How to avoid hidden costs, other cloud 'gotchas'
You've made the decision to migrate to a hybrid cloud environment because of the well-documented benefits. But if you thought it was a matter of simply lifting and shifting data and workloads, think again.
Cloud experts say there is a plethora of issues that can catch you by surprise if you're not diligent. And just as in an on-premises environment, you need to stay on top of security, cost overages, integration, governance, and compliance. Both public and hybrid implementations can present unexpected issues.
Eugene O'Callaghan, senior vice president and general manager of cloud and platform services at DXC Technology, said what's needed is a holistic approach.
"[Migrating] requires looking across the entire operating model spectrum in a new way, re-evaluating everything from policies, to security, to organizational structures and how work gets done."
—Eugene O'Callaghan
That is not always happening, O'Callaghan said. And cloud implementations are only going to increase, so you don't want to be caught off guard. IDC has projected that by 2021, enterprise spending on cloud services and infrastructure will be more than $530 billion, and over 90% of enterprises will use multiple cloud services and platforms.
Adopting the cloud is no longer primarily about economics and agility. It is becoming an enterprise imperative, and more organizations will be deploying resources across multiple cloud platforms as they move further along on their digital transformation journeys.
IT Ops, beware. Here's how to avoid cloud "gotchas" of all kinds.
Anticipate the unexpected costs
Perhaps the biggest surprise of all is the unexpected costs, said David Linthicum, chief cloud strategy officer at Deloitte Consulting. Companies don't have cost governance in place, he said. You really need systems that automatically monitor what's being used, who's using it, and how much it's costing, he said.
"It's a self-inflicted wound; companies are not understanding how they're consuming cloud."
—David Linthicum
The problem is becoming more complex as organizations buy higher-level features such as database, serverless computing, and security systems. Those leverage resources in variable ways, and "the complexity tends to confuse people on what they're going to pay with compute systems, which have direct scalability, so you always will pay based on usage. That's typically where people get hung up," Linthicum said.
Migration is still under way; just 25% of workloads are in the cloud. CIOs are getting prices for lift-and-shift, and "that's typically going to be relatively cheap," Linthicum said. "But they're finding they need to augment systems and refactor systems to make them cloud-native with APIs. That's an additional cost they didn't plan for." It also causes additional risk and time delays.
Be aware of the skills gap
There is also an assumption that once you're in the cloud, it's smooth sailing. Not true, said Chris Lee, vice chancellor of information technology services at Arkansas State University-Beebe. Sometimes it requires adding new skills you didn't anticipate.
The school has deployed Office 365, and IT staffers no longer have to worry about an on-premises email server and all of the maintenance that comes along with that setup, he said. "We have gained several different responsibilities related to tools that were previously not included in the ITS service catalog."
For example, ASUB is focusing additional attention on Office 365's security and compliance module. The software Microsoft provides for Office 365 administration "is a solid tool," Lee said, but it takes time to configure and maintain, and it's a product his team did not have to manage when ASUB had an on-premises email solution.
"We like the extra security offering, so no complaints, but it just shows that new, specific skill sets will be needed within one's new cloud environments."
—Chris Lee
Another big gotcha is the difficulty in finding talent, and organizations tend to underestimate what they have to pay for it, Linthicum said. Without people who have cloud architecture backgrounds, cloud will cost too much to implement, or companies won't be productive.
This has been a huge hindrance to leveraging cloud and IT's ability to digitize the organization, he said. "People are taken aback by how much skilled people want to make and the demand that is out there for those people."
Don't offload security entirely to cloud vendors
While public cloud vendors provide controls and security around their data center environment, organizations are often surprised by the fact that this doesn't let them off the hook.
There are still a tremendous number of controls that an organization that hosts with AWS needs to have in place around its own practices, said Tom Dugas, director of information security at Duquesne University.
These controls include the design of their cloud services and configuration of the integration services "that are critical for security of cloud services," he said. For example, "our auditors will no longer rely solely" on the audit report of Amazon alone; they are requiring the university to also get an independent audit report for the software vendor or third-party organization hosting with Amazon that they leverage for services.
As a higher-education institution, Duquesne has also discovered that many research grants prohibit state universities from co-hosting their research data in another environment, Dugas said. "So you are required to isolate the environment from any other—including that of our own campus systems and servers. In some cases, that may even require it to have its own network connectivity."
