When looking at issues like data storage, file sharing, even employee records and payroll, the sheer number of providers makes cloud-based options a tempting choice. The meteoric rise of cloud services is variously attributed to the global economic recession, the changing nature of the modern workplace (and workforce), and the flexibility offered by anywhere/anywhen access from any device. However, the number one reason is usually cost. The price ticket on a cloud package is almost certainly cheaper than that on its licensed, on-premises forebear. But the cloud option (also referred to as “on-demand service” and “software-as-a-service” or “SaaS”) also carries a few drawbacks that should be part of your balanced decision when choosing a provider.
Cloud services usually operate on a ‘pay as you go’ model of subscription and it’s this advantage that is mentioned so often: you only pay for what you use. If it’s personal records, the charge is usually per record. If it’s document storage, it’s by the gigabyte. No license fee, no hardware purchases, just the cost of the room you’re taking up on the virtual shelf in the storeroom. What’s more, there are often no tie-in clauses in the contract; you can leave any time you want (and take your data with you), so there’s little risk in trying a cloud solution from that perspective. Even better, cloud fees (which are effectively rental) are classed as operational expenses, whereas a licensed on-premises system is classed as a capital expense – this can make a difference to budget management.
However, the total cost of ownership always includes hidden factors, and with cloud services these include the possibility of security breaches caused by data being out of your direct control, slower access depending on your internet connection, more problems when backup or recovery fails, fines for non-compliance with data privacy legislation, and inefficient management of SSL certificates.
One advantage of ‘going cloud’ as opposed to buying a software package that you have to install on your own system is that you’re usually up and running much more quickly, which means you can start to get a return on your investment faster. This is particularly attractive to startups and small businesses because they often don’t have the necessary existing hardware and so an on-premises solution may involve a much more significant investment than just the software. Furthermore, upgrades and patches are more likely to be seamless and unnoticed than if you have to ‘do it yourself’ in the office. Of course, implementation includes user training, and getting your people up to speed with a new system or application will probably take the same time whether it’s on-premises or not.
This is often cited as the main drawback to cloud services, simply because all your data is somewhere else. Instead of being on your own server, safely locked away in the server room (or cabinet), your information is stored in a data center, sharing server space with a thousand other customers. You may not even know where that data center is (this is something to make a point of asking when considering the purchase in the first place) and – worse – the data center may not even belong to your cloud provider. In fact, from a security perspective, cloud services can cause a shiver: your provider may be offering a software as a service (SaaS) package that is installed on another provider’s platform as a service (PaaS), who might in turn be renting infrastructure (IaaS) from elsewhere. Finally, the infrastructure provider might be paying to use part of a shared data center. This chain of providers is often hidden from view and creates a security issue if only in the sense that the more links, the weaker the chain.
An information security survey from Ernst & Young found that 38% of those who replied took no special measures to reduce cloud security risks, even though the majority were using cloud services. On this issue, a number of points should be explored at the purchase stage, including the provider’s information security plan, data governance structure, disaster recovery plan, uptime performance history, and how successful they’ve been at recovering data from backup. Ask if they have a current ISO 27001 or SSAE 16 certification.