Cloud can be defined as the delivery of shared computing services over the internet. In other words, the cloud is just storing your data on someone else’s computers and accessing that data from wherever you are.
The U.S. National Institute of Science and Technology (NIST) defines cloud as including 5 key characteristics:
- On-demand self-service. Consumers can generally get set up to use the service without requiring human interaction.
- Broad network access. The service is not generally limited to a specific hardware or operating system platform.
- Resource pooling. The service providers take advantage of economy of scale to make resources available wherever required. This also means that customers don’t necessarily know exactly where their data is stored.
- Rapid elasticity. The solution scales up (and back down) rapidly and automatically based on usage and demand.
- Measured service. Customers use what they need and pay for it, in a fashion similar to that used for electricity or other utilities.
Taken together, this means that consumers who use a cloud service provider get the benefit of significant reduction in up-front costs and in maintenance costs over the life of the solution. This comes in a couple of different ways:
- With measured service and elasticity, consumers don’t have to worry about not having sufficient capacity, or, on the other hand, purchasing and maintaining excess capacity to address peak workloads.
- The initial cost and time required to provision a cloud solution is often significantly lower. Instead of months or years, cloud solutions can often be provisioned much more quickly and without the cost and disruption of an on-premises deployment.
- Cloud solutions are generally expensed as operating expenses – that is, the organization pays a set amount for a set amount of services on a regular basis. It’s analogous to renting vs. buying.
- At the same time, the cloud provider is responsible for maintenance: upgrades, updates, hot fixes, backups, provisioning of new capabilities, and so forth. The consumer may not even have to have a system administrator on staff depending on the complexity of the solution.
Cloud service providers can offer a spectrum of services to their customers – from a completely turnkey software application to just the underlying server architecture. NIST includes several different flavors of service and deployment models; most cloud service providers support many of these different models, which allows consumers to select and configure a cloud service in the way that makes most sense to their organization. In other words, if using a public cloud is of concern, it may be possible to use a private cloud, or a hybrid solution that puts some data in the cloud and retains some in an on-premises solution.
Most organizations share a couple of key concerns when evaluating the cloud:
- Security. Most cloud providers provide world-class physical and logical information security. They know they are targets of everyone from criminals, to wanna-be hackers, to state actors, and they spend significant resources ensuring the security of their assets. In fact, their security is better than all but the most sophisticated and dedicated organizations in the world.
- Uptime. What happens if the cloud solution goes down? Well, what happens if your on-premises solution goes down? Either way it needs to get fixed; a cloud provider has dedicated resources on staff and on site. Moreover, for the major service providers, downtime is generally measured in minutes per year. Compare that with your major on-premises systems including planned and unplanned interruptions.
- Vendor lock-in. This is a significant challenge, but not necessarily any more challenging than in migrating from one provider’s on-premises solution to another’s. The same issues around data formats and structures, metadata, permissions, etc. will all apply.
- Data location. This is a particular concern for data that is sensitive, such as personal data, medical or health data, or other data defined by various regulatory entities. In some cases data has to be stored in the country or region where the organization is physically located. Most cloud service providers will offer some ability to store your data in a data center located in your jurisdiction.
Due diligence is still a requirement to ensure that a given cloud service provider meets the organization’s business needs, including needs for security and data protection. But cloud services are generally robust and mature and organizations should include them where they make sense to do so.