The allure of cloud is undoubtedly strong. Massive cost savings, compute and storage on-demand, pay-for-what-you-use commercials and a huge array of applications being offered 'as a service' from a growing number of cloud platforms. But, is it that easy? What do you need to know about storing your high-value, sensitive information in the cloud?
TEAM Informatics has worked in the Content Management industry for twenty years, and many of us working here have been in the industry for almost as long. Last year we launched our Content Advisory group, a new practice within the company, to share our extensive and wide-ranging experience with our clients.
This blog post will be the first in a series that looks at some of the questions we are often asked by our clients and is intended to share some of our insights. We aim to encourage all to work together to improve the overall management of information within our organizations.
I thought we could start with a very broad question we often hear (Can I Put My Company’s Information in the Cloud?) and then share the process of how we can break it down to provide actionable steps and advice. As such, the question at hand depends on many different things – here’s an approximate breakdown of the process we might go through to make a recommendation.
Ignoring the first part of the question, except the question “can you?” – sure, it’s very easy to drag and drop data or files into a cloud sharing service or cloud storage. Let’s look at the three major parts of this question: “my company,” “information,” and “cloud.”
Take an honest look at your company – what industry are you in? What level of risk tolerance do you have? Do you have many locations or only one? How technically skilled are your staff?
You are likely to only get a blessing from management for cloud projects if you meet the right criteria. Highly regulated industries, or organizations in fields that are generally quite conservative (banking, insurance, heavy industry, etc.), will get more pushback than those that tend to be more cutting-edge (technology, media, retail, etc.). This is strongly tied to risk tolerance but can be offset if you can educate management and colleagues on the ways you (and your vendors) will manage those risks. This may also come down to which kind of cloud deployment you choose (see below).
Cloud deployments are most useful for distributed workloads. If your company has everyone in one office, has made a large investment in internal connectivity, and manages their own servers locally, it will be a hard sell to move applications or data to the cloud. Alternatively, if you have a distributed workforce communicating over multiple channels, have outsourced your data center, or have requirements for mobile access to data and systems, cloud deployments might just be the ideal solution. Most companies will lie somewhere along this spectrum and you need to judge where you are and where you plan to be in the future.
Staff capability was the key that led me to embrace cloud deployments. I saw that it was harder and harder for our clients to find and retain skilled staff for complex application server, database, and application development and support. This is particularly a challenge for small and medium-sized enterprises and those located away from major urban areas. Ask yourself if your application security staff (as good as I’m sure they are) are as skilled as those employed by Amazon, Google, Oracle, Cloudflare, or Microsoft. Furthermore, are they capable of responding to attacks from overseas governments or malicious competitors? This is the key to cloud resources – you are outsourcing the difficult technical tasks of infrastructure, security, and monitoring to a third-party who does nothing else but that, leaving you to focus on your core business.
Tied into understanding your company profile, it’s important to consider the kind of data you are going to put into the cloud. Are these sensitive records like patient data, internal intellectual property, or financial content? If so, you need to be very certain you have the right controls and training in place. If the content is general office documents, marketing data, and non-sensitive customer information, it’s a more straightforward process.
Think about things like data residency and whether that applies to your information. Talk to stakeholders about their requirements for security, version control, encryption, retention, metadata and any other concerns. Find a cloud provider and an application that meets these needs and provides support to you through the transition from on-premises to cloud deployment.
Give some thought to the migration process – just saying that you are going to move content to the cloud is one thing but working out how much of those 75 TB of data sitting on shared drives is valuable and should be migrated is a different challenge. We will look at some different approaches to this problem in subsequent posts in this blog series.
An increasing concern with regards to data storage, both locally or in the cloud, is ultimate ownership and responsibility. We have all heard about the various data losses and hacks from major companies and organizations around the world, and the most damaging of those were where the data loss was not noticed and reported quickly. Wherever your content is stored, you need adequate monitoring and reporting on security, access, and traffic levels. No security is 100% perfect, so you need a warning capability in terms of system monitoring and reporting. You believe there will never be a fire at your home or office, but you still have smoke detectors. At least I hope you do.
As I joked earlier, can you move your company data to the cloud? Sure, it’s very easy to drag and drop large amounts of data to an enterprise file store and synch the (EFSS) platform, but that may not be a good idea.
First, what kind of “cloud” are we talking about? Infrastructure as a service (IaaS) is virtual servers in the cloud (Amazon Web Services’ Elastic Cloud, for instance), platform as a Service (PaaS) adds more functionality (specifically middleware, runtime and OS). For example, Salesforce’s Force.com, MS Windows Azure, or Oracle’s Java Cloud Service are service platforms. Software as a service (SaaS) is a cloud-hosted application like Box.com, Google Apps, or Microsoft’s SharePoint Online.
Figure 1 Differences between IaaS, PaaS, and SaaS - from https://www.bmc.com/blogs/saas-vs-paas-vs-iaas-whats-the-difference-and-how-to-choose/
Each different type of cloud deployment has a different balance between flexibility, ease of deployment and support, and cost. Generally, the cheaper IaaS services require more in-house setup and knowledge but offer many options and configuration. The SaaS offerings, which are somewhat more expensive, tend to be focused on what they offer, but are usually “plug and play.”
You need to determine the right scenario for your company, your data, and (probably most importantly) your risk profile.
The next step, after determining what kind of cloud platform you want to use, is to plan for high availability, disaster recovery, geographic location, monitoring service, etc. There are many options out there, and the beauty of a cloud platform is that you can load balance across data centers (close to your workforce or your customers), or you may choose to keep data resident in a single location for compliance or performance reasons. You need to think about HA and DR in the same way that you would for local deployments. While you may not have been running SIEM (security information and event monitoring) locally, it’s a very good idea to commission this with cloud deployments.
Finally, strongly consider management services – some SaaS offerings have this cost built in, as do some PaaS (up to a point). Can you support the rest of the stack internally? Or do you need to procure assistance with the appropriate skills and experience?
Putting it all together
Cloud deployments may seem to be a fad, a great idea, or even a terrible idea depending on your experience and knowledge of the topic. Five years ago, we might have thought it was a temporary flavor of the month, but now this deployment pattern is standard and on-premises deployments are seen as the exception. Financial considerations now come into play, with capital expense being exchanged for operating expense, and the total cost of ownership for data centers, redundant power and networking, servers, storage, and software being compared closely to their cloud equivalents. You should also look at your key application and software partners and inquire about their product plans. Many applications are being migrated from on-premises install to cloud offerings and the costs are being migrated from perpetual licenses with annual support to monthly or annual subscription.
In the end, the decision will come down to what is right for you, your company, and the data you manage. There’s no right or wrong answer here, and the answer you reach today may not be the same in six months’ time, so be sure to return to the topic regularly. If all of this feels overwhelming, we at TEAM would be very happy to talk to you about this and give you the benefits of our own experience, as well as our customers’ experience on their journey into cloud deployments.
Later in this series, we will examine the practicalities of cloud deployment –
- How to analyze the data you have locally and determine what should be migrated to other platforms
- The pros and cons of the “new breed” of cloud content management platforms, and how to determine whether they can meet your needs
- How content services have changed the face of enterprise content management (including a look at whether CMIS can deliver this vision)
We hope you find these useful and look forward to your feedback and questions. Contact us at firstname.lastname@example.org to start a conversation.