Cloud computing services have become a vital tool for most businesses. It's a trend that certainly accelerated with the pandemic, as public cloud-based services such as Zoom, Microsoft 365 and Google Workspace became the collaboration and productivity tools of choice for teams working remotely. Entire workloads, including servers, data, and applications, are being moved to public cloud platforms such as Azure and AWS. In fact, it has been projected that up to 60% of businesses will make the shift to some form of public cloud by 2022, which means the demand for on-premises infrastructure will decrease in the same time frame. With touted benefits such as operating expense (OPEX) instead of capital expense (CAPEX), increased flexibility and scalability, and shifting the maintenance of the underlying infrastructure to the service provider, a move to the public cloud would seem to be a sound business decision; but is it really? Before one can answer that question, we need to look at the different flavors of 'cloud', the three most common being public, private, and hybrid.

Public Cloud

The public cloud is defined as computing services offered by third-party providers over the public Internet, making them available to anyone who wants to use or purchase them. They may be free or sold on demand, allowing customers to pay only for the CPU cycles, storage, or bandwidth they consume. Public clouds can save companies the expense of purchasing, managing, and maintaining on-premises hardware and application infrastructure, and the cloud service provider is responsible for management and maintenance of the underlying infrastructure. Note what that responsibility does not cover: under the providers' own shared responsibility model, the operating system, patching, network rules, identities and the data itself remain the customer's job. Public clouds can also be deployed faster than on-premises infrastructure and present a highly scalable platform.

Private Cloud

The private cloud is defined as computing services offered either over the Internet or over a private internal network. Also called an internal or corporate cloud, private cloud computing gives businesses many of the benefits of a public cloud, including self-service, scalability, and elasticity, with the additional control and customization that comes from dedicated resources on a computing infrastructure hosted on-premises. In addition, private clouds deliver a higher level of security and privacy through both company firewalls and internal hosting, ensuring operations and sensitive data are not accessible to third-party providers. Unlike the public cloud, the company itself bears the cost of, and accountability for, managing the private cloud. That management can be provided by the company's own internal IT department, an outsourced IT provider like QPC Security, or a combination, which is sometimes referred to as Co-Managed IT (CoMIT). The infrastructure powering a company's private cloud can be delivered via physical servers or virtual servers, and the decision about which to use can be a complex one. If the ultimate goal is to control IT risk and costs while also increasing supportability, scalability, and recovery options, QPC Security believes there must be a paradigm shift from physical to virtual servers.

Hybrid Cloud

Hybrid cloud is a solution that combines a private cloud with one or more public cloud services, with orchestration and networking software (often proprietary) connecting the distinct services. While there are varying opinions on what truly defines a hybrid cloud, one thing is certain: management of a hybrid cloud is overly complex and therefore does NOT reduce costs. What many fail to realize is that you must run two disparate methodologies for a whole range of things. Consider the cost of providing and managing two of each of the following: backups, audit and monitoring systems, network layer security systems, penetration testing tooling, SOC profiles, and so on.

For the purposes of this article, I am going to stay focused on the risks associated with the public cloud, but since private and hybrid cloud are also referenced, it's important to have a general understanding of the different options available. The risks I see and have experienced with the public cloud include:

Security, Security, Security

Probably my biggest issue with the public cloud is security. If you struggle with how to secure your network and data when it's on premises, how is it even possible to secure it on a public cloud platform? You have less control over, and less visibility into, the underlying infrastructure in a public cloud, so you don't have what you need in order to properly secure your data.

A good example of this is the use of a network layer security appliance to protect your public cloud assets. You could spend upwards of $400/month just for the licensing and compute of that appliance, and it still cannot deliver the level of inspection and segmentation you would have on-site, because the provider's virtual network hides layer-2 traffic from you and only routes what it is told to. The other truth is that the virtual appliance manufacturers don't even have these capabilities on their roadmap, because no one is asking for them. I'm not sure how it's possible for a technology provider to offer public cloud services and not treat network layer security as part of those services. It's like a bank offering safe deposit boxes but placing them in the lobby with the master keys hung on a hook right next to them. Why would anyone put something on a public cloud, where there are certainly more risks than on-premises, and not even have baseline network security?

Eviction Notice

So, you move all of your data and business-critical applications to the public cloud and then one day, seemingly out of the blue, you have no access to your data and applications. Or you receive a 24-hour eviction notice: move all of your data and applications or lose access forever. How can this even be possible in today's world? It's your data and your applications, after all.

At its core, the public cloud is a 'utility service' based on a subscription, 'pay as you go' model where the customer is charged for the services it has consumed. Just like an electricity or water utility, rates are assigned to the resources, calculated on a monthly basis, and then charged to the customer. And just like a utility, those services can be terminated for non-payment or for not adhering to the terms of the 'contract'. It is the latter that many businesses do not pay attention to (or, quite frankly, understand) when it comes to the public cloud.


Read The Terms Of Service

The Terms of Service (TOS) you agreed to in order to use the public cloud services supposedly drive these decisions. It's very simple: if your provider does not agree with your product, messaging, social media presence, or anything else it may not understand or value, it can pull the plug on the services it is providing to you, all under the TOS.

Call it Big Tech censorship, hiding behind a vague TOS, or reneging on a contract; the risk is real and one you need to be aware of before moving to or staying on a public cloud platform. This is not a political or private-entity 'they can do as they wish' discussion. It is a problem of consuming resources under a utility service model. A vague TOS and, yes, sometimes the insertion of a personal opinion or value system drive these decisions, and continuation of service is no longer predicated simply on paying the bill.

The Cost Factor

Contrary to the general narrative put forth by public cloud providers, it's not an "all you can eat" under-one-price model. Everything, and I mean everything, in the public cloud costs you. It's not just the compute resources: network traffic consumption (especially data leaving the provider's network) and storage consumption play a big role in the calculation of your monthly cost.

Looking at an on-premises physical server, after purchase you just use it, knowing that the compute, network, and storage will not incur additional costs. Your MENTALITY is focused on maximizing the use of your asset.

Conversely, when you use the public cloud, where you are charged monthly fees based on the compute, network, and storage consumed during that month, your MENTALITY becomes "how do I reduce this horrendous bill" every month.

Time and time again, I see inadequate resources being allocated to workloads hosted in the public cloud because the cost is horrendous. The logical response from a cost perspective is to shave those resources so thin that they perform poorly, which then takes its toll on productivity across all departments. It's not uncommon to see a database transaction that would normally take 30 seconds on an on-premises server take 30 minutes in the public cloud because of the insane disparity in provisioned resources.

Consider also that no one properly estimates the amount of time you will waste wrestling with the public cloud, trying to figure out how to get the monthly consumption costs down. Just when you thought you were going to be able to focus on productivity and profitability, you cannot, because all you are doing is worrying about the $5,000/month public cloud bill that you thought was only going to cost $1,200/month. Before too long, you realize you have paid the public cloud hosting provider the same amount you could have invested in two on-premises $35,000 servers. Not to mention that you would have had better performance, lower costs, and more peace of mind.

Pre-Built Versus Build Your Own

While I spoke about security earlier in this article, I approached it from the perspective of what you, the customer, need to manage. Now let's take a look at security, or the lack of it, from the platform provider's side.

While the 'race to the cloud' has been going on for a few years now, the COVID pandemic and the abrupt shift to remote workforces brought a whole new set of challenges as they relate to security and data privacy.

At the highest level, public cloud platform providers are able to offer services at that perceived "low cost" price point because they provision many VMs at a time from pre-built 'images'. Think of an image as a template. It is applied to machine after machine, and while this makes sense from an efficiency standpoint, what happens when a new vulnerability is identified? New images contain the patch, but every VM already running from an older image does not, and patching those running machines is the customer's responsibility, not the provider's. A VM booted from an image that is months old starts life carrying every vulnerability disclosed since the image was built.

Overly permissive firewall settings are another huge issue. Back to our bank analogy: think of a firewall as the bank vault. While it should always be locked, with the strictest security measures and access controls determining when the door is opened, the provider wizards, quick-start templates and marketplace images that most customers deploy from often take a 'leave the door ajar' approach: remote-management ports such as SSH and RDP are opened to any source address. It makes the platform easier to manage and means fewer complaints from customers who need a specific port open, usually one that should not be opened in the first place. With an overly permissive firewall stance, the moment a VM boots it is open to attack.
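The 'door ajar' problem is easy to detect mechanically once you know what to look for. The following is an added example, not code from the original article or from any provider: it audits inbound security-group rules in the IpPermissions/IpRanges shape that AWS `describe-security-groups` returns, flagging all-traffic rules, admin and data ports reachable from the Internet, and any other world-open non-web port range. The two groups at the bottom (a weak one and a corrected one) are constructed sample data, not taken from a real account.

```python
"""Audit cloud firewall (security-group) rules for the 'door ajar' problem.

Added example, not code from the original article. The rule shape mimics the
IpPermissions / IpRanges structure returned by AWS describe-security-groups;
the groups below are constructed sample data, not a real account.
"""
import ipaddress

WEB_PORTS = {80, 443}                      # acceptable to expose world-wide on a web tier
SENSITIVE_PORTS = {22, 3389, 5985, 5986,   # SSH, RDP, WinRM
                   1433, 3306, 5432,       # MSSQL, MySQL, PostgreSQL
                   6379, 9200, 27017}      # Redis, Elasticsearch, MongoDB


def _prefix_len(cidr):
    return ipaddress.ip_network(cidr, strict=False).prefixlen


def _is_single_host(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == net.max_prefixlen


def _sources(perm):
    """Yield every IPv4 and IPv6 source CIDR attached to one rule."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def _port_range(perm):
    if perm.get("IpProtocol") == "-1":      # "-1" means every protocol and every port
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def classify_rule(perm, cidr):
    """Return a reason string if (rule, source CIDR) is overly permissive, else None."""
    lo, hi = _port_range(perm)
    world = _prefix_len(cidr) == 0          # 0.0.0.0/0 or ::/0
    if perm.get("IpProtocol") == "-1" and not _is_single_host(cidr):
        return "all protocols and ports from " + cidr
    if world and any(lo <= p <= hi for p in SENSITIVE_PORTS):
        return "admin/data port reachable from the Internet"
    if world and not (lo == hi and lo in WEB_PORTS):
        return "non-web port range open to the Internet"
    return None


def audit_group(group):
    """Findings for one security group, in rule order, as a list of dicts."""
    findings = []
    for perm in group.get("IpPermissions", []):
        lo, hi = _port_range(perm)
        for cidr in _sources(perm):
            reason = classify_rule(perm, cidr)
            if reason:
                findings.append({"group": group["GroupId"], "source": cidr,
                                 "protocol": perm["IpProtocol"],
                                 "ports": (lo, hi), "reason": reason})
    return findings


# Constructed sample: the kind of group a quick-start wizard produces.
WEAK_GROUP = {
    "GroupId": "sg-weak-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        # 'all traffic' from the whole private range, typical of a lazy site-to-site VPN rule
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 9000, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

# Constructed sample: the same group after tightening. 203.0.113.10 stands in for
# an admin bastion and 10.20.30.0/24 for the one on-premises subnet that needs SQL.
HARDENED_GROUP = {
    "GroupId": "sg-hardened-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
        {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433, "IpRanges": [{"CidrIp": "10.20.30.0/24"}]},
    ],
}

if __name__ == "__main__":
    for group in (WEAK_GROUP, HARDENED_GROUP):
        for f in audit_group(group) or [{"group": group["GroupId"], "reason": "no findings"}]:
            print(f)
```

The all-traffic check deliberately fires on private source ranges as well as on the Internet, because a site-to-site VPN rule that admits 10.0.0.0/8 on every port is exactly the open door from a compromised cloud VM back to the on-premises network discussed below.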

Still another troubling trend is VM images that come pre-installed with malware or cryptocurrency miners, or images built by attackers that, after a set period of time, connect back to the operators and establish a command-and-control (C2) connection. While some of the larger public cloud platform providers like AWS and Azure have put some controls in place, such as tying public IP addresses to the VMs they can be verified to belong to, that information can still be harvested by cybercriminals. Also, with the rise of 'hybrid environments' and point-to-point VPNs, a cloud VM compromised in this way becomes an open door back into the on-premises network unless the tunnel is segmented and filtered.

In a build-your-own scenario, the server OS licensing is yours. You can buy it in the most cost-effective way. In the public cloud, by contrast, bringing your own licensing is restricted: it is allowed only for certain products, under specific programs (for example Azure Hybrid Benefit, or dedicated hosts on AWS) and usually only with active Software Assurance or equivalent terms. By default you are renting the OS licensing from the infrastructure provider monthly. This is just another factor that increases the overall TCO of the public cloud.

The Untold Secret

One thing no one seems to want to talk about, but everyone should be aware of, is the approach many cloud platform providers take to proactive breach and compromise monitoring: even when they are informed of a potential threat, they do not pass that information along to their customers. To be fair, public cloud providers cannot be responsible for every bad security decision a customer makes, but they tend to take a very hands-off approach to taking threats seriously and making sure their customers are made aware of them. Because of this, a coordinated attack can compromise hundreds of VMs at once, simply because the customers didn't know what to look for.

The other major security issue with public cloud platforms is data leaks. Exposed databases and object storage are the typical attack surface, and even the major public cloud platform providers fall victim to this type of exposure. Take for example when Microsoft 'accidentally' exposed 250 million customer support records through an improperly secured Elasticsearch instance in late 2019. I use the term 'accidentally' because that is how the incident was positioned, but let's be honest: accidentally means by chance or inadvertently. If Microsoft had properly secured the instance in the first place, there would have been no 'chance' occurrence of millions of exposed records. And so as not to leave Amazon out, S3 buckets are commonly left publicly readable by their owners, which invites anyone to search them for valuable data: personally identifiable information (PII), financial records, database backups, credentials, and credit card records. It is a case of people using technology they do not know how to secure properly.
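A publicly readable bucket is usually the result of one of two settings: a bucket policy whose Principal is everyone, or a legacy ACL grant to the AllUsers or AuthenticatedUsers group. The following is an added example, not the article's own code: it evaluates both for a bucket and reports whether anonymous read is granted outright, granted subject to a Condition that needs human review, or not granted at all. The policy and ACL documents use the JSON shapes AWS publishes (Statement[] and Grants[]), but every document below is constructed sample data, and the account ID and canonical user ID are placeholders.

```python
"""Detect publicly readable object storage from its bucket policy and ACL.

Added example, not code from the original article. The documents use the
JSON shapes of an AWS bucket policy and bucket ACL, but all of them are
constructed sample data; the account and canonical-user IDs are placeholders.
"""
import json

PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the Internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}
# Actions that let the principal read object contents or enumerate keys.
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_read(actions):
    return any(a.lower() in READ_ACTIONS for a in _as_list(actions))


def audit_bucket_policy(policy):
    """policy: parsed bucket-policy dict. Returns [(statement id, severity, why)]."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        sid = st.get("Sid", f"statement[{i}]")
        if st.get("Effect") != "Allow" or not _principal_is_everyone(st.get("Principal")):
            continue
        if not _grants_read(st.get("Action", [])):
            continue
        if st.get("Condition"):
            findings.append((sid, "review",
                             "anonymous read allowed subject to a Condition; verify it restricts the source"))
        else:
            findings.append((sid, "public", "anonymous read with no Condition"))
    return findings


def audit_bucket_acl(acl):
    """acl: parsed ACL dict with Grants[]. Returns [('acl', severity, why)]."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_ACL_GRANTEES and grant.get("Permission") in {"READ", "FULL_CONTROL"}:
            findings.append(("acl", "public",
                             f"{grant['Permission']} granted to {PUBLIC_ACL_GRANTEES[uri]}"))
    return findings


def audit_bucket(name, policy_json, acl):
    """Combine both checks; each finding is (bucket, source, severity, why)."""
    policy = json.loads(policy_json) if policy_json else {}
    return [(name,) + f for f in audit_bucket_policy(policy) + audit_bucket_acl(acl)]


# Constructed samples. A backup bucket exposed both ways:
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::db-backups-example/*"}]})
LEAKY_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}

# The same bucket locked to one backup role (placeholder account 123456789012):
LOCKED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "BackupRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
     "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::db-backups-example/*"}]})
LOCKED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-CANONICAL-ID"},
     "Permission": "FULL_CONTROL"}]}

# Principal '*' but limited by a Condition: not clearly public, flag for review.
CONDITIONAL_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PrivateLinkOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::db-backups-example/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-example"}}}]})

if __name__ == "__main__":
    for label, pol, acl in (("leaky", LEAKY_POLICY, LEAKY_ACL),
                            ("locked", LOCKED_POLICY, LOCKED_ACL),
                            ("conditional", CONDITIONAL_POLICY, LOCKED_ACL)):
        print(label, audit_bucket("db-backups-example", pol, acl) or "no findings")
```

The Condition branch is reported as "review" rather than "public" on purpose: a condition on the source VPC endpoint genuinely keeps the bucket private, while a condition on something an attacker controls (a User-Agent, say) does not, and a script cannot tell the two apart without knowing the account.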

And it is not just the platform providers that don't take security as seriously as they should; third-party data aggregators and advertising companies are frequently behind data leaks from organizations that themselves have strict policies about data security, encryption at rest, privileged access, and restricted Internet exposure of sensitive files. In 2020 alone, 36 billion records were exposed in the first three quarters.

Moral To The Story

If you can't secure your cloud infrastructure to the same degree that you secure your on-premises network, then you have no business being in the cloud. If you think that because you are using a reputable, big-name provider like Azure or Amazon your cloud infrastructure (and your data) is secure, think again. Until providers like these become far more proactive and aggressive in their approach to security, you have to assume that you are the only one looking out for your best interests. Under their own shared responsibility model, IaaS providers like Azure and AWS are responsible for security of the cloud, not security in it: what runs on your VMs, your network rules, your identities and your data are the responsibility of you or your IT service provider. If the TCO of hybrid is higher, and the TCO of public cloud is higher than private cloud, then why would an SMB use the public cloud?

If your ultimate goal is to control IT costs while also increasing supportability, scalability and recovery options, public cloud is not your best option. For more information on how to do this with an on-premises network, QPC Security can help, contact us today at 262-553-6510 or by visiting qpcsecurity.com.