Is it safer/cheaper to run your own computers? Or should you have a cloud based service that manages your IT functions?
What characteristics are there in the decision to outsource servers? Or when outsourcing your IT department?
Don’t believe that outsourcing your IT servers now removes the risk of a data breach!! Or if you outsource the IT department there is no more risk in breaches!
doherty.co.uk has a webpage listing 5 costly data breaches:
#1 Wonga Loans – 250,000 customer details (including account numbers, names and addresses)
#2 Morrison’e supermarket — 100,000 employee personal details were leaked by an employee (bank account details and salaries)
#3 Brighton and Sussex University hospital — 232 decommissioned drives were stolen.
#4 LinkedIn — 165 million user accounts personal information (passwords and usernames)
This image is compiled data from the LinkedIn breach.
Which shows that many LinkedIn users do not have good passwords (over a million accounts)
#5 Vision Direct — 6600 customers CVV numbers from credit cards were removed, this is bad since as per PCI compliance one is not supposed to keep any number (so it won’t have the chance to be stolen)
Computerworld.com has a number of breaches in many different
Virgin Media: a million customers believed accessed due to marketing database left open for 10 months.
MGM resorts: Admitted 10.6mil former hotel guest information details were “discovered unauthorized access to a cloud server” containing a “limited amount of information”, but at least payment cards were not involved.
Authentic Jobs: Made 221k CVs exposed online after 2 online recruitment firms made their AWS cloud storage buckets public, which made the CVs of job applicants available to anyone who knew the URL.
There are many breaches occurring every year due to errors and omissions on the cloud and off.
So reducing risk by going to the cloud may not occur, but what other reasons can be ascertained to decide whether one should go to the Cloud or stay on premise?
What is the Cloud? It is just a computer on the Internet that is managed and run by another company. So when one is looking for cloud application or needs, you must evaluate the company for it’s ability to fulfill your requirements.
1st figure out your needs (such as email for example). Need 10 users and must have access with Androids and Mac devices.
Then look for an email “cloud” company this could also fall under the SaaS (Software As A Service) category.
There are many needs that you may have besides email, like being able to store files, work on files using many employees at once.
I have previously written about cloud computing: https://fixvirus.com/cloud-companies/ in fact it was many years ago. Going to the “cloud” was an improvement of business that was a move presented by many. Today we have Azure, AWS, and Google cloud which can help you while you develop software. but there are also many other cloud companies that handle specific functions at your company (email, file server, publisher, WordPress, and more). And these days one can likely find a ‘cloud’ company that is specific to your industry.
What are the main characteristics of choosing a cloud architecture versus having your own infrastructure? Control is the main one, when the computer is at your location one has absolute control (for good or bad). But if control is not important then one also has IT expertise. I.e. if you have a problem retaining good info tech people then you will always have a problem with keeping IT functions going as it should.
So control and expertise are some characteristics, but cost comes into it as well. Since the cloud company has to upgrade and buy new equipment if you need more resources. You no longer have to plan for that. Also space, power, and cooling is an issue for some people as well (it depends). Especially if one wants to run several machines.
So as far as Cloud types here are a few:
There are (at least) 3 different cloud companies: IaaS (Infrastructure as a Service), SaaS (Software as a Service), and PaaS (Platform as a Service), And a catchall due to the many new catagories is Xaas (Any as a service), back a few years ago DaaS(Desktop not Data) was big, but the acronym had to fight with DBaaS (Database as a service) and since soon more and more acronyms were coming the Xaas was created as a catchall. (Brainhub discusses many of these terms)
IaaS – Infrastructure As A Service
It allows you to rent a virtual machine and now you have to manage and configure the rest. So you better have a good IT person handling this task. This setup is really just a location issue, instead of you buying and maintaining at your location, the company with IaaS does this for you.
PaaS – Platform as a Service
A simple way to deploy an app using a specific technology(Ruby,PHP, Python, Java, .NET) , here though there are a lot of drawbacks with this method, as the integration with the platform becomes so dependent a decoupling is likely impossible without a major rewrite of your code.
SaaS – Software As A Service :
Here a good example is email, or web, where the server runs a specific piece of software. Like email. This service is likely the most cost effective and is the least complex.
So the bottom line is you have to be comfortable with expertise and abilities even in the cloud environment.
Before I get to the Cybersecurity angle of Cloud computing, I want to review basic tenets of outsourcing, since cloud computing is a form of outsourcing. And interesting to note an article in the Journal of Accountancy is appropriate even if it is from 1998
Access to state-of-the-art technology. The volatility of information technology can quickly make IT skills obsolete. Software is updated and replaced very rapidly by the time an entity invests in and trains its full-time staff, the technology may no longer be state-of-the-art. Outsourcing specialists must be well trained and up-to-date to survive.
From the article:
Cost savings and quality. Fierce competition has led many businesses to restructure and downsize staffs in an effort to save money. As in the case of General Electric, even thriving companies do whatever possible to reduce staff and costs. Vendors may save money because they
- Have much tighter control of fringe benefits and run much leaner overhead structures.
- Use low-cost labor pools more aggressively and, with the help of modern telecommunications, can move data centers to low-cost areas.
- Apply world-class standards to the company’s existing IT staff, all of whom have to requalify for appointment at the time of outsourcing.
- Can employ more effective bulk purchasing and leasing arrangements for all hardware and software.
- Have better control over software licenses because they often are more informed negotiators.
Flexibility. Companies must be flexible enough to adapt to a business environment in constant flux, so their IT functions have to respond quickly to changing demands. Vendors often can tap a wide range of resources, skills and capacities while internal IT staff may have limited capabilities.
A recent study revealed that a majority of senior managers viewed their companies IT functions as cost burdens rather than as strategic resources. They also perceived internal IT departments as being outdated, inflexible, expensive, unmanageable and lacking a customer orientation. (remember this was 1998 – the perception is different today)
What is the Risk of outsourcing?
Information technology is not easily outsourced because it affect everything a company does (usually).
Signing a long-term outsourcing contract is a bad idea since IT changes so quickly.
Outsourcing may give you less flexibility once the contract is signed. One may be stuck with whatever the IT outsourcing company is working with. And moving away from the vendor is also a problematic event. (in fact the term is “being held hostage”.
Cost savings may not actually occur
Here is where I insert my cybersecurity hat and notice that there would be problems with many of these environments if the correct connection between talent and capabilities do not occur. Also process and leadership.
What problems can occur no matter what environment? We have discussed this before: https://oversitesentry.com/attack-life-cycle-changed-by-cloud/ (in this link there are top12 cloud security threats)
1. Password problems – Identity management
2. General errors – leaving too much information for hackers to steal
3. No plan, no system no process? what will happen?
Top12 cloud security threats:
- Data Breaches
- Insufficient Identity, credential and access management
- Insecure interfaces and application programming interfaces (APIs)
- System vulnerabilities
- Account hijacking
- Malicious Insiders
- Advanced Persistent Threats (APTs)
- Data loss
- Insufficient Due Diligence
- Abuse and nefarious use of cloud services
- Denial of Service (DoS)
- Shared Technology vulnerabilities
If you notice that even though a cloud provider should be able to handle most of these it does not always happen with all cloud providers. And as I said before the service provider(cloud co) is not always at fault, as the client can also affect the state of security.
Contact us to discuss