Assess your security
Security is the top-rated cloud concern for small and mid-size businesses, noted Anurag Agrawal, CEO of research firm Techaisle.
"Post-implementation, they realize that their security framework is not sufficient."
—Anurag Agrawal
Organizations can run into problems by not assessing their own security stance, which should include an analysis of reliable bandwidth in the business's physical location, as well as adopting a formal policy concerning user behavior, said DXC's O'Callaghan. Adopting and enforcing a policy concerning cloud service passwords and good practice is key to safeguarding enterprise data, he said.
"Humans tend to be the weak link in any security chain."
—Eugene O'Callaghan
Encryption, authentication, and monitoring
A gotcha that frequently turns up when using hybrid cloud services is a lack of encryption for data in flight, observed Lynne Williams, a business and IT professor at Purdue University Global. If the data travels as plaintext, it's extremely vulnerable to man-in-the-middle attacks, she said.
Some cloud vendors make encryption a feature of their service, but others don't, so the enterprise must be sure about whether its chosen vendor is using sufficient encryption to properly safeguard enterprise data, she added.
She also finds that the use of weak authentication schemes is a widespread gotcha. Most cloud services require some sort of initial login on the part of the user. But if the enterprise doesn't take action against insecure user behavior, such as preventing corporate users from choosing weak passwords or from the frequent reuse of passwords, enterprise data can be put at risk of exposure when an attacker manages to guess or gain brute-force entry to the cloud service.
Depending on the cloud vendor alone to monitor your data is another area organizations are surprised to find is a no-no, Williams said, especially when they are in a regulated industry. Few cloud vendors as of 2018 have the ability to provide logging or monitoring mechanisms for a single tenant, which could bar some enterprises [that] require full auditing capability in order to comply with regulations, Williams added.
Back up your own data
Also, don't rely solely on your cloud vendor for 24/7 availability for backup, Williams said. If, for whatever reason, the cloud vendor experiences a shutdown or lapse in service, the enterprise will have no access to backup images, she said. "If the enterprise has undergone some sort of physical catastrophe, such as a hurricane or wildfire, not being able to quickly restore backup data can be extremely costly."
ASUB's Lee echoes that sentiment. Since downtime is always a possibility, IT learned it needed to move key enterprise applications to contractual, private clouds, he said. This has helped reduce the number of moving parts the ASUB ITS staff is responsible for keeping up and available, he said.
Avoid cloud gotchas through due diligence
IT can avoid these surprises by doing its due diligence ahead of time, said Deloitte's Linthicum. "It comes down to people making mistakes because of a lack of knowledge," he said. They're not reading articles and books, and they're not hiring the people they need to get the answers and planning done to avoid big costly mistakes.
You should also ask your cloud providers for their advice. While cloud providers won’t necessarily tell you how to augment a system for the cloud, people should still ask questions proactively. Providers simply don't know your app, he said. They're a utility for hire.
"They don't own the workload; it's your data, your workload."
—David Linthicum
When deciding to migrate something to the cloud, be sure you know ahead of time what type of changes need to be made, he added.
It's a good idea to start the process by developing a "holistic cloud strategy and road map" for each application or group of related applications, said DXC's O'Callaghan, since there are many options for legacy applications and many noncore capabilities can be replaced with cloud-native SaaS alternatives.
How to get started
Organizations should start with the business outcome in mind and work backwards from there, O'Callaghan said. To avoid getting caught by the gotchas, an enterprise needs to take a proactive approach to cloud services.
Don’t just look at the bottom line concerning costs when considering a cloud service, he said. Get a copy of the vendor's service agreement and read the fine print to ensure that data traveling across the public Internet is properly encrypted, whether point-to-point, at rest, or in transmission.
That service-level agreement should also include guarantees about what the vendor will or won't do in the event of an outage or lapse in service, O'Callaghan said. It also pays to check your vendors' compliance with governmental regulation, he said.
"If the cloud vendor specifically states in the service agreement that they store and transmit data in compliance with specific governmental regulations, it may cost a bit more, but that type of guarantee can help with compliance."
—Eugene O'Callaghan
One of the more common mistakes enterprises make when adopting cloud solutions is viewing the process as a simple IT adjustment, rather than as a business imperative, he said.
Often, they don't build a consensus and prioritize how IT changes will support their business needs, O'Callaghan said.
"Just moving to the cloud doesn't guarantee business value."