Navigating the Cloud

Moving Mission-Critical Systems to the Public Cloud CIO Career Suicide or Opportunity?

Can moving mission-critical, enterprise systems to the public cloud be career suicide or opportunity for the Retail CIO?  When things go wrong, it's the CIO who will be fired – it was their decision and no one else can take the blame.  For opportunity, it is important to understand the current state of cloud providers and their readiness for prime time, enterprise systems?
 
On-premise solutions are about being in control and the ability to hold people responsible. Internal “providers” are vetted, employees. Their activities can be monitored and most importantly they can be held responsible when things go wrong. With the public cloud, the only recourse is what is written in an SLA and “money-back guarantees.” These are far from the level of assurance that an enterprise CIO needs. There is a huge difference between picking up a phone and calling your own data center versus dialing a 24x7 hotline or staring at a website with a “sit tight, we’ll be back soon” message. Cyber-insurance won’t help much either – any payout from the claim would ultimately be collected by a new CIO.
 
IT security professionals would tell you the solution is improved certification of cloud providers and the external vetting of their human operators. Certification has a role to play but the answer will include technologies that increase control over the outsource administrator.
 
The CIA Triad of Confidentiality, Integrity, and Availability
 
There are three tenets of security that are key to understanding control over the outsource administrator. 
 
Availability is the easiest to understand. Can a public cloud model deliver as reliable performance as the enterprise’s own data centers?  Consider how the earthquake and subsequent tsunami in Japan made the banking community realize that having a main data center in Tokyo with a backup in Yokohama, just 50km away, wasn't such a smart idea.
 
In contrast,  the latest object-store cloud provider solutions provide multi-continent, multi data-center storage redundancy, and availability that would be both financially and operationally challenging for an enterprise to replicate.  It is here that certification can play a key role as availability data is objective and it is possible to analyze and correlate the risks.
 
Integrity is possibly the least understood of the security triad. It can be addressed with Keyless Signature Infrastructure (KSI) which provides a mechanism for CIOs to dynamically attest that their systems and data are in a clean unmodified state and act when an unauthorized modification is detected.
 
It also keeps the public cloud administrators honest – everything that happens in the cloud environment can be verified independently. When something goes wrong there will be forensically auditable evidence to prove what happened.
 
Regulatory compliance requires enterprises to prove the integrity of their archived data, spending as much as $10,000 per TB for hardware-based solutions. Now,  this can be done in the public cloud at a fraction of the price.
 
Confidentiality.  Since IBM's Craig Gentry announced his fully homomorphic encryption (FHE) scheme there has been intense research in the academic community to build something practical. FHE implies that you can store encrypted data in the cloud using encrypted applications and the data never needs to be decrypted, even in memory. The results are decrypted locally when an authenticated end-user needs to view it, thereby removing any possibility of the cloud operator or outside attacker breaching the confidentiality of the data.
 
Although a long way from being practical the time will surely come.
 
Why Move to The Cloud?
 
There is a long list of cloud benefits, but I like to narrow it to the three most impactful: scalability, agility, and cost savings.
 
Cloud computing allows companies to change the way they operate rapidly. With the cloud, it is possible to very quickly add more computing resources. In contrast, IT teams can take much longer as they need to buy and install physical equipment. What is more, migrating IT systems to a cloud server will allow you to reduce the overall amount of physical hardware as well as data center space, which directly translates into cost savings.
 
How will it affect my role?
 
Cloud computing provides new opportunities to drive business growth and has a significant effect on the role of the CIO and the IT team. Leading the shift to the cloud not only gives you an opportunity to move into a more strategic and consultative role, but it will also help you concentrate on value-add activities, which in return will make your business more competitive.
 
According to Oracle’s Senior Vice President and Global Commercial CIO Tom Fisher:
 
“CIOs have the opportunity to transform from keeper of the technology into a true Chief of Information, now managing data as a company asset, just as the CFO manages company finances. To do that, the CIO not only has to understand where the data is and which provider is responsible for it but also how the individual business units can use that data. The business knowledge required to drive mission-critical processes, the market knowledge required to capture emerging opportunities, and the technical knowledge required to bring those elements together all drastically change—and elevate—the job of the person occupying the CIO seat.”
 
What’s important when choosing a cloud provider?
 
In many cases, CIOs are hesitant to entrust sensitive private data that has been always stored in-house to third-party companies. That is why reputation and security remain key considerations when choosing a cloud provider. What is more, most CIOs look for flexibility when choosing their cloud provider. It is no longer interesting to sign a contract for many years to secure the best price. Today contracts are usually negotiated for three years, as it guarantees a good price, higher flexibility, and the possibility to exploit the latest technologies as they emerge.
 
The good news, there are a lot of options, the bad news, there are a lot of options.



July 2020  by Klaus Sentker, Senior Partner and Chairman of the Board Retail Consult