Are we putting too much blind faith in the cloud to deliver our business?

Cloud services are an incredibly useful tool for the average organisation. They have brought corporate-style IT to businesses without having to commit millions of dollars to infrastructure budgets or vast amounts of in-house technical knowledge, and the pay-as-you-go model suits companies that don’t want (or can’t afford) to spend vast sums on hardware and hosting. Costs become operational expenditure and can scale up (or down) with the business need.

We would be remiss if we didn’t also acknowledge the positive role that cloud services played in allowing businesses globally to implement remote working models quickly and viably. There is little argument that cloud services represent agile and rapid solutions to a variety of business needs.

However, the extent of our reliance raises the question: is this world of cloud services too good to be true?

Cloud is Here to Stay

It’s unlikely that our burgeoning use of the cloud will lead to a disastrous end on a widespread scale. That said, if we’re not careful, we stand every chance of ending up with a result that is at best slightly detrimental and at worst quite costly in time, money and security.

One problem is that cloud solutions are quick to get up and running in their basic form. That basic deployment is often not good enough for us as security professionals, as we must care about implementing IT properly to ensure resiliency and security. Cloud services are particularly good for trying stuff out – with minimal initial investment you can do all these fun Agile things like running up Minimum Viable Products (MVPs) and failing fast without massive financial risk in infrastructure disruption. But as a wise security specialist once said: there’s no such thing as an MVP in security. It’s simply not acceptable to put an MVP live without it having proper controls to prevent security breaches; this doesn’t necessarily mean we have to have it fully integrated with our directory service and our plethora of security tools while it’s still in the pilot stage, but the security controls must be significantly more than minimal.

Even if we secure our cloud services properly, though, there is another issue – and again it’s down to the fact that stuff in the cloud can be very fast to sign up to, and potentially inexpensive. And this is the real threat that the cloud poses to our ability to do business and grow the organisation: trying to do everything because the barriers to entry are way too low.

Extracting Value

There is a general trend in IT for organisations to fail to get value from the technology they buy. There’s the old cliché about none of us ever using more than a small percentage of the features of our office desktop suite, but the same applies to rather a lot of the technology we use. Many cloud services fall into this category. Part of this is down to cloud suites that have a seemingly infinite number of extra features that you can add to the basic service for just a few dollars a month each. The other part can be attributed to our tendency to adopt a variety of systems across a number of technology areas (we in the security world aren’t immune from this either – how many of us have started with the Microsoft 365 world then gone out and added a SIEM, a SOAR, email protection, web filtering, Data Loss Prevention etc?).

Falling into the trap of using too many products increases the threat to our organizations. If it’s security systems, we run the risk of never using any of them to the level at which they provide actual benefit, because we don’t always have either the staff to use them properly or the time/funding for training the staff we do have. In general IT the story is similar: people are spread across such an excess of systems that the organisation never gets true value from the tech. In both security and mainstream IT, the more tech we buy the less value we tend to get from it – and the more time we waste. It’s often better to have fewer systems and use them fully than to scrape the surface of the features of a myriad of platforms and services.

We described cloud services as “potentially inexpensive”, and noted that in a lot of cloud suites the add-on extras cost “just a few dollars a month each”. All of which is fine, but anyone who has ever used cloud systems (particularly Infrastructure as a Service solutions) will be familiar with the term “Bill Shock” - where what looks like a small per-gigabyte charge for storage and a modest per-month fee for each virtual server CPU suddenly leads to an eye-watering invoice at the end of the month once these modest charges have been multiplied by all the gigabytes and processors being used. Add to this the variety of other different “inexpensive” cloud services available and there’s a significant financial impact that can hit an organization.

Unless we’re sensible and careful about its use and cost, a cloud service can become a barrier to our business’ success. If we spread ourselves too thinly by falling for the simplicity of the cloud then we risk being distracted from actually doing business and securing our IT assets, with a side order of a financial overspend on hand to burn us too.