Public Cloud refers to an IT model of offering Cloud computing services available on demand over the public internet. This differs from Private Cloud offerings which provide isolated environments for individual customers. For the purposes of this article we will be referring to ‘Public Cloud’ as simply ‘Cloud’ and specifying Private and Hybrid (a combination of On-Premise and Cloud) Cloud when required.
The largest Cloud providers at the time of writing are Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP). Adoption of these services has been a growing trend in many industries thanks to the promise of flexibility, scalability, availability, redundancy, enhanced security and cost savings. But:
Does Cloud actually save you money?
Does Cloud make your solution more secure?
And does Cloud improve availability and business continuity?
This article aims to analyse whether public perception of cloud benefits and adoption lines up with the realities in the industry.
Advantages of Cloud
Let’s start with the positives. There are certain benefits of Cloud that are inarguable, and it is likely that in the coming years this list will continue to grow.
Deploying services in Cloud is faster than placing an order with a Private Cloud provider or sourcing, buying and deploying hardware. The speed of deployment not only lets you build up new infrastructure quickly, but it also allows for scalable solutions which add or remove resources as required.
Most Cloud platforms offer a Pay-As-You-Use model meaning that you only pay for the resources you are currently using. This is ideal for temporary deployments and scaling solutions that won’t always be online.
Extensive Service Catalog
Cloud providers offer a huge range of services accessible via their product marketplaces. These are not only populated by the Cloud provider themselves but external service providers as well. This means that there is a cloud service for almost any scenario to help meet the goals of your business. Services vary from Virtual Machine images to security consultancy and Disaster recovery backup options that transfer data to a 3rd party outside of the cloud.
Automation / Infrastructure as Code (IaC)
Automation receives a lot of attention in modern computing and it should be no surprise that Cloud does automation very well. All of the big three Cloud providers referenced earlier even have their own DevOps suite for automating and managing deployments of services and code, with integration with their own services being a key selling point.
Another benefit of how Cloud platforms are developed is that they can often be controlled directly via an API (Application Programming Interface) and not just from a portal. This is where IaC comes in. IaC is a powerful tool for managing and deploying your infrastructure through code instead of through manual processes. This allows you to repeat deployments easily and guarantee the configuration will be identical each time. The IaC also acts as a form of documentation of your solution, as well-written IaC will include notes and clear referencing, making it more readable than logging into a portal.
Disadvantages of Cloud
Cloud certainly isn’t perfect for everyone, and here are some areas to look out for.
Contrary to common perception, Cloud isn’t always a sure-fire way to cut costs. From a price-to-performance perspective, Bare-Metal or even Private Cloud providers often beat Public Cloud. This comes from the fact that Cloud has to be everything for everyone all the time. In itself that sounds like a good thing, but it does come with certain limitations that can be avoided on Bare-Metal / On-Premise solutions.
An example can be seen in Cloud standard storage disk offerings. The backend Cloud storage solutions inherently have to be highly scalable and available to match the services offered, but this comes at the cost of performance. Distributed storage is an entire topic in itself, but as a general rule, storage solutions can be optimised for one of the following: Performance, Redundancy or Resource Efficiency. The more you index into one, the more the others suffer. The result is that Cloud attached disks are not able to prioritise storage performance to the same degree as a more stripped back, dedicated solution can.
Note: This is not to say that high performance storage is not available in the cloud, just that it is not the default and it comes with additional costs and configuration.
Mismanagement in the Cloud web portal can also lead to runaway costs on deployments. We have seen this most commonly with development VMs and services that were deployed to quickly test something and then forgotten about rather than removed. This ties in to the general feeling of a lack of visibility in the cloud.
“Security professionals highlight lack of visibility (49%), high cost (43%), lack of control (42%), and lack of security (22%) as the biggest unforeseen factors to slow or stop cloud adoption.” (Cybersecurity Insiders – Cloud Security Report 2022)
In many cases, applications are simply not developed or adapted to run in the cloud and cannot take advantage of advanced features such as auto scaling, DevOps integrations or PaaS databases. Smaller or high workload teams may not have the time to develop their solution in a Cloud forward direction while it is serving its current purpose. If a solution is not leveraging Cloud features then it may be better off in a Private Cloud or On-Premise environment.
Another example of where Cloud can be caught short is in security. While there are plenty of built in tools and services for securing your Cloud infrastructure, there is a disconnect between the solution and its security that is not present in conventional On-Premise or managed solutions.
Cloud resources are managed through centralised access points that rely on Role Based Access Control (RBAC) for managing users and permissions (e.g. AWS IAM and Azure AD). This is great for collaborative work and for implementing principles like ‘Just-Enough-Access’, but wrongly assigned permissions can lead to users having the potential to misconfigure, alter or remove deployments at any scale. This increases the risks associated with ‘Bad Actors’. Then there’s the risk of external parties gaining access to an organisation’s Cloud resources, either through poor user password management or, perhaps more likely, a misplaced access token.
Cloud access tokens are essentially a string of data generated by a Cloud’s authentication system that is granted user permissions for performing actions via the Cloud’s API. This is great for Cloud integrations and automation, but the downside is that whoever has access to the token has access to the token’s resources. When handled properly and in accordance with good practice guidelines, tokens are a secure and trusted method of authentication. The problem lies in the potential for poor token management. There have unfortunately been numerous cases on public record of tokens being exploited to gain unauthorised access to systems thanks to tokens being incorrectly handled by users and service providers alike.
For example, it was reported in a post by Team Nautilus of Aqua Security in June 2022 that the ‘Travis CI’ software development and testing platform could be exploited to gain access to tokens for providers such as AWS from user logs:
“In our latest research, we at Team Nautilus found that tens of thousands of user tokens are exposed via the Travis CI API, which allows anyone to access historical clear-text logs. More than 770 million logs of free tier users are available, from which you can easily extract tokens, secrets, and other credentials associated with popular cloud service providers such as GitHub, AWS, and Docker Hub. Attackers can use this sensitive data to launch massive cyberattacks and to move laterally in the cloud.”
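One control for the token-handling risk described above is to redact credentials from build output before it is stored. The following is an added example, not code from the article or from any vendor; the function names, the keyword list and the sample log lines are assumptions made for illustration.

```python
import re

# Provider-specific token shapes (publicly documented prefixes).
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
}
# Fallback: a value assigned to a variable whose name looks secret-bearing.
# '[' is excluded from the value so already-redacted markers are not re-matched.
ASSIGNMENT = re.compile(
    r"\b(\w*(?:SECRET|TOKEN|PASSWORD)\w*)(\s*[=:]\s*['\"]?)([^\s'\"\[]{8,})",
    re.IGNORECASE,
)

def redact_line(line):
    """Return (redacted_line, kinds_found) for a single log line."""
    kinds = []
    for kind, rx in TOKEN_PATTERNS.items():
        line, hits = rx.subn(f"[REDACTED:{kind}]", line)
        if hits:
            kinds.append(kind)
    line, hits = ASSIGNMENT.subn(r"\1\2[REDACTED]", line)
    if hits:
        kinds.append("secret_assignment")
    return line, kinds

def scan_log(lines):
    """Redact every line; return (redacted_lines, findings as (line_no, kind))."""
    redacted, findings = [], []
    for no, line in enumerate(lines, start=1):
        clean, kinds = redact_line(line)
        redacted.append(clean)
        findings.extend((no, k) for k in kinds)
    return redacted, findings

# Constructed sample; the AWS values are the placeholder keys from AWS's own docs.
SAMPLE_LOG = [
    "$ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "$ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "$ git clone https://ghp_0123456789abcdefghijABCDEFGHIJ012345@github.com/example/repo.git",
    "Build finished in 42s",
]

if __name__ == "__main__":
    clean, found = scan_log(SAMPLE_LOG)
    print("\n".join(clean))
    print(found)
```

Pattern matching only catches known token shapes and obviously named variables, so it complements short-lived, narrowly scoped tokens rather than replacing them.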
Then there is the infrastructure deployment and management itself. Where before a deployment would likely be specced out and deployed by an infrastructure engineer, Cloud allows any user to deploy quickly and easily (assuming they have permissions). Without proper templating or leveraging of IaC tools, deployment mistakes can easily creep in that open attack vectors.
Cloud deployments also differ from conventional solutions in that they tend to run without traditional edge firewalls, which would act as the first line of defence on the perimeter of your infrastructure. Cloud instead often adopts a ‘Zero Trust’ approach of managing individual security groups and access for each service. While this does allow for more granular and fine-tuned control, it does mean that multiple security groups must be tracked and maintained instead of the focus being around the edge firewall.
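Tracking many security groups is easier when the check is automated. The following added example (not part of the original article) audits data in the shape returned by `aws ec2 describe-security-groups` for administrative ports open to the whole internet; the port list, the `rule` helper and the sample groups are assumptions constructed for illustration.

```python
import ipaddress

# Assumption for this example: ports that should never face the whole internet.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

def is_world(cidr):
    """True for 0.0.0.0/0 and ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit(doc):
    """Return sorted (group_id, service, cidr) findings for world-open admin access."""
    findings = []
    for sg in doc.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            proto = perm.get("IpProtocol")
            if proto == "-1":  # all protocols, all ports
                services = ["ALL"]
            elif proto == "tcp":
                lo, hi = perm["FromPort"], perm["ToPort"]
                services = [n for p, n in ADMIN_PORTS.items() if lo <= p <= hi]
            else:
                services = []
            findings += [(sg["GroupId"], s, c)
                         for s in services for c in cidrs if is_world(c)]
    return sorted(findings)

def rule(proto, lo, hi, v4=(), v6=()):
    """Build one constructed ingress rule in the same shape as the AWS output."""
    perm = {"IpProtocol": proto, "IpRanges": [{"CidrIp": c} for c in v4],
            "Ipv6Ranges": [{"CidrIpv6": c} for c in v6]}
    if proto != "-1":
        perm.update(FromPort=lo, ToPort=hi)
    return perm

# Constructed sample: group IDs are placeholders, not real resources.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-web-constructed", "IpPermissions": [
        rule("tcp", 443, 443, v4=["0.0.0.0/0"])]},
    {"GroupId": "sg-devtest-constructed", "IpPermissions": [
        rule("tcp", 22, 22, v4=["0.0.0.0/0"], v6=["::/0"])]},
    {"GroupId": "sg-db-constructed", "IpPermissions": [
        rule("tcp", 3000, 4000, v4=["0.0.0.0/0"]),
        rule("-1", None, None, v4=["10.0.0.0/8"])]},
]}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The third group shows why port ranges matter: a rule written for 3000-4000 also exposes RDP on 3389.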
“Cloud security continues to be a significant concern for cybersecurity professionals. With an increase of two percentage points from last year, 95% of organizations are moderately to extremely concerned about their security posture in a public cloud environment.” (Cybersecurity Insiders – Cloud Security Report 2022)
A significant concern when moving to Cloud is the possibility of vendor lock-in. This is a scenario where you are forced to continue using a Cloud provider due to the difficulty of moving away from them. Should a Cloud provider decide to significantly increase its prices on a service that is key to your infrastructure, there is often little that can be done in the short term to avoid this.
Business continuity and DR planning can be of use here, as planning for eventualities such as having to move Cloud providers can make avoiding vendor lock-in much easier. Lift and shift compatible backups and IaC prepared for an alternate provider let you position your infrastructure wherever works best for your business.
According to Gartner’s ‘cloud shift’ research (February 9, 2022) “By 2025, 51% of IT spending in these four categories will have shifted from traditional solutions to the public cloud, compared to 41% in 2022. Almost two-thirds (65.9%) of spending on application software will be directed toward cloud technologies in 2025, up from 57.7% in 2022.” So it’s clear that the industry continues to trend towards the Cloud.
However, it isn’t quite as simple as picking a cloud provider to build up your infrastructure and being done with it. The concerns and shortcomings of working with Cloud lead to a majority of organisations opting for Hybrid Cloud solutions with the next highest percentage opting for a multi-cloud strategy, splitting their infrastructure between two or more Cloud providers.
“Most organizations continue to pursue a hybrid (39%, up from 36% last year) or multi-cloud strategy (33%) to integrate multiple services, for scalability, or for business continuity reasons. Seventy-six percent are utilizing two or more cloud providers.” (Cybersecurity Insiders – Cloud Security Report 2022)
Cloud adoption should not be rushed into; a gradual approach is perfectly respectable if it means proper planning and consideration can be taken when moving into Cloud. Consider that a properly optimised and managed Private Cloud solution may have the edge over a poorly developed Public Cloud one. It sounds simple, but Cloud infrastructure works best when it plays to its strengths. This means making use of the Cloud specific features and services to cut costs and to optimise processes.
Here are some of the questions you should be asking yourself when planning Cloud adoption:
- Does my current team have the knowledge and experience to manage our Cloud infrastructure safely and securely or will I need outside assistance?
- Can I account for the risks associated with vendor lock-in?
- Are my current security standards and policies suitable for Cloud infrastructure?
- What specific elements of my current infrastructure are improved by moving to the Cloud?
Many of the areas of worry when working with Cloud can be minimised or even removed entirely through proper management and planning. Pipe Ten Hosting Ltd offers consultancy and solutions in Public, Private and Hybrid Cloud infrastructure. Get in touch to find out how we can help you.