despite the cost savings and other advantages, do not push everything to the cloud. If you do decide to start a migration, monitor the security and performance of the applications, services, and entire platform.

Tip: If you are interested in getting started with a cloud storage and migration assessment, contact your CDI representative.

Angelo Richichi, Principal Consultant, Engineer, and Architect, CDI

With over 20 years of experience in IT, Angelo Richichi is Principal Consultant, Engineer, and Architect at CDI specializing in the design, installation, and administration of storage, virtualization, and networking equipment, applications, and solutions. Mr. Richichi provides mid-range and enterprise array design services and advises clients on their implementation, migration, and replication needs. After attending Seton Hall University, Mr. Richichi earned his BS in Computer Science before going on to earn over a dozen industry certifications. His extensive skill set spans all areas of the data center including business continuity, disaster recovery, cloud computing, storage area networks (SAN), Brocade, Cisco UCS, MDS switches, EMC, EMCIE, VMware, virtualization, VNX/VNXe, VMAX, VPLEX, Clariion, Unity, XtremIO, Unix, and Red Hat Linux.