I know this is embarrassing to admit, but I don’t really understand the cloud. Sure, I can describe what it does. I can even tell you all about the underlying technologies that make it work and how they fit together. With a fair wind, I might be able to walk you through the set up of a large cloud data centre and its operation. But, I’m not sure that really gets to the heart of the opportunities and challenges presented by the cloud.
This came home to me very clearly recently when I received a nasty surprise that one of the websites I set up had been hacked. Head to the URL of the site and you get a barrage of pop-up windows from the anti-virus software you’re running warning you about all sorts of dangers. Then checking my email, I found several messages from my internet service provider, domain name registrar, and internet security response teams threatening me with bans and fines unless I ceased this bad behaviour!
What on earth had I done to deserve this? The answer, of course, is that I have not really understood the risks and obligations of relying on a third-party cloud service. This shock is a wake-up call that brings home the implications of working in a digital world that relies significantly on cloud-based connectivity and service provision. Perhaps it also reinforces that mantra that you don’t really understand something until it has gone wrong and you have to fix it!
The arrival of cloud computing is one of the most important and conspicuous trends in computer services delivery in recent times. It already has a widespread impact on digital transformation of business, making inroads in private and public sectors alike. Whether viewed as a natural extension of Internet-based computing or a completely new phenomenon, high-bandwidth interconnectivity coupled with cheap processors and storage serve organizations by creating large computing centers that may be located anywhere around the world.
Simply stated, instead of accessing computing resources on your desk, you are instead relying on the internet to take advantage of digital technology owned and managed by someone else. This could be nearby or on the other side of the world. These centralized computing centers can be created by a single organization, shared between organizations, or provided by third parties as a resource that can be acquired as necessary. This gives rise to digital technology infrastructures that can be coordinated more effectively via shared service centers and supported more efficiently using a flexible set of hardware and software services that can expand and contract as an individual or organization’s needs evolve.
This move towards a centralized approach for greater flexibility and efficiency in service delivery is not new. From the earliest days of computing there have been efforts to centralize computer resources, share access to costly infrastructure, increase flexibility of access to common services, improve responsiveness to peak demands for capabilities. What is new in the recent move towards cloud computing is the technology infrastructure that now makes that possible, the business environment forcing efficiencies across digital service delivery, the expanding global nature of many organizations and their supply chains, and a broader re-evaluation of the role of digital services supporting the organization’s value to its stakeholders.
According to the US National Institute of Standards and Technology (NIST), the main focus of a cloud computing approach is to deliver ‘convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction’. The value of this approach is that it offers a great deal of flexibility to users of those resources. In particular, capabilities can be rapidly and elastically scaled up when demands for those capabilities increase, and similarly scaled down when demand falls.
The flexibility possible with cloud computing approaches is essential. Not only does it encourage dynamic relationships in the supply chain, it also provides much more explicit ways to look at infrastructure costs, to assign them to the role of each organization and team. It also encourages delivery approaches more suited to today’s highly diverse and rapidly evolving organizations.
We have seen many traditional solutions ported to a cloud platform. The opportunities and advantages of this switch are obvious. However, there are also many issues that must be considered in this move regarding security, privacy, and access. These concerns are best illustrated using a simple example; Setting up a website.
So, you want to build a website. Isn’t that now super-easy? Today, creating and managing a website seems like such a mundane activity. With all the experience we have had over the years, you would be forgiven for thinking that this was uninteresting. A done deal. Yet, even this activity provides a very useful illustration of the strengths and weaknesses of cloud-based services.
When I set up websites over 20 years ago, the task involved a lot of work to acquire, install, configure, and manage the system. Typically, I would need to build a new computer from scratch and get it running a core stack of LAMP infrastructure software. This provided the key services of Linux (operating system), Apache (web server), MySQL (database), and PHP (scripting language). Correctly configured (no mean feat!), this computer could be connected to the internet to act as a web server. Requests for webpages would resolve to an IP address that connected to this machine and the webpage would be returned.
By taking this approach, I was accepting all responsibility for security, privacy and access rights to the services I was hosting. Consequently, a great deal of effort was required to ensure correct configuration of this system, update all software to the latest versions, manage logfiles to view usage patterns, block unwanted access, build resilience into the systems in case of failure, and so on. A great deal of effort, but essential to maintain safe and continuous operation.
Move forward to today’s cloud-based world, and the choices for setting up a website are quite different. Essentially, you have 3 options (each with numerous variations):
1. Instead of setting up your own computer, cloud providers such as AWS and Google will provision a computer for you. This can be configured with a LAMP stack of software which they will manage on your behalf. Everything else remains as it was. You are responsible for installing software, managing webpages on the webserver, and for keeping this safe and secure.
2. A wide variety of web hosting companies such as Ionos, Bluehost, and 365hosts are now available who have built web management services on top of cloud-based infrastructure. They host software services for website management such as WordPress and give full access to allow you to manage and configure cloud-based capabilities for a wide set of needs such as file sharing, collaboration, sharing courseware, and much more. Rather than configure the core computing platform, these aspects are handled by the hosting company to ensure that platform is available and secure. Your responsibilities are to ensure that you manage your WordPress instance and all its web content effectively by keeping it up-to-date, configuring it appropriately, and monitoring its use.
3. Specialist website management companies such as Wix, Weebly, SquareSpace, and GoDaddy have created simplified webpage building tools and web hosting services. Each of these provides specializations using templates for websites in different categories (e.g., storefronts or online education providers) and customized integrations with other web services (e.g., accepting payments or verifying online identity). They perform all underlying management of the computer infrastructure for you and provide a customized set of web building options based on your needs, subscription level, and package of services you committed to buy. Crucially, you rely on the website management company to address all security and privacy concerns. You are freed of the burden of the vast majority of security and privacy issues (but not all!). To achieve this, they restrict the use of their systems. Through a set of managed services, they limit configuration options and prohibit many of the more advanced web capabilities that are emerging to provide a more robust environment.
These 3 levels of capability are all viable options when building a website. Each of them can be used successfully to deliver a meaningful service and meet your users needs. The challenge is to understand the implications, risks, and trade-offs between them. And it may not be obvious which is the right one for your needs. They have significant differences in cost profile, management processes required, flexibility to change, ease of upgrade, risk of being hacked, and so on.
If this set of choices on cloud-based infrastructure is complicated for hosting a website, imagine what this means when your organization’s key business processes are “rehosted on the cloud”. The issues and implications of this shift are significant. You cannot simply wave your hand and put this down as an “IT issue”. The choices you make have significant implications for many aspects of your business strategy, for the skills, processes and practices in which you must invest, and for the risks and responsibilities you personally assume when you transform your organization into a digital, cloud-based operation.
We are now all used to the idea that “everything is in the cloud”. From email to retail we expect to use the internet to access services being hosted by cloud providers as a key part of every digital transformation. However, it is important to remember that this shift requires that we adopt a different way of thinking about flexibility, risk, trust, and efficiency. As leaders and influencers, it is not enough that we get by with a high-level understanding of what it means to move to the cloud and pass on the obligation to others in the IT team. All of us need to keep being reminded that a cloud-based operating approach brings different responsibilities and behaviours affecting every part of the business. Don’t wait until you’ve been hacked to learn more about what it means to live in the cloud.
Originally posted here