The cloud's inherent agility, efficiencies and productivity gains distract many CIOs from four "blind spots" they need to head off before they become a problem. But that's not the only reason to understand these risks. Addressing them can also deliver three additional benefits for your apps: faster time to market, better performance, and comprehensive security.
Just as you need to be aware of blind spots when you drive your car, you also need to check for blind spots as you move your company to the cloud. Dazzled by the agility, capital expenditure reductions, efficiencies, and productivity gains the cloud offers, many chief information officers miss four dangers that are hidden in plain sight.
Blind Spot No. 1: Security in the public cloud is a shared responsibility
Adopting a public cloud (also known as Infrastructure as a Service, or IaaS) is a lot like renting a flat. Both IaaS and apartments require that you share responsibility for infrastructure and services. For flats, the property owner is responsible for everything outside—landscaping, sewers, and sidewalks. Individual renters are often responsible for everything inside—furniture, fixtures, heat, and hot water.
Likewise, in the public cloud, vendors provide basic infrastructure for the “outside” of your app—such as physical servers and guest operating systems—while you handle the “inside” of the app itself and whatever technologies or tools support it.
Knowing who is responsible for what is critical because security can be compromised at either level. The head of global security programs at Amazon Web Services (AWS) once said that the thing that keeps him up at night is not the security of the AWS environment itself (the outside), but “the customer not configuring their applications correctly to keep themselves secure” (the inside). If you plan to integrate an application component like payment processing into your mix, you’ll want to ask your cloud vendor what options exist in the broader ecosystem to assist in protecting your applications.
Blind Spot No. 2: Be careful to avoid vendor lock-in
Dreamy-eyed cloud proponents have long envisioned a world in which apps freely move from cloud to cloud. That’s a nice dream, but a dream nonetheless. It isn’t easy to extricate an app from a specific cloud environment. With distinct APIs, consoles, and services, each cloud has multiple “hooks” into your app, making it difficult for you to migrate elsewhere or to implement a failover plan when necessary.
Before committing to a cloud environment, ask whether it’s possible to manage and operationally integrate with existing services and systems to mitigate the risk of lock-in.
Blind Spot No. 3: Cloud talent remains elusive
You also need to consider who will support your cloud initiatives. Almost half (44 percent) of companies that are committed to the cloud have had to hire new workers who understand the technology.
This can significantly delay time to market of your enterprise apps. Your IT decision makers will need to thoroughly understand the APIs and consoles of the cloud provider you choose, as well as provider-specific management processes. Introducing unfamiliar tools and processes can cause delays, increase operating costs, and negatively impact app developer productivity and morale. That’s why, before you select a cloud provider, you should evaluate your current in-house skills as well as the availability of talent in the open employment market. Make sure your team has the skills necessary to handle your provider’s operational methods and processes.
You can do everything else right, but if you don’t have the human skills to power your cloud apps and ops efforts, you’re heading for a crash.
Blind Spot No. 4: The public cloud may not be suitable for Industrial Internet of Things
While glitzy gadgets remain the topic of discussion when it comes to the Internet of Things (IoT), the real growth potential for most organizations remains in what is being called the Industrial Internet of Things (IIoT). Enterprises across a wide variety of industries see the opportunity inherent in automating a significant selection of monitoring duties to shift responsibility from people to technology. Doing so, however, requires a high degree of reliability and performance that early adopters are discovering is not the public cloud's strong suit.
While the public cloud can provide the critical security, compliance, privacy, and performance for IIoT, numerous leading enterprises have found it wanting in terms of latency and reliability.
Carefully consider the response times, reliability requirements, and data security needs of your project before committing to any cloud provider. Changing clouds in midstream is costly under any scenario, and the risk of change is greater when developing apps that deal with transformational technology like IIoT.
Like skillful drivers, CIOs will have more success knowing what’s in their blind spots.
As you travel to the cloud you’ll have a more successful journey if you eliminate the four common blind spots mentioned above. You’ll understand your responsibility for security. You’ll avoid vendor lock-in. You’ll have the IT talent you need. And you’ll be able to deploy leading-edge IIoT applications.
All this will help you bring better-performing and more-secure apps to market a lot faster.
Mike Convertino is F5 Networks’ first Chief Information Security Officer (CISO). Convertino brings to F5 nearly 30 years of experience in providing enterprise-level information security, cloud-grade information systems solutions, and advanced cyber capability development. His professional experience spans security leadership and product development at a wide array of organizations including the U.S. government, Fortune 500 companies, and security start-ups